Add nftables package
parent
9d54929f98
commit
dd74783d21
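--- /dev/null
+++ b/PATH_NOT_SHOWN_1
@@ -0,0 +1,64 @@
+# Contributor: Alex Denes <caskd@redxen.eu>
+# Maintainer: Alex Denes <caskd@redxen.eu>
+
+. ../APKBUILD-config.template
+
+pkgver=2021.06.19.04
+pkgrel=0
+options="!check" # check requires root???????
+
+subpackages="
+$pkgname-base
+$pkgname-openssh
+$pkgname-haproxy:_defmodule
+$pkgname-murmur:_defmodule
+$pkgname-dovecot:_defmodule
+$pkgname-postfix:_defmodule
+$pkgname-wireguard:_defmodule
+$pkgname-unbound:_defmodule
+$pkgname-transmission:_defmodule
+"
+
+check() {
+msg "Checking if commands are valid"
+nft -c -I "$builddir/nft" -f "$builddir"/nft/loadall
+}
+
+prepare() {
+default_prepare
+
+cp -r "$startdir"/nft "$builddir"/nft # abuild doesn't support hierarchical includes yet, no hashes will be computed
+}
+
+package() {
+rx_install "nft/loadall"
+for x in "$builddir"/nft/*/*/table; do
+fnc="${x##$builddir/nft/}"
+_rx_installdir="$_rx_installdir/${fnc%/*}" rx_install "$x"
+done
+}
+
+base() {
+_modname="${subpkgname##$pkgname-}"
+install_if="$pkgname"
+_module "$_modname"
+}
+
+openssh() {
+_modname="${subpkgname##$pkgname-}"
+install_if="$pkgname $_modname"
+_module "$_modname"
+}
+
+_defmodule() {
+_modname="${subpkgname##$pkgname-}"
+install_if="$pkgname redxen-config-$_modname"
+_module "$_modname"
+}
+
+_module() {
+for x in $(find "$builddir"/nft -name "$1"); do
+fnc="${x##$builddir/nft/}"
+_rx_installdir="$_rx_installdir/${fnc%/*}" rx_install "$x"
+done
+}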
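Review bot: The `# check requires root???????` comment on `options="!check"` records a question rather than a reason, so the next maintainer cannot tell whether the check is merely inconvenient or genuinely cannot run in the build sandbox; in my experience `nft -c` still opens a netlink socket to the kernel even in dry-run mode, which is presumably what fails under abuild — confirm that and record it, e.g. `options="!check" # nft -c still needs netlink access to the kernel, which the build sandbox lacks`. Separately, `_module()` word-splits the unquoted `$(find "$builddir"/nft -name "$1")`, and both `fnc="${x##$builddir/nft/}"` expansions leave `$builddir` unquoted inside the pattern, so any glob characters in the build path would be interpreted instead of matched literally; `fnc="${x##"$builddir"/nft/}"` keeps the prefix literal. The loop body is identical in `package()` and `_module()`, so the per-file install step could become one shared helper.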
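--- /dev/null
+++ b/PATH_NOT_SHOWN_2
@@ -0,0 +1,2 @@
+iifname "rxmain" oifname "eth0" counter accept
+iifname "eth0" oifname "rxmain" counter accept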
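Review bot: The second rule, `iifname "eth0" oifname "rxmain" counter accept`, forwards anything arriving on eth0 towards rxmain with no `ct state` qualifier, so the forward chain (policy drop in `chain fwfi` of the table file) accepts new inbound flows to rxmain hosts from whatever can reach eth0 with those destinations, not only replies to traffic the rxmain side started. The masquerade rules only rewrite private source ranges and nothing in this commit adds DNAT under `nat/prerouting`, so the reply-only form looks like the intent: `iifname "eth0" oifname "rxmain" ct state established,related counter accept`. A `ct state invalid counter drop` ahead of both rules, mirroring the input chain's blocked rules, would be cheap as well.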
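--- /dev/null
+++ b/PATH_NOT_SHOWN_3
@@ -0,0 +1,2 @@
+tcp dport 143 counter accept;
+tcp dport 993 counter accept;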
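--- /dev/null
+++ b/PATH_NOT_SHOWN_4
@@ -0,0 +1,3 @@
+tcp dport 80 counter accept;
+tcp dport 443 counter accept;
+tcp dport 2442 counter accept; # Gitea SSH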
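--- /dev/null
+++ b/PATH_NOT_SHOWN_5
@@ -0,0 +1,2 @@
+tcp dport 64738 counter accept;
+udp dport 64738 counter accept;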
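--- /dev/null
+++ b/PATH_NOT_SHOWN_6
@@ -0,0 +1 @@
+tcp dport 22 counter accept;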
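--- /dev/null
+++ b/PATH_NOT_SHOWN_7
@@ -0,0 +1,3 @@
+tcp dport 25 counter accept;
+tcp dport 465 counter accept;
+tcp dport 587 counter accept;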
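--- /dev/null
+++ b/PATH_NOT_SHOWN_8
@@ -0,0 +1,2 @@
+tcp dport 51413 counter accept;
+udp dport 51413 counter accept;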
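--- /dev/null
+++ b/PATH_NOT_SHOWN_9
@@ -0,0 +1,2 @@
+tcp dport 53 counter accept;
+udp dport 53 counter accept;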
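Review bot: These two rules accept port 53 from every interface, and since the trusted rules already accept everything arriving on lo and eth1, what this file newly admits is DNS arriving on eth0. If unbound runs as a recursive resolver on this host, that makes it an open resolver reachable from eth0 unless unbound's own access-control happens to refuse the queries, and the firewall rule should not rely on that. If the resolver is meant for the rxmain side, scope the rules to it: `iifname "rxmain" udp dport 53 counter accept;` and the same for tcp.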
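--- /dev/null
+++ b/PATH_NOT_SHOWN_10
@@ -0,0 +1 @@
+udp dport 51820 counter accept;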
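--- /dev/null
+++ b/PATH_NOT_SHOWN_11
@@ -0,0 +1,3 @@
+ct state invalid counter drop;
+ip saddr @blackhole4 counter drop;
+ip6 saddr @blackhole6 counter drop;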
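--- /dev/null
+++ b/PATH_NOT_SHOWN_12
@@ -0,0 +1 @@
+ct state related,established counter accept;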
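--- /dev/null
+++ b/PATH_NOT_SHOWN_13
@@ -0,0 +1,2 @@
+ct state new iifname "eth0" limit rate over 1/second burst 50 packets add @blackhole4 { ip saddr } counter;
+ct state new iifname "eth0" limit rate over 1/second burst 50 packets add @blackhole6 { ip6 saddr } counter;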
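Review bot: `limit rate over 1/second burst 50 packets` in both rules is a single aggregate limiter, not a per-source one, so once any one sender pushes the overall new-connection rate past the threshold, the `add @blackhole4 { ip saddr }` that follows blacklists whichever source address arrives next — one noisy host gets unrelated legitimate clients banned for the set's 4h timeout. The IMAP (dport 143/993) and SMTP (dport 25/465/587) stateful files that follow repeat the same shape, so the fix applies to all three. nft can key the limiter on the source address with a meter, along the lines of `ct state new iifname "eth0" meter flood4 { ip saddr limit rate over 1/second burst 50 packets } add @blackhole4 { ip saddr } counter;` with `ip6 saddr` and a separate meter name for the v6 rule; I have not verified that a meter and a set update combine in one rule on the nft version in use, so run the result through `nft -c` first.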
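--- /dev/null
+++ b/PATH_NOT_SHOWN_14
@@ -0,0 +1,4 @@
+tcp dport 143 ct state new limit rate over 4/minute burst 10 packets add @blackhole4 { ip saddr } counter;
+tcp dport 143 ct state new limit rate over 4/minute burst 10 packets add @blackhole6 { ip6 saddr } counter;
+tcp dport 993 ct state new limit rate over 4/minute burst 10 packets add @blackhole4 { ip saddr } counter;
+tcp dport 993 ct state new limit rate over 4/minute burst 10 packets add @blackhole6 { ip6 saddr } counter;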
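--- /dev/null
+++ b/PATH_NOT_SHOWN_15
@@ -0,0 +1,6 @@
+tcp dport 25 ct state new limit rate over 4/minute burst 20 packets add @blackhole4 { ip saddr } counter;
+tcp dport 25 ct state new limit rate over 4/minute burst 20 packets add @blackhole6 { ip6 saddr } counter;
+tcp dport 465 ct state new limit rate over 4/minute burst 20 packets add @blackhole4 { ip saddr } counter;
+tcp dport 465 ct state new limit rate over 4/minute burst 20 packets add @blackhole6 { ip6 saddr } counter;
+tcp dport 587 ct state new limit rate over 4/minute burst 20 packets add @blackhole4 { ip saddr } counter;
+tcp dport 587 ct state new limit rate over 4/minute burst 20 packets add @blackhole6 { ip6 saddr } counter;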
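--- /dev/null
+++ b/PATH_NOT_SHOWN_16
@@ -0,0 +1,4 @@
+iifname "lo" counter accept; # Loopback
+iifname "eth1" counter accept; # Private network
+icmp type { echo-request } counter accept;
+icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } counter accept;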
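--- /dev/null
+++ b/PATH_NOT_SHOWN_17
@@ -0,0 +1,2 @@
+oifname "eth0" ip saddr 172.22.12.0/24 counter masquerade; # SNAT MASQUERADE v4
+oifname "eth0" ip6 saddr fd42:42:42::2:0/120 counter masquerade; # v6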
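--- /dev/null
+++ b/PATH_NOT_SHOWN_18
@@ -0,0 +1,63 @@
+table inet redxenfirewall {
+
+set blackhole4 {
+type ipv4_addr;
+timeout 4h;
+flags timeout;
+}
+
+set blackhole6 {
+type ipv6_addr;
+timeout 4h;
+flags timeout;
+}
+
+chain rxfi {
+type filter hook input priority 0;
+policy drop;
+include "inet/redxenfirewall/filter/input/blocked/*";
+include "inet/redxenfirewall/filter/input/trusted/*";
+include "inet/redxenfirewall/filter/input/stateful/*";
+include "inet/redxenfirewall/filter/input/allowed/*";
+include "inet/redxenfirewall/filter/input/established/*";
+counter reject with icmpx type admin-prohibited;
+}
+
+chain fwfi {
+type filter hook forward priority 0;
+policy drop;
+include "inet/redxenfirewall/filter/forward/*";
+counter reject with icmpx type no-route;
+}
+
+chain txfi {
+type filter hook output priority 0;
+policy accept;
+include "inet/redxenfirewall/filter/output/*";
+}
+
+chain prenat {
+type nat hook prerouting priority -100;
+policy accept;
+include "inet/redxenfirewall/nat/prerouting/*";
+}
+
+chain rxnat {
+type nat hook input priority 100;
+policy accept;
+include "inet/redxenfirewall/nat/input/*";
+}
+
+chain txnat {
+type nat hook output priority -100;
+policy accept;
+include "inet/redxenfirewall/nat/output/*";
+}
+
+chain postnat {
+type nat hook postrouting priority 100;
+policy accept;
+include "inet/redxenfirewall/nat/postrouting/*";
+}
+
+}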
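Review bot: In `chain rxfi` the established/related accept is included last, after the rate-limit and allowed-port includes, so every packet of an existing flow is evaluated against the whole port list before it is accepted; the conventional order is to accept `ct state established,related` right after the `ct state invalid` drop, i.e. move `include "inet/redxenfirewall/filter/input/established/*";` to directly below the blocked include. Because the stateful rules are keyed on `ct state new`, the reorder does not change which new connections are policed, only how much work established traffic does. `chain fwfi` has no invalid or established handling of its own and leaves that to the per-file forward rules, which deserves a comment above the include so the next forward file does not forget it.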
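--- /dev/null
+++ b/PATH_NOT_SHOWN_19
@@ -0,0 +1,5 @@
+#!/usr/sbin/nft -f
+
+flush ruleset;
+
+include "*/*/table";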
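--- /dev/null
+++ b/PATH_NOT_SHOWN_20
@@ -0,0 +1,12 @@
+# Contributor: Alex Denes <caskd@redxen.eu>
+# Maintainer: Alex Denes <caskd@redxen.eu>
+
+. ../APKBUILD-openrc.template
+
+pkgver=2021.06.19.01
+pkgrel=5
+
+sha512sums="
+c360ac162ec5d98d57cdea7c77358ba7367c088d24b93500fd2224fd86a5514b110b17ad5471e24b9a7adb9fe0db70e006c93487590d4d6ec7f46f267b1091a6 runfile
+b186de2902ef2bae19a11d306440c0f5890eba6e438957c377c04a7980fb58597e742009cc4c87d9c0b83a94a2176acd20c59646dd973976d34066201e10af61 conffile
+"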
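--- /dev/null
+++ b/PATH_NOT_SHOWN_21
@@ -0,0 +1,2 @@
+rules_directory="/etc/redxen/nftables"
+rules_file="${rules_directory}/loadall"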
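--- /dev/null
+++ b/PATH_NOT_SHOWN_22
@@ -0,0 +1,128 @@
+#!/sbin/openrc-run
+# Copyright 2014 Nicholas Vinson
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="checkconfig list panic save"
+extra_started_commands="reload"
+
+description="Manage nftable based firewall."
+description_checkconfig="Check validity of rulesets on disk without applying changes."
+description_save="Save current nftables rulesets to disk."
+description_list="Displays the current nftables ruleset."
+description_panic="Immediately drop all packets on all interfaces."
+description_reload="Clear current rulesets and load rulesets from the saved ruleset files."
+
+# Uppercase variables are there for backward compatibility.
+: ${rules_file:="/etc/nftables.nft"}
+: ${rules_directory:="/etc/nftables.d"}
+: ${save_options:="-n"}
+: ${save_on_stop:="no"}
+: ${enable_forwarding:="no"}
+
+depend() {
+need localmount
+after sysctl
+before net
+provide firewall
+}
+
+start_pre() {
+checkkernel && checkconfig
+}
+
+list() {
+nft list ruleset
+}
+
+panic() {
+checkkernel || return 1
+
+if service_started "$RC_SVCNAME"; then
+stop
+fi
+
+ebegin "Dropping all packets"
+nft -f /dev/stdin <<-EOF
+flush ruleset
+table inet filter {
+chain input { type filter hook input priority 0; policy drop; }
+chain forward { type filter hook forward priority 0; policy drop; }
+chain output { type filter hook output priority 0; policy drop; }
+}
+EOF
+eend $?
+}
+
+reload() {
+start
+}
+
+save() {
+ebegin "Saving nftables state"
+
+checkpath -q -d "${rules_file%/*}"
+checkpath -q -m 0600 -f "$rules_file"
+
+local tmp_save="$rules_file.tmp"
+
+echo 'flush ruleset' > "$tmp_save"
+nft list ruleset >> "$tmp_save"; local retval=$?
+
+[ $retval -eq 0 ] && mv "$tmp_save" "$rules_file"
+
+return $retval
+}
+
+start() {
+ebegin "Loading nftables state and starting firewall"
+
+nft -I "$rules_directory" -f "$rules_file"
+eend $? || return 1
+
+if yesno "$enable_forwarding"; then
+ebegin "Enabling forwarding"
+forwarding 1
+eend $? || return 1
+fi
+}
+
+stop() {
+if yesno "$save_on_stop"; then
+save || return 1
+fi
+
+if yesno "$enable_forwarding"; then
+ebegin "Disabling forwarding"
+forwarding 0
+eend $?
+fi
+
+ebegin "Stopping firewall"
+nft flush ruleset
+eend $?
+}
+
+checkconfig() {
+if [ ! -f "$rules_file" ]; then
+eerror "Rules files $rules_file does not exist!"
+return 1
+fi
+nft -c -I "$rules_directory" -f "$rules_file"
+}
+
+checkkernel() {
+if ! nft list tables >/dev/null 2>&1; then
+eerror "Your kernel lacks nftables support, please load"
+eerror "appropriate modules and try again."
+return 1
+fi
+return 0
+}
+
+forwarding() {
+/sbin/sysctl -qw \
+net.ipv4.ip_forward=$1 \
+net.ipv6.conf.default.forwarding=$1 \
+net.ipv6.conf.all.forwarding=$1
+}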
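Review bot: In `save()` the snapshot is written to `$tmp_save` through a plain redirection, so the temp file is created under the process umask rather than the 0600 that `checkpath` just applied to `$rules_file`, and the following `mv` replaces the 0600 file with the temp file's looser mode; set the mode before writing, `checkpath -q -m 0600 -f "$tmp_save"`, and remove the temp file with `rm -f "$tmp_save"` in the failure branch so a half-written snapshot is not left beside the real one. The function also opens with `ebegin "Saving nftables state"` but never closes it, so `eend $retval` belongs just before `return $retval`. This file looks like the Alpine/Gentoo nftables initscript copied in verbatim, in which case the same fix is worth sending upstream.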