nftables-examples/example-desktop2.nft at main · santost12/nftables-examples · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
#!/usr/sbin/nft -f

flush ruleset

define LAN_NIC = enp4s0
define VM_NIC = virbr0

define HOME_IPV4 = {
  192.168.2.0/24
}

define HOME_IPV6 = {
  2001:5b0::/32
}

define VM_IPV4 = {
  192.168.122.0/24
}

define VM_IPV6 = {
  fd26:afd1:4238:1000::/64
}

define PRIVATE_IPV4 = {
  10.0.0.0/8,
  192.168.0.0/16,
  172.16.0.0/12
}

define PRIVATE_IPV6 = {
  fe80::/10,
  fd00::/8
}

table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;
                ct state invalid counter drop comment "early drop of invalid packets"
                ct state {established, related} counter accept comment "accept all connections related to connections made by us"
                meta l4proto icmp icmp type echo-request limit rate over 10/second burst 4 packets drop comment "No ping floods"
                meta l4proto ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 4 packets drop comment "No ping floods"
                iif lo accept comment "accept loopback"
                iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
                iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
                ip protocol icmp counter accept comment "accept all ICMP types"
                ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
                udp dport 5353 accept comment "mDNS"

                # SSH
                tcp dport 22 accept

                # SMB
                tcp dport {139,445} ip saddr {$PRIVATE_IPV4} accept
                tcp dport {139,445} ip6 saddr {$PRIVATE_IPV6} accept

                # NetBIOS
                udp dport {137,138} ip saddr {$PRIVATE_IPV4} accept
                udp dport {137,138} ip6 saddr {$PRIVATE_IPV6} accept

                # WSDD
                tcp dport 5357 accept
                udp dport 3702 accept

		# VNC
		tcp dport 5900 ip saddr {$HOME_IPV4} accept
		tcp dport 5900 ip6 saddr {$HOME_IPV6} accept

		# DNS for VMs
		tcp dport 53 iifname {$VM_NIC} accept
		udp dport 53 iifname {$VM_NIC} accept

		# DHCP for VMs
		udp dport 67 iifname {$VM_NIC} accept
        }

        chain forward {
                type filter hook forward priority 0; policy drop;

		# VM net
		iifname {$VM_NIC} oifname {$LAN_NIC} accept
		iifname {$LAN_NIC} oifname {$VM_NIC} accept
        }

        chain prerouting {
                type nat hook prerouting priority -100; policy accept;

        }

        chain postrouting {
                type nat hook postrouting priority 100; policy accept;

                # VM NAT
                iifname {$VM_NIC} oifname {$LAN_NIC} masquerade
                ip6 saddr {$VM_IPV6} oifname {$LAN_NIC} masquerade
        }

        chain output {
                type filter hook output priority 0; policy accept;

        }
}