From 945426edd468bfabfb21053c90901a39d244dd8e Mon Sep 17 00:00:00 2001 
From: Alex Denes
Date: Fri, 28 Oct 2022 08:52:58 +0000
Subject: [PATCH] Add nnd-nft nftables base

---
 APKBUILD.template | 15 +++++++
 main/nnd-nft/APKBUILD | 24 +++++++++++
 .../nft/inet/nnd-base/filter/forward/vtun | 2 +
 .../inet/nnd-base/filter/forward/wireguard | 3 ++
 .../nnd-base/filter/input/allowed/dovecot | 1 +
 .../nnd-base/filter/input/allowed/haproxy | 1 +
 .../inet/nnd-base/filter/input/allowed/murmur | 2 +
 .../nnd-base/filter/input/allowed/openssh | 1 +
 .../nnd-base/filter/input/allowed/postfix | 1 +
 .../filter/input/allowed/transmission | 2 +
 .../inet/nnd-base/filter/input/allowed/tshock | 1 +
 .../nnd-base/filter/input/allowed/unbound | 2 +
 .../nnd-base/filter/input/allowed/wireguard | 1 +
 .../nnd-base/filter/input/allowed/xonotic | 1 +
 .../inet/nnd-base/filter/input/stateful/base | 3 ++
 .../nft/inet/nnd-base/filter/output/base | 2 +
 .../nft/inet/nnd-base/nat/postrouting/vtun | 1 +
 .../inet/nnd-base/nat/postrouting/wireguard | 2 +
 main/nnd-nft/nft/inet/nnd-base/table | 43 +++++++++++++++++++
 main/nnd-nft/nft/loadall | 5 +++
 20 files changed, 113 insertions(+)
 create mode 100644 APKBUILD.template
 create mode 100644 main/nnd-nft/APKBUILD
 create mode 100644 main/nnd-nft/nft/inet/nnd-base/filter/forward/vtun
 create mode 100644 main/nnd-nft/nft/inet/nnd-base/filter/forward/wireguard
 create mode 100644 main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/dovecot
 create mode 100644 main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/haproxy
 create mode 100644 main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/murmur
 create mode 100644 main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/openssh
 create mode 100644 main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/postfix
 create mode 100644 main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/transmission
 create mode 100644 main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/tshock
 create mode 100644 main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/unbound
 create mode 100644
main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/wireguard
 create mode 100644 main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/xonotic
 create mode 100644 main/nnd-nft/nft/inet/nnd-base/filter/input/stateful/base
 create mode 100644 main/nnd-nft/nft/inet/nnd-base/filter/output/base
 create mode 100644 main/nnd-nft/nft/inet/nnd-base/nat/postrouting/vtun
 create mode 100644 main/nnd-nft/nft/inet/nnd-base/nat/postrouting/wireguard
 create mode 100644 main/nnd-nft/nft/inet/nnd-base/table
 create mode 100644 main/nnd-nft/nft/loadall

diff --git a/APKBUILD.template b/APKBUILD.template
new file mode 100644
index 0000000..7434a9c
--- /dev/null
+++ b/APKBUILD.template
@@ -0,0 +1,15 @@
+pkgname="${startdir##*/}" # Usually the package name is the same as the directory
+pkgver="$(date +'%Y.%m.%d')" # Use current date as fallback
+url="https://git.redxen.eu/nnd" # Upstream for package info
+arch="noarch" # Most things aren't arch specific
+license="none" # Can you even license configs?
+options="!check" # Usually software doesn't provide tests
+builddir="$srcdir" #
+
+_replace() {
+ sed -i -- "s/$1/$(printf "%s" "$2" | sed 's/[&/\]/\\&/g')/g" "$3"
+}
+
+_cpkgdir() {
+ echo "${subpkgdir:-${pkgdir}}"
+}
diff --git a/main/nnd-nft/APKBUILD b/main/nnd-nft/APKBUILD
new file mode 100644
index 0000000..33a28d3
--- /dev/null
+++ b/main/nnd-nft/APKBUILD
@@ -0,0 +1,24 @@
+# Contributor: Alex Denes
+# Maintainer: Alex Denes
+
+. ../../APKBUILD.template
+
+pkgrel=0
+pkgdesc="Basic generic nftables template"
+options="!check" # check requires root?
+
+check() {
+ msg "Checking if commands are valid"
+ nft -c -I "$builddir/nft" -f "$builddir"/nft/loadall
+}
+
+prepare() {
+ default_prepare
+
+ cp -r "$startdir"/nft "$builddir"/nft # abuild doesn't support hierarchical includes yet, no hashes will be computed
+}
+
+package() {
+ mkdir -p "$pkgdir"/etc/nnd
+ cp -r "$builddir"/nft "$pkgdir"/etc/nnd/nftables
+}
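Review bot: `_replace` escapes `&`, `/` and `\` in the replacement (`$2`) but passes `$1` into the sed pattern unescaped, so a search string containing `/`, `.`, `*`, `[`, `^` or `$` either breaks the `s///` expression or matches more than the caller asked for. Escaping the pattern the same way turns the helper into a literal-string replace: `local pat; pat="$(printf '%s' "$1" | sed 's/[][\\/.*^$]/\\&/g')"` followed by `sed -i -- "s/$pat/$(printf '%s' "$2" | sed 's/[&/\]/\\&/g')/g" "$3"`. Nothing in this commit calls `_replace` yet, so the fix only affects future APKBUILDs that source the template. A one-line comment above each helper stating its contract (`# _replace LITERAL REPLACEMENT FILE — in-place, all occurrences`) would also help, since the template is meant to be shared.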
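Review bot: `options="!check"` (already set by the template and repeated here) means `check()` is never executed, so a ruleset that does not even parse is still packaged; the `# check requires root?` comment is an open question rather than an observed failure, and `nft -c` is designed to validate without applying anything, so it is worth running `abuild check` once and either dropping the override or replacing the comment with the actual error seen. Because `prepare()` copies the rules straight from `$startdir` and, as its own comment says, no hashes are computed for them, this check would be the only validity gate the package has before the files land in `/etc/nnd/nftables`. If the check genuinely cannot run in the builder, a comment such as `# check disabled: <observed nft -c error here>` records why instead of a question mark.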
diff --git a/main/nnd-nft/nft/inet/nnd-base/filter/forward/vtun b/main/nnd-nft/nft/inet/nnd-base/filter/forward/vtun
new file mode 100644
index 0000000..617dd10
--- /dev/null
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/forward/vtun
@@ -0,0 +1,2 @@
+ip saddr 172.24.0.0/24 oifname "eth0" counter accept;
+iifname "eth0" ip daddr 172.24.0.0/24 counter accept;
diff --git a/main/nnd-nft/nft/inet/nnd-base/filter/forward/wireguard b/main/nnd-nft/nft/inet/nnd-base/filter/forward/wireguard
new file mode 100644
index 0000000..515f391
--- /dev/null
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/forward/wireguard
@@ -0,0 +1,3 @@
+iifname "rxmain" oifname "rxmain" counter accept;
+iifname "rxmain" oifname "eth0" counter accept;
+iifname "eth0" oifname "rxmain" counter accept;
diff --git a/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/dovecot b/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/dovecot
new file mode 100644
index 0000000..c45181a
--- /dev/null
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/dovecot
@@ -0,0 +1 @@
+tcp dport { 143, 993 } counter accept;
diff --git a/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/haproxy b/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/haproxy
new file mode 100644
index 0000000..9aeb20e
--- /dev/null
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/haproxy
@@ -0,0 +1 @@
+tcp dport { 80, 443, 2442 } counter accept;
diff --git a/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/murmur b/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/murmur
new file mode 100644
index 0000000..89203cf
--- /dev/null
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/murmur
@@ -0,0 +1,2 @@
+tcp dport 64738 counter accept;
+udp dport 64738 counter accept;
diff --git a/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/openssh b/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/openssh
new file mode 100644
index 0000000..6003683
--- /dev/null
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/openssh
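Review bot: The WAN-to-tunnel forward rules accept unconditionally — `iifname "eth0" ip daddr 172.24.0.0/24 counter accept;` here and `iifname "eth0" oifname "rxmain" counter accept;` in `filter/forward/wireguard` — and `fwfilter` carries no `ct state established,related accept`, so any packet arriving on eth0 with a route to the tunnel prefixes is forwarded to the VPN clients. With the masquerade rules in `nat/postrouting/*` most such traffic will be de-NATed reply traffic, but an upstream network that routes private space between neighbours would reach the clients directly, which is presumably not intended for a "base" policy. Scoping the inbound direction to reply traffic keeps the tunnels client-initiated: `iifname "eth0" ct state established,related ip daddr 172.24.0.0/24 counter accept;` and the matching `iifname "eth0" oifname "rxmain" ct state established,related counter accept;`. The interface names and the 172.24.0.0/24 prefix are repeated across the vtun/wireguard filter and nat files; a `define` in the table file would document them in one place.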
@@ -0,0 +1 @@
+tcp dport 22 counter accept;
diff --git a/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/postfix b/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/postfix
new file mode 100644
index 0000000..6dd4b62
--- /dev/null
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/postfix
@@ -0,0 +1 @@
+tcp dport { 25, 465, 587 } counter accept;
diff --git a/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/transmission b/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/transmission
new file mode 100644
index 0000000..69bc1d0
--- /dev/null
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/transmission
@@ -0,0 +1,2 @@
+tcp dport 51413 counter accept;
+udp dport 51413 counter accept;
diff --git a/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/tshock b/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/tshock
new file mode 100644
index 0000000..e9d5012
--- /dev/null
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/tshock
@@ -0,0 +1 @@
+tcp dport 7777 counter accept;
diff --git a/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/unbound b/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/unbound
new file mode 100644
index 0000000..5d40dc8
--- /dev/null
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/unbound
@@ -0,0 +1,2 @@
+tcp dport 53 counter accept;
+udp dport 53 counter accept;
diff --git a/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/wireguard b/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/wireguard
new file mode 100644
index 0000000..cf10dd6
--- /dev/null
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/wireguard
@@ -0,0 +1 @@
+udp dport 51820 counter accept;
diff --git a/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/xonotic b/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/xonotic
new file mode 100644
index 0000000..0a038b6
--- /dev/null
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/allowed/xonotic
@@ -0,0 +1 @@
+udp dport 26000 counter accept;
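Review bot: `tcp dport 53` / `udp dport 53` in `filter/input/allowed/unbound` accept from any source, so if this unbound instance recurses for whoever asks, the firewall is not what stops it from becoming an open resolver that can be abused for reflection traffic; the rule should be scoped to the networks meant to use it, e.g. the tunnel prefixes this commit already defines: `ip saddr { 172.22.12.0/24, 172.24.0.0/24 } udp dport 53 counter accept;` (plus the tcp and `ip6 saddr fd42:42:42::2:0/120` variants). If unbound's own `access-control` is intended to be the gate and the wide-open rule is deliberate, the file should say so in a comment, since nothing in the package records that assumption. The same "who is this for" comment would be useful on the other single-port files (e.g. port 2442 in `haproxy`), but unbound is the one where the answer changes the risk.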
diff --git a/main/nnd-nft/nft/inet/nnd-base/filter/input/stateful/base b/main/nnd-nft/nft/inet/nnd-base/filter/input/stateful/base
new file mode 100644
index 0000000..91c2e7b
--- /dev/null
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/stateful/base
@@ -0,0 +1,3 @@
+# Ban if connection attempts are still made over the limit
+ct state new meter ban4 { ip saddr timeout 10m limit rate over 2/second burst 60 packets } update @blackhole4 { ip saddr timeout 1h } counter reject;
+ct state new meter ban6 { ip6 saddr timeout 10m limit rate over 2/second burst 60 packets } update @blackhole6 { ip6 saddr timeout 1h } counter reject;
diff --git a/main/nnd-nft/nft/inet/nnd-base/filter/output/base b/main/nnd-nft/nft/inet/nnd-base/filter/output/base
new file mode 100644
index 0000000..748c995
--- /dev/null
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/output/base
@@ -0,0 +1,2 @@
+ip daddr @blackhole4 counter reject;
+ip6 daddr @blackhole6 counter reject;
diff --git a/main/nnd-nft/nft/inet/nnd-base/nat/postrouting/vtun b/main/nnd-nft/nft/inet/nnd-base/nat/postrouting/vtun
new file mode 100644
index 0000000..6cdefd4
--- /dev/null
+++ b/main/nnd-nft/nft/inet/nnd-base/nat/postrouting/vtun
@@ -0,0 +1 @@
+oifname "eth0" ip saddr 172.24.0.0/24 counter masquerade; # SNAT MASQUERADE v4
diff --git a/main/nnd-nft/nft/inet/nnd-base/nat/postrouting/wireguard b/main/nnd-nft/nft/inet/nnd-base/nat/postrouting/wireguard
new file mode 100644
index 0000000..f7b59d7
--- /dev/null
+++ b/main/nnd-nft/nft/inet/nnd-base/nat/postrouting/wireguard
@@ -0,0 +1,2 @@
+oifname "eth0" ip saddr 172.22.12.0/24 counter masquerade; # SNAT MASQUERADE v4
+oifname "eth0" ip6 saddr fd42:42:42::2:0/120 counter masquerade; # v6
diff --git a/main/nnd-nft/nft/inet/nnd-base/table b/main/nnd-nft/nft/inet/nnd-base/table
new file mode 100644
index 0000000..bfa4c79
--- /dev/null
+++ b/main/nnd-nft/nft/inet/nnd-base/table
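Review bot: The `@blackhole4`/`@blackhole6` entries this rule creates are only consulted in `filter/output/base`, never on input, so a source that tripped the limit is still admitted by the `allowed/*` rules; the ban merely stops the host's own replies (and every other locally generated packet, including its own outbound connections) to that address for an hour. If the intent is to cut the offender off, `rxfilter` needs an input check placed before the allowed accepts, e.g. `ip saddr @blackhole4 counter drop;` and `ip6 saddr @blackhole6 counter drop;`. Note also that `ct state new` covers UDP, where each packet of a new flow counts as new, so depending on where this rule ends up relative to the allowed rules — currently decided by the include glob's filename sort, which I cannot fully determine from here — a busy DNS client or upstream could be blackholed by the 2/second limit. The comment should state which of the two orderings (meter before or after the allowed accepts) the rule is designed for, because the two behave very differently.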
@@ -0,0 +1,43 @@
+table inet nnd-base {
+ chain rxfilter {
+ type filter hook input priority 0;
+ policy reject;
+
+ ct state invalid counter drop;
+ icmpx counter accept;
+
+ include "inet/nnd-base/filter/input/*";
+ counter reject with icmpx type admin-prohibited;
+ }
+ chain fwfilter {
+ type filter hook forward priority 0;
+ policy reject;
+ include "inet/nnd-base/filter/forward/*";
+ counter reject with icmpx type no-route;
+ }
+ chain txfilter {
+ type filter hook output priority 0;
+ policy accept;
+ include "inet/nnd-base/filter/output/*";
+ }
+ chain prenat {
+ type nat hook prerouting priority -100;
+ policy accept;
+ include "inet/nnd-base/nat/prerouting/*";
+ }
+ chain rxnat {
+ type nat hook input priority 100;
+ policy accept;
+ include "inet/nnd-base/nat/input/*";
+ }
+ chain txnat {
+ type nat hook output priority -100;
+ policy accept;
+ include "inet/nnd-base/nat/output/*";
+ }
+ chain postnat {
+ type nat hook postrouting priority 100;
+ policy accept;
+ include "inet/nnd-base/nat/postrouting/*";
+ }
+}
diff --git a/main/nnd-nft/nft/loadall b/main/nnd-nft/nft/loadall
new file mode 100644
index 0000000..d9a7bbc
--- /dev/null
+++ b/main/nnd-nft/nft/loadall
@@ -0,0 +1,5 @@
+#!/usr/sbin/nft -f
+
+flush ruleset;
+
+include "*/*/table";
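Review bot: `policy reject;` on `rxfilter` and `fwfilter` is not a valid base-chain policy (nft only accepts `accept` or `drop`), so this table fails to load as written; `policy drop;` keeps the intent, and the trailing `counter reject ...` lines still produce the explicit rejects. The `@blackhole4`/`@blackhole6` sets that `filter/input/stateful/base` updates and `filter/output/base` matches are never declared in this table, which is a second load-time error; they need `flags dynamic, timeout` for the timed `update` statements to work. As far as I recall nft's glob include skips directory matches, so `include "inet/nnd-base/filter/input/*"` would pull in neither `allowed/` nor `stateful/`, leaving only ICMP accepted — and `nat/prerouting`, `nat/input` and `nat/output` do not exist in this commit, so whether an unmatched glob is tolerated also needs confirming with `nft -c`. Naming the two sub-globs explicitly additionally pins the order between the allowed accepts and the meter rule, which is otherwise decided by filename sort. I also doubt `icmpx` is a valid match expression (it is the reject-type keyword); `meta l4proto { icmp, ipv6-icmp } counter accept;` is the usual dual-stack form, and none of this surfaces at build time because the APKBUILD sets `options="!check"`.
```nftables
table inet nnd-base {
	set blackhole4 { type ipv4_addr; flags dynamic, timeout; }
	set blackhole6 { type ipv6_addr; flags dynamic, timeout; }
	chain rxfilter {
		type filter hook input priority 0;
		policy drop;
		# … unchanged: invalid drop, ICMP accept …
		include "inet/nnd-base/filter/input/allowed/*";
		include "inet/nnd-base/filter/input/stateful/*";
		counter reject with icmpx type admin-prohibited;
	}
	chain fwfilter {
		type filter hook forward priority 0;
		policy drop;
		# … unchanged: forward include and final reject …
	}
	# … unchanged: txfilter, prenat, rxnat, txnat, postnat …
}
```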
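Review bot: The relative includes (`include "*/*/table"` here and the `inet/nnd-base/...` paths inside the table) resolve against nft's include path rather than against the location of this file as far as I know, so once the package installs the tree to `/etc/nnd/nftables` the ruleset only loads as `nft -I /etc/nnd/nftables -f /etc/nnd/nftables/loadall`; nothing in the package records that, and the `#!/usr/sbin/nft -f` shebang is misleading because the file is installed non-executable and `-f` alone would fail on the first include. A header comment such as `# Load with: nft -I /etc/nnd/nftables -f /etc/nnd/nftables/loadall` would spare the next operator that error. `flush ruleset;` at the top is the right shape for an atomic replace, but it is worth a comment that it also removes tables created by other tooling on the host, since this is meant to be a shared base.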