mark22k
/
ansible-crxn-router
mirror of https://codeberg.org/mark22k/ansible-crxn-router.git


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235
							#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    set icmp4 {
        type icmp_type . icmp_code;
        flags interval;
        elements = {
            echo-request . 0,
            echo-reply . 0,
            destination-unreachable . 0-15,
            time-exceeded . 0-1
        };
    }

    set icmp6 {
        type icmpv6_type . icmpv6_code;
        flags interval;
        elements = {
            destination-unreachable . 0-7,
            packet-too-big . 0,
            time-exceeded . 0-1,
            parameter-problem . 0-2,
            echo-request . 0,
            echo-reply . 0,
            nd-router-solicit . 0,
            nd-router-advert . 0,
            nd-neighbor-solicit . 0,
            nd-neighbor-advert . 0,
            ind-neighbor-solicit . 0,
            ind-neighbor-advert . 0
        };
    }

    set dnet_interfaces {
        type ifname;
        elements = {
            {% if peers is defined %}{% for peer in peers %}
            "{{ peer.interface }}",
            {% endfor %}{% endif %}
            {% for ct in crazytrace %}
            "{{ ct.interface }}",
            {% endfor %}
        };
    }

    set dnet_ipv6 {
        type ipv6_addr;
        flags interval;
        elements = {
            fd00::/8
        };
    }

    set own_nets6 {
        type ipv6_addr;
        flags interval;
        elements = {
            {{ routing.ownnet }}
        }
    }

    chain dnet_forward {
        meta protocol != ip6 counter drop;

        # Reject own network from peers
        {% for ct in crazytrace %}
        ip6 saddr @own_nets6 ip6 saddr {{ ct.prefix }}/64 iifname "{{ ct.interface }}" accept;
        {% endfor %}
        meta protocol ip6 ip6 saddr @own_nets6 counter drop;

        # Reject non-crxn addresses from peers
        meta protocol ip6 ip6 saddr != @dnet_ipv6 \
            log prefix "[nftables][dnet] Someone tried to forward with non-dnet source address: " counter reject;
        meta protocol ip6 ip6 daddr != @dnet_ipv6 \
            log prefix "[nftables][dnet] Someone tried to forward with non-dnet destination address: " counter reject;

        # Gather some statistics about possible attacks in the crxn
        tcp flags & (fin|psh|urg) == fin|psh|urg \
            log prefix "[nftables][dnet] Forward XMAS: " counter;
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 \
            log prefix "[nftables][dnet] Forward TCP null package: " counter;
        tcp flags syn \
            tcp option maxseg size 1-535 \
            log prefix "[nftables][dnet] Forward invalid TCP MSS: " counter;
        meta nfproto ipv4 @nh,48,8 & 0x80 == 0x80 \
            log prefix "[nftables] Forward evil bit: " counter;

        counter accept;
    }
    chain dnet_input {
        {% for ct in crazytrace %}
        ip6 saddr @own_nets6 ip6 saddr {{ ct.prefix }}/64 iifname "{{ ct.interface }}" accept;
        {% endfor %}
        ip6 saddr @own_nets6 \
            log prefix "[nftables][dnet] Hjacking of the own network: " counter drop;
        ip6 saddr != @dnet_ipv6 ip6 saddr != fe80::/10 \
            log prefix "[nftables][dnet] Invalid source address: " counter drop;

        ip6 saddr fe80::/64 udp dport 6696 accept;
    }
 
    chain drop_evil_ct {
        # CT INVALID
        ct state invalid counter drop;

        # If a TCP is New and has no Syn Flag:
        tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop;
    }

    chain drop_evil {
        meta nfproto ipv4 @nh,48,8 & 0x80 == 0x80 \
            log prefix "[nftables] Evil bit: " counter;

        tcp flags & (fin|psh|urg) == fin|psh|urg \
            log prefix "[nftables] XMAS: " counter drop;
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 \
            log prefix "[nftables] TCP null package: " counter drop;
        tcp flags syn \
            tcp option maxseg size 1-535 \
            log prefix "[nftables] Invalid TCP MSS: " counter drop;

        iifname != @dnet_interfaces iifname != "lo" ip6 saddr @dnet_ipv6 \
            log prefix "[nftables] Dnet packet on non-dnet interface: " counter drop;
    }

    chain common_input {
    }

    chain input {
        type filter hook input priority 0;
        policy drop;

        jump drop_evil;
        jump drop_evil_ct;

        # Anti-lockout
        tcp dport 22 accept;

        # Filter dnet connections
        iifname @dnet_interfaces jump dnet_input;

        ct state { established, related } accept;

        icmp type . icmp code @icmp4 accept;
        icmpv6 type . icmpv6 code @icmp6 accept;

        {% if firewall.alfis is defined %}
        tcp dport 4244 accept;
        {% endif %}

        {% if firewall.http is defined %}
        tcp dport 80 accept;
        {% endif %}

        {% if firewall.https is defined %}
        tcp dport 443 accept;
        {% endif %}

        # WireGuard
        {% set wg_peers = [] %}
        {% for peer in peers %}{% if peer.type == "wg" %}
            {% set _ = wg_peers.append(peer.wg.port) %}
        {% endif %}{% endfor %}
        {% if wg_peers %}
        udp dport { {{ wg_peers | join(",") }} } accept;
        {% endif %}

        # fastd
        {% set fastd_peers = [] %}
        {% for peer in peers %}{% if peer.type == "fastd" %}
            {% set _ = fastd_peers.append(peer.fastd.port) %}
        {% endif %}{% endfor %}
        {% if fastd_peers %}
        udp dport { {{ fastd_peers | join(",") }} } accept;
        {% endif %}

        # OpenVPN
        {% set openvpn_peers = [] %}
        {% for peer in peers %}{% if peer.type == "openvpn" %}
            {% set _ = openvpn_peers.append(peer.openvpn.port) %}
        {% endif %}{% endfor %}
        {% if openvpn_peers %}
        udp dport { {{ openvpn_peers | join(",") }} } accept;
        {% endif %}


        {% if babelweb2.nginx.telnet_proxy is defined and babelweb2.nginx.telnet_proxy %}
        # babelweb2 proxy
        tcp dport 33321 accept;
        {% endif %}

        {% if yggdrasil.listen is defined %}
        {% for item in yggdrasil.listen %}
        tcp dport {{ item.port }} accept;
        {% endfor %}
        {% endif %}

        {% if yggdrasil.multicast_discovery is defined %}
        {% for item in yggdrasil.multicast_discovery %}
        udp dport 9001 ip6 daddr ff02::114 iifname {{ item.interface }} accept;
        {% endfor %}
        {% endif %}

        {% for peer in peers if peer.type == "gre" %}
        ip protocol gre ip{% if ":" in peer.gre.endpoint %}:{% endif %} saddr {{ peer.gre.endpoint }} accept;
        {% endfor %}

        {% if firewall.rules is defined %}{% for rule in firewall.rules %}
        {{ rule }};
        {% endfor %}{% endif %}

        # UDP traceroute
        udp dport 33424-33689 ip6 saddr @dnet_ipv6 counter reject;

        # Accept all link local connections
        iifname lo ip daddr 127.0.0.1/8 counter accept;
        iifname lo ip6 daddr ::1/128 counter accept;

        # Log attempts from peers
        ip6 saddr fe80::/10 \
            log prefix "[nftables] Violation from peer: " counter;
    }
    chain forward {
        type filter hook forward priority 0;
        policy drop;

        iifname @dnet_interfaces oifname @dnet_interfaces goto dnet_forward;
    }
    chain output {
        type filter hook output priority 0;
    }
}