feat: Add backup and security hardening

2025-11-08 00:28:17 +01:00
parent 8de3f16ee6
commit 96f521a474
23 changed files with 5696 additions and 939 deletions
--- a/scripts/security-setup/nftables.conf
+++ b/scripts/security-setup/nftables.conf
@@ -0,0 +1,112 @@
+#!/usr/sbin/nft -f
+# nftables configuration for Gentoo workstation
+# Security-focused firewall with Docker support
+
+# Flush existing ruleset
+flush ruleset
+
+# Define variables
+define lan_interface = "wlp194s0"
+define nas_ip = 192.168.2.171
+define ssh_port = 22
+
+table inet filter {
+  # Rate limiting for connection attempts
+  set ratelimit_ssh {
+    type ipv4_addr
+    flags timeout
+    timeout 5m
+  }
+
+  set blocklist {
+    type ipv4_addr
+    flags timeout
+    timeout 1h
+  }
+
+  chain input {
+    type filter hook input priority filter; policy drop;
+
+    # Allow established and related connections
+    ct state established,related accept
+
+    # Allow loopback
+    iif "lo" accept
+
+    # Drop invalid packets
+    ct state invalid drop
+
+    # Allow ICMP (ping) with rate limiting
+    ip protocol icmp icmp type {
+      echo-request,
+      destination-unreachable,
+      time-exceeded
+    } limit rate 5/second accept
+
+    # Allow ICMPv6 (if needed in future)
+    ip6 nexthdr icmpv6 icmpv6 type {
+      echo-request,
+      destination-unreachable,
+      packet-too-big,
+      time-exceeded,
+      parameter-problem,
+      nd-router-advert,
+      nd-neighbor-solicit,
+      nd-neighbor-advert
+    } limit rate 5/second accept
+
+    # Allow SSH from LAN only with rate limiting
+    ip saddr @blocklist drop
+    tcp dport $ssh_port ip saddr @ratelimit_ssh drop
+    tcp dport $ssh_port ct state new \
+      add @ratelimit_ssh { ip saddr limit rate 3/minute } accept
+
+    # Allow mDNS for local network discovery
+    udp dport 5353 ip daddr 224.0.0.251 accept
+    udp dport 5353 ip6 daddr ff02::fb accept
+
+    # Allow DHCPv6 client
+    udp sport 546 udp dport 547 accept
+
+    # Log dropped packets (optional - comment out if too noisy)
+    # limit rate 5/minute log prefix "nftables-drop: "
+
+    # Drop everything else
+    drop
+  }
+
+  chain forward {
+    type filter hook forward priority filter; policy drop;
+
+    # Allow established and related connections
+    ct state established,related accept
+
+    # Drop invalid packets
+    ct state invalid drop
+
+    # Docker containers (if needed)
+    # Uncomment if using Docker bridge networking
+    # iifname "docker0" accept
+    # oifname "docker0" accept
+
+    # Drop everything else
+    drop
+  }
+
+  chain output {
+    type filter hook output priority filter; policy accept;
+
+    # Allow all outgoing by default (workstation)
+    accept
+  }
+}
+
+# Separate table for NAT (if needed for Docker)
+table ip nat {
+  chain postrouting {
+    type nat hook postrouting priority srcnat; policy accept;
+
+    # Docker NAT (uncomment if using Docker)
+    # oifname $lan_interface masquerade
+  }
+}