#!/usr/bin/env nft -f
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
# Replace the whole ruleset with the tables defined below. `nft -f` loads the
# file as one transaction, so the flush and the new rules are applied together;
# a parse error in the generated file leaves the previously loaded rules in place.
flush ruleset
{% for V in ['4', '6'] %}
{% set v = V | replace('4', '') %}
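{% macro trust(list) %}
{#
  Expand the caller's rule once for every usable entry of `list`, a
  space-separated string of IPv4/IPv6 addresses or CIDR prefixes (Ansible
  variables such as net_trusted_ranges, fw_dlna_clients, DMZ_IP).

  Each entry is interpolated verbatim into the nftables ruleset, so it is
  validated before use rather than trusted:
    - the whole token must be a dotted-quad (IPv4) or a hex/colon literal
      (IPv6), optionally followed by /<prefix-length>, and nothing else --
      a token carrying a trailing ';', '}' or other text is dropped instead
      of becoming extra nft syntax;
    - loopback (127.x.x.x, ::1) is skipped, FilterIn already accepts `lo`;
    - empty tokens (doubled spaces, empty variable) are skipped;
    - only entries of this table's family are emitted (V is the enclosing
      loop variable, '4' or '6'); an entry of the other family, or one that
      fails validation, produces no rule and no error.
#}
{% for net in list.split(' ') %}
{% if not net is match('^(?:127(?:\.\d{1,3}){3}(?:/\d{1,2})?|::1(?:/\d{1,3})?)$|^$') %}
{% if (net is match('^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$') and V == '4')
or (net is match('^[0-9A-Fa-f:.]+(?:/\d{1,3})?$') and net is search(':') and V == '6') %}
{{caller(net)}}
{% endif %}
{% endif %}
{% endfor %}
{% endmacro %}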
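table ip{{v}} Inet{{V}} {
# CheckNet is the trust boundary of this table: it returns to the caller for
# packets sourced from net_trusted_ranges and rejects everything else, so no
# FilterIn rule placed after `jump CheckNet` is reachable from an untrusted
# source. Trust is decided on the source address alone; a spoofed source on a
# LAN-facing interface is not caught here.
chain CheckNet {
{% call(net) trust(net_trusted_ranges) %}
ip{{v}} saddr {{net}} return
{% endcall %}
{% if V == '4' %}
reject with icmp type admin-prohibited
{% else %}
reject with icmpv6 type admin-prohibited
{% endif %}
}
# FilterIn: input hook, default drop. Rule ORDER is the policy -- everything
# above `jump CheckNet` is reachable from any source, everything below it only
# from net_trusted_ranges.
chain FilterIn {
type filter hook input priority 0
policy drop
# allow established/related connections
ct state {established, related} accept
# early drop of invalid connections
ct state invalid drop
# allow from loopback
meta iif lo accept
# allow icmp (all types, from any source)
{% if V == '4' %}
ip protocol icmp accept
{% else %}
# match the transport protocol rather than `ip6 nexthdr`: nexthdr only sees
# the first header, so ICMPv6 (incl. neighbour discovery) behind an extension
# header would otherwise fall through to the drop policy
meta l4proto ipv6-icmp accept
{% endif %}
# allow multicast (for DLNA) -- from any source, any port
meta pkttype multicast accept
# git/ssh -- deliberately above the trust check, i.e. open to every source
tcp dport 2222 accept
# kodi upnp -- trusted ranges plus the listed DLNA clients only
{% call(net) trust(net_trusted_ranges + ' ' + fw_dlna_clients) %}
tcp dport 1088 ip{{v}} saddr {{net}} accept
udp dport 1900 ip{{v}} saddr {{net}} accept
{% endcall %}
# minidlna -- same sources as kodi upnp
{% call(net) trust(net_trusted_ranges + ' ' + fw_dlna_clients) %}
tcp dport 8200 ip{{v}} saddr {{net}} accept
udp dport 8200 ip{{v}} saddr {{net}} accept
{% endcall %}
# trusted hosts: untrusted sources are rejected inside CheckNet and never reach
# the rules below. Keep any new service meant to be public ABOVE this line.
jump CheckNet
# ssh (trusted ranges only, unlike 2222 above)
tcp dport 22 accept
# lmtp, from the DMZ host only.
# NOTE(review): this rule sits after `jump CheckNet`, so it only has effect if
# DMZ_IP is also inside net_trusted_ranges; otherwise CheckNet rejects the DMZ
# host before it gets here and the rule is dead. Confirm which is intended.
{% call(net) trust(DMZ_IP) %}
tcp dport 24 ip{{v}} saddr {{net}} accept
{% endcall %}
# portmapper
tcp dport 111 accept
udp dport 111 accept
# imap
tcp dport 143 accept
tcp dport 220 accept
# ldap
tcp dport 389 accept
# cups
tcp dport 631 accept
# nfsd, statd (x2), mountd, lockd
tcp dport 2049 accept
udp dport 2049 accept
tcp dport 2050 accept
udp dport 2050 accept
tcp dport 2051 accept
udp dport 2051 accept
tcp dport 2052 accept
udp dport 2052 accept
tcp dport 2053 accept
udp dport 2053 accept
# pulseaudio
tcp dport 4713 accept
# zeroconf
udp dport 5353 accept
# sane
tcp dport 6515-6566 accept
# kodi
tcp dport 8080 accept
# libreoffice online, from the DMZ host only (same CheckNet caveat as lmtp)
{% call(net) trust(DMZ_IP) %}
tcp dport 9980 ip{{v}} saddr {{net}} accept
{% endcall %}
}
# FilterOut: output hook, nothing is filtered on egress.
chain FilterOut {
type filter hook output priority 0
policy accept
}
}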
{% endfor %}