#!/usr/bin/env nft -f
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
# Start from an empty kernel ruleset so that the tables rendered below are
# the only ones present afterwards. Note: "flush ruleset" clears EVERY table
# in the kernel, not only Inet4/Inet6 -- rules installed by other tooling on
# the host are gone after this file is loaded and must be re-applied.
flush ruleset
{% for V in ['4', '6'] %}
{% set v = V | replace('4', '') %}
{#
  trust(list): whitelist emitter, used as {% call(net) trust('...') %} body {% endcall %}.
  `list` is a space-separated string of IPv4/IPv6 addresses or CIDR prefixes.
  For every entry that belongs to the address family of the current outer
  loop pass (V is '4' or '6') the call body is rendered once, with `net`
  bound to that entry, so the rendered rules only ever mix "ip saddr" with
  IPv4 literals and "ip6 saddr" with IPv6 literals.
  Skipped silently: loopback entries (127.x.x.x[/n], anything starting with
  ::1), empty strings (e.g. produced by doubled spaces), and any entry that
  is neither a dotted quad nor contains ':' -- a hostname in the list
  therefore yields no rule at all (fail-closed, but easy to miss).
#}
{% macro trust(list) %}
{% set loopback_re = '127(?:\.\d{1,3}){3}(?:/\d+)?|::1|^$' %}
{% set ipv4_re = '\d{1,3}(?:\.\d{1,3}){3}(?:/\d+)?' %}
{% for entry in list.split(' ') %}
{% set wanted_v4 = entry is match(ipv4_re) and V == '4' %}
{% set wanted_v6 = entry is search(':') and V == '6' %}
{% if (entry is not match(loopback_re)) and (wanted_v4 or wanted_v6) %}
{{ caller(entry) }}
{% endif %}
{% endfor %}
{% endmacro %}
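# Per-family filter table: with V='4' this renders "table ip Inet4", with
# V='6' "table ip6 Inet6" (v is '' or '6'). Every address match inside the
# table is spelled "ip{{v}} saddr" so the family keyword always matches the
# table's family -- the trust macro guarantees the literal is of that family.
table ip{{v}} Inet{{V}} {
    # Source gate. "return" hands control back to the calling chain, which
    # then continues with the rule after its "jump", so a source listed in
    # net_trusted_ranges goes on to the per-service rules; every other
    # source is terminated here with an ICMP admin-prohibited reject.
    chain CheckNet {
{% call(net) trust(net_trusted_ranges) %}
        ip{{v}} saddr {{net}} return
{% endcall %}
{% if V == '4' %}
        reject with icmp type admin-prohibited
{% else %}
        reject with icmpv6 type admin-prohibited
{% endif %}
    }

    chain FilterIn {
        type filter hook input priority 0
        # anything not explicitly accepted below is dropped
        policy drop

        # allow established/related connections
        ct state {established, related} accept

        # early drop of invalid connections
        ct state invalid drop

        # allow from loopback
        meta iif lo accept

        # allow icmp (all types, from any source)
{% if V == '4' %}
        ip protocol icmp accept
{% else %}
        # "meta l4proto" walks the extension-header chain; "ip6 nexthdr icmpv6"
        # only matches when ICMPv6 directly follows the fixed IPv6 header, so
        # ICMPv6 carried behind e.g. a hop-by-hop options header would be missed
        meta l4proto ipv6-icmp accept
{% endif %}

        # allow multicast (for DLNA) -- evaluated before the CheckNet gate,
        # i.e. accepted from any source, not only from trusted ranges
        meta pkttype multicast accept

        # git/ssh -- deliberately placed before the CheckNet gate, so this
        # port is reachable from every source.
        # NOTE(review): there is no rate limit on new connections here;
        # confirm the sshd behind it is key-only or add a "ct state new
        # limit rate" rule above this one if brute-force noise is a concern
        tcp dport 2222 accept

        # kodi upnp (1088/tcp, 1900/udp) and minidlna (8200/tcp+udp):
        # restricted to trusted ranges plus the configured DLNA clients
{% call(net) trust(net_trusted_ranges + ' ' + fw_dlna_clients) %}
        tcp dport 1088 ip{{v}} saddr {{net}} accept
        udp dport 1900 ip{{v}} saddr {{net}} accept
        tcp dport 8200 ip{{v}} saddr {{net}} accept
        udp dport 8200 ip{{v}} saddr {{net}} accept
{% endcall %}

        # trusted-hosts gate: CheckNet rejects every source that is not in
        # net_trusted_ranges, so EVERY rule below this line is reachable from
        # trusted ranges only (that is why they carry no saddr match)
        jump CheckNet

        # ssh
        tcp dport 22 accept

        # lmtp -- additionally restricted to the DMZ host.
        # "ip{{v}} saddr" (not a bare "ip saddr") keeps the family keyword
        # consistent with the table: a bare "ip saddr <ipv6>" does not parse
        # inside "table ip6" when DMZ_IP is an IPv6 address
{% call(net) trust(DMZ_IP) %}
        tcp dport 24 ip{{v}} saddr {{net}} accept
{% endcall %}

        # portmapper (rpcbind, needed for NFS)
        tcp dport 111 accept
        udp dport 111 accept

        # imap (143) and imap3 (220) -- cleartext-capable ports, no 993 here.
        # NOTE(review): confirm the IMAP server requires STARTTLS before login
        tcp dport 143 accept
        tcp dport 220 accept

        # ldap -- 389 only (no 636/ldaps).
        # NOTE(review): confirm the directory enforces STARTTLS on 389
        tcp dport 389 accept

        # cups
        tcp dport 631 accept

        # nfsd, statd (×2), mountd, lockd -- the RPC services are pinned to
        # 2049-2053 on this host, so a single range covers all five
        tcp dport 2049-2053 accept
        udp dport 2049-2053 accept

        # pulseaudio
        tcp dport 4713 accept

        # zeroconf (mDNS)
        udp dport 5353 accept

        # sane (saned data-connection port range)
        tcp dport 6515-6566 accept

        # kodi web interface
        tcp dport 8080 accept

        # libreoffice online -- additionally restricted to the DMZ host
        # (same ip{{v}} reasoning as for lmtp above)
{% call(net) trust(DMZ_IP) %}
        tcp dport 9980 ip{{v}} saddr {{net}} accept
{% endcall %}
    }

    # no egress filtering: everything leaving the host is accepted
    chain FilterOut {
        type filter hook output priority 0
        policy accept
    }
}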
{% endfor %}