ansible-crxn-router/roles/config-nftables/templates/rules.j2

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    set icmp4 {
        type icmp_type . icmp_code;
        flags interval;
        elements = {
            echo-request . 0,
            echo-reply . 0,
            destination-unreachable . 0-15,
            time-exceeded . 0-1
        };
    }

    set icmp6 {
        type icmpv6_type . icmpv6_code;
        flags interval;
        elements = {
            destination-unreachable . 0-7,
            packet-too-big . 0,
            time-exceeded . 0-1,
            parameter-problem . 0-2,
            echo-request . 0,
            echo-reply . 0,
            nd-router-solicit . 0,
            nd-router-advert . 0,
            nd-neighbor-solicit . 0,
            nd-neighbor-advert . 0,
            ind-neighbor-solicit . 0,
            ind-neighbor-advert . 0
        };
    }

    set dnet_interfaces {
        type ifname;
        elements = {
            {% if peers is defined %}{% for peer in peers %}
            "{{ peer.interface }}",
            {% endfor %}{% endif %}
            {% for ct in crazytrace %}
            "{{ ct.interface }}",
            {% endfor %}
        };
    }

    set dnet_ipv6 {
        type ipv6_addr;
        flags interval;
        elements = {
            fd00::/8
        };
    }

    set own_nets6 {
        type ipv6_addr;
        flags interval;
        elements = {
            {{ routing.ownnet }}
        }
    }

    set tailscale4 {
        type ipv4_addr;
        flags interval;
        elements = { 100.64.0.0/10 }
    }

    set tailscale6 {
        type ipv6_addr;
        flags interval;
        elements = { fd7a:115c:a1e0::/96 }
    }

    chain dnet_forward {
        meta protocol != ip6 counter drop;

        # Reject own network from peers
        {% for ct in crazytrace %}
        ip6 saddr @own_nets6 ip6 saddr {{ ct.prefix }}/64 iifname "{{ ct.interface }}" accept;
        {% endfor %}
        meta protocol ip6 ip6 saddr @own_nets6 counter drop;

        # Reject non-crxn addresses from peers
        meta protocol ip6 ip6 saddr != @dnet_ipv6 \
            log prefix "[nftables][dnet] Someone tried to forward with non-dnet source address: " counter reject;
        meta protocol ip6 ip6 daddr != @dnet_ipv6 \
            log prefix "[nftables][dnet] Someone tried to forward with non-dnet destination address: " counter reject;

        # Gather some statistics about possible attacks in the crxn
        tcp flags & (fin|psh|urg) == fin|psh|urg \
            log prefix "[nftables][dnet] Forward XMAS: " counter;
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 \
            log prefix "[nftables][dnet] Forward TCP null package: " counter;
        tcp flags syn \
            tcp option maxseg size 1-535 \
            log prefix "[nftables][dnet] Forward invalid TCP MSS: " counter;
        meta nfproto ipv4 @nh,48,8 & 0x80 == 0x80 \
            log prefix "[nftables] Forward evil bit: " counter;

        counter accept;
    }
    chain dnet_input {
        {% for ct in crazytrace %}
        ip6 saddr @own_nets6 ip6 saddr {{ ct.prefix }}/64 iifname "{{ ct.interface }}" accept;
        {% endfor %}
        ip6 saddr @own_nets6 \
            log prefix "[nftables][dnet] Hjacking of the own network: " counter drop;
        ip6 saddr != @dnet_ipv6 ip6 saddr != fe80::/10 \
            log prefix "[nftables][dnet] Invalid source address: " counter drop;

        ip6 saddr fe80::/64 udp dport 6696 accept;
    }
 
    chain drop_evil_ct {
        # CT INVALID
        ct state invalid counter drop;

        # If a TCP is New and has no Syn Flag:
        tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop;
    }

    chain drop_evil {
        meta nfproto ipv4 @nh,48,8 & 0x80 == 0x80 \
            log prefix "[nftables] Evil bit: " counter;

        tcp flags & (fin|psh|urg) == fin|psh|urg \
            log prefix "[nftables] XMAS: " counter drop;
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 \
            log prefix "[nftables] TCP null package: " counter drop;
        tcp flags syn \
            tcp option maxseg size 1-535 \
            log prefix "[nftables] Invalid TCP MSS: " counter drop;

