#!/usr/sbin/nft -f
# nftables configuration for Gentoo workstation
# Security-focused firewall with Docker support

# Start from an empty kernel ruleset. This removes *every* table,
# including any that Docker has installed (e.g. via iptables-nft), so
# after re-loading this file Docker's rules have to be reinstalled
# (typically by restarting the daemon).
flush ruleset

# Symbolic names used by the rules below.
define lan_interface = "wlp194s0"    # interface facing the LAN
define nas_ip = 192.168.2.171        # NAS address; unreferenced in this ruleset
define ssh_port = 22
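table inet filter {
	# Per-source meter for new SSH connections. The input chain adds
	# one element per client address with `add @ratelimit_ssh`, each
	# element carrying its own `limit rate` state. `dynamic` is what
	# allows a rule to add elements from the packet path, `timeout`
	# expires idle entries, and `size` bounds memory: when the set is
	# full the add fails, the SSH rule does not match, and the packet
	# falls through to the final drop (fails closed).
	set ratelimit_ssh {
		type ipv4_addr
		flags dynamic,timeout
		timeout 5m
		size 65535
	}

	# Deny list populated by hand with `nft add element`; no rule in
	# this file adds to it. Entries expire after 1h unless given an
	# explicit timeout.
	set blocklist {
		type ipv4_addr
		flags timeout
		timeout 1h
	}

	chain input {
		type filter hook input priority filter; policy drop;

		# Packets belonging to connections already accepted, either
		# direction.
		ct state established,related accept

		# Loopback is trusted unconditionally.
		iif "lo" accept

		# Packets conntrack cannot classify.
		ct state invalid drop

		# Deny-listed sources get nothing at all, so this sits ahead
		# of every accept rule below (including ICMP).
		ip saddr @blocklist drop

		# ICMPv4 diagnostics, one shared rate limit.
		icmp type {
			echo-request,
			destination-unreachable,
			time-exceeded
		} limit rate 5/second accept

		# ICMPv6: neighbour discovery is required for IPv6 to work at
		# all (address resolution, router discovery), so it is kept
		# outside the rate limit; the diagnostic types share one limit.
		icmpv6 type {
			nd-router-advert,
			nd-neighbor-solicit,
			nd-neighbor-advert
		} accept
		icmpv6 type {
			echo-request,
			destination-unreachable,
			packet-too-big,
			time-exceeded,
			parameter-problem
		} limit rate 5/second accept

		# SSH: only via the LAN interface, at most 3 new connections
		# per minute per source address. The set statement matches
		# while the source is within its budget; once over, the rule
		# does not match and the packet reaches the final drop. Note
		# `ip saddr` is IPv4-only, so SSH over IPv6 is dropped here.
		iifname $lan_interface tcp dport $ssh_port ct state new \
			add @ratelimit_ssh { ip saddr limit rate 3/minute } accept

		# mDNS, multicast destinations only.
		udp dport 5353 ip daddr 224.0.0.251 accept
		udp dport 5353 ip6 daddr ff02::fb accept

		# DHCPv6 client: servers and relays answer from port 547 to the
		# client's port 546 (RFC 8415). The reply's source does not
		# match the multicast solicit, so conntrack treats it as new
		# and it needs an explicit accept.
		udp sport 547 udp dport 546 accept

		# Log dropped packets (optional - comment out if too noisy)
		# limit rate 5/minute log prefix "nftables-drop: "

		# Explicit catch-all; same effect as the chain policy.
		drop
	}

	chain forward {
		type filter hook forward priority filter; policy drop;

		# Packets belonging to forwarded connections already accepted.
		ct state established,related accept

		# Packets conntrack cannot classify.
		ct state invalid drop

		# Docker bridge networking: uncomment when containers need
		# network access. Any base chains Docker installs on this hook
		# run in addition to this chain, and a packet must be accepted
		# by every base chain on the hook to pass.
		# iifname "docker0" accept
		# oifname "docker0" accept

		# Explicit catch-all; same effect as the chain policy.
		drop
	}

	chain output {
		type filter hook output priority filter; policy accept;

		# Workstation: all outgoing traffic is allowed.
		accept
	}
}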
# NAT table, only needed when traffic is forwarded (e.g. for Docker).
# NOTE(review): if Docker manages rules through iptables-nft it also
# uses a table named `ip nat`; this chain would then sit alongside
# Docker's chains in that table rather than replacing them -- confirm
# with `nft list tables`.
table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;

		# Masquerade forwarded traffic leaving via the LAN interface
		# (uncomment if using Docker).
		# oifname $lan_interface masquerade
	}
}