nftables router
# http://kangran.su/~nnz/pub/nf-doc/nftables/nft.html
# http://wiki.nftables.org/wiki-nftables/index.php/Main_Page
# Interface toward the outside network (masqueraded in table nat below)
define external = eth0
# Interface toward the LAN; chain incoming accepts everything arriving on it
define internal = eth1
# NOTE(review): not referenced by any rule in this file
define dhcp_range = 192.168.1
# Clean out the current ruleset
flush ruleset
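table firewall {
    # Source addresses whose new connections are dropped in chain incoming
    # (established/related traffic is accepted before the check).
    set blacklist {
        type ipv4_addr
    }
    # TCP services reachable on any interface. ssh is listed here and is
    # also rate-limited in chain incoming; the explicit "tcp dport ssh drop"
    # there stops this set from accepting what the limit rejected.
    set tcp_open_ports {
        type inet_service
        elements = {
            ssh
        }
    }
    # UDP services reachable on any interface (none listed).
    set udp_open_ports {
        type inet_service
    }
    chain incoming {
        type filter hook input priority 0
        # established/related connections
        ct state established,related accept
        # invalid connections
        ct state invalid drop
        # bad tcp -> avoid network scanning:
        tcp flags & (fin|syn) == (fin|syn) drop
        tcp flags & (syn|rst) == (syn|rst) drop
        tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) drop
        # no ping floods:
        ip protocol icmp limit rate 10/second accept
        ip protocol icmp drop
        # drop connections from blacklisted addresses
        ip saddr @blacklist drop
        # accept input from loopback and internal interfaces
        iif { lo, $internal } accept
        # avoid brute force on ssh:
        # the limit is one global counter, not a per-source-address one
        tcp dport ssh limit rate 15/minute accept
        # everything over the limit is dropped here; without this rule the
        # "ssh" element of @tcp_open_ports below accepted it anyway
        tcp dport ssh drop
        # allow open tcp ports
        tcp dport @tcp_open_ports accept
        # allow open udp ports
        udp dport @udp_open_ports accept
        reject
    }
    chain forwarding {
        type filter hook forward priority 0
        iif $external oif $internal ct state established,related accept
        iif $internal oif $external accept
        # a base chain's default policy is accept, so without this final rule
        # new connections from $external to $internal were forwarded as well
        # (equivalent to "policy drop" on the chain, kept as a rule to match
        # the trailing reject in chain incoming)
        drop
    }
    chain outgoing {
        type filter hook output priority 0
    }
}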
table nat {
# Destination-port -> internal-address lookups, presumably meant for
# inbound port forwarding. Nothing references them yet: chain prerouting
# below holds no rules, so no inbound port is forwarded until dnat rules
# using these maps are added.
map tcp_forwarding {
type inet_service : ipv4_addr
}
map udp_forwarding {
type inet_service : ipv4_addr
}
chain prerouting {
type nat hook prerouting priority 0
}
chain postrouting {
type nat hook postrouting priority 0
# source-NAT everything leaving through the external interface
oif $external masquerade
}
}
# -*- mode: ruby -*-
# vi: set ft=ruby :
# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
VAGRANTFILE_API_VERSION = '2'

# Two-machine lab on one private network: a 'client' and a 'router'
# (marked primary). Vagrant does not configure the address inside either
# guest (auto_config: false); the ip: values only describe the network.
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  # Both machines are built from the same base box.
  config.vm.box = 'archlinux64'

  config.vm.define 'client' do |client|
    client.vm.network :private_network,
                      ip: '192.168.33.100',
                      auto_config: false
  end

  config.vm.define 'router', primary: true do |router|
    router.vm.network :private_network,
                      ip: '192.168.33.1',
                      auto_config: false
  end
end