        {% if firewall.tailscale is defined and firewall.tailscale %}
        iifname != "tailscale0" ip saddr @tailscale4 drop;
        iifname != "tailscale0" ip6 saddr @tailscale6 drop;
        {% endif %}

        iifname != @dnet_interfaces iifname != "lo"{% if firewall.tailscale is defined and firewall.tailscale %} iifname != "tailscale0"{% endif %} ip6 saddr @dnet_ipv6 \
            log prefix "[nftables] Dnet packet on non-dnet interface: " counter drop;
    }

    chain input {
        type filter hook input priority 0;
        policy drop;

        jump drop_evil;
        jump drop_evil_ct;

        # Anti-lockout
        tcp dport 22 accept;

        # Filter dnet connections
        iifname @dnet_interfaces jump dnet_input;

        ct state { established, related } accept;

        icmp type . icmp code @icmp4 accept;
        icmpv6 type . icmpv6 code @icmp6 accept;

        {% if firewall.alfis is defined %}
        tcp dport 4244 accept;
        {% endif %}

        {% if firewall.http is defined %}
        tcp dport 80 accept;
        {% endif %}

        {% if firewall.https is defined %}
        tcp dport 443 accept;
        {% endif %}

        {% if firewall.tailscale is defined and firewall.tailscale %}
        udp dport 41641 counter accept;
        {% endif %}

        # WireGuard
        {% set wg_peers = [] %}
        {% for peer in peers %}{% if peer.type == "wg" %}
            {% set _ = wg_peers.append(peer.wg.port) %}
        {% endif %}{% endfor %}
        {% if wg_peers %}
        udp dport { {{ wg_peers | join(",") }} } accept;
        {% endif %}

        # fastd
        {% set fastd_peers = [] %}
        {% for peer in peers %}{% if peer.type == "fastd" %}
            {% set _ = fastd_peers.append(peer.fastd.port) %}
        {% endif %}{% endfor %}
        {% if fastd_peers %}
        udp dport { {{ fastd_peers | join(",") }} } accept;
        {% endif %}

        # OpenVPN
        {% set openvpn_peers = [] %}
        {% for peer in peers %}{% if peer.type == "openvpn" %}
            {% set _ = openvpn_peers.append(peer.openvpn.port) %}
        {% endif %}{% endfor %}
        {% if openvpn_peers %}
        udp dport { {{ openvpn_peers | join(",") }} } accept;
        {% endif %}


        {% if babelweb2.nginx.telnet_proxy is defined and babelweb2.nginx.telnet_proxy %}
        # babelweb2 proxy
        tcp dport 33321 accept;
        {% endif %}

        {% if yggdrasil.listen is defined %}
        {% for item in yggdrasil.listen %}
        tcp dport {{ item.port }} accept;
        {% endfor %}
        {% endif %}

        {% if yggdrasil.multicast_discovery is defined %}
        {% for item in yggdrasil.multicast_discovery %}
        udp dport 9001 ip6 daddr ff02::114 iifname {{ item.interface }} accept;
        {% endfor %}
        {% endif %}

        {% for peer in peers if peer.type == "gre" %}
        ip protocol gre ip{% if ":" in peer.gre.endpoint %}:{% endif %} saddr {{ peer.gre.endpoint }} accept;
        {% endfor %}

        {% if firewall.rules is defined %}{% for rule in firewall.rules %}
        {{ rule }};
        {% endfor %}{% endif %}

        # UDP traceroute
        udp dport 33424-33689 ip6 saddr @dnet_ipv6 counter reject;

        # Accept all link local connections
        iifname lo ip daddr 127.0.0.1/8 counter accept;
        iifname lo ip6 daddr ::1/128 counter accept;

        # Log attempts from peers
        ip6 saddr fe80::/10 \
            log prefix "[nftables] Violation from peer: " counter;
    }
    chain forward {
        type filter hook forward priority 0;
        policy drop;

        iifname @dnet_interfaces oifname @dnet_interfaces goto dnet_forward;
    }
    chain output {
        type filter hook output priority 0;
    }
}