From 37ad9e62a2589d6cccf0dc92ff8d16617915c5bd Mon Sep 17 00:00:00 2001
From: Nulo
Date: Thu, 17 Nov 2022 22:50:56 -0300
Subject: [PATCH] nftables

---
 modules/nftables.lua | 95 ++++++++++++++++++++++++++++++++++++++++++++
 setup.lua | 1 +
 2 files changed, 96 insertions(+)
 create mode 100644 modules/nftables.lua

diff --git a/modules/nftables.lua b/modules/nftables.lua
new file mode 100644
index 0000000..8f8508a
--- /dev/null
+++ b/modules/nftables.lua
@@ -0,0 +1,95 @@
+modules.nftables = {}
+add_packages({ "nftables" })
+add_file("/etc/nftables.nft", [[
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+
+ iifname lo accept \
+ comment "Accept any localhost traffic"
+
+ ct state { established, related } accept \
+ comment "Accept traffic originated from us"
+
+ ct state invalid drop \
+ comment "Drop invalid connections"
+
+ tcp dport 113 reject with icmpx type port-unreachable \
+ comment "Reject AUTH to make it fail fast"
+
+ ip protocol icmp icmp type {
+ echo-reply, # type 0
+ destination-unreachable, # type 3
+ echo-request, # type 8
+ time-exceeded, # type 11
+ parameter-problem, # type 12
+ } accept \
+ comment "Accept ICMP"
+
+ ip6 nexthdr icmpv6 icmpv6 type {
+ destination-unreachable, # type 1
+ packet-too-big, # type 2
+ time-exceeded, # type 3
+ parameter-problem, # type 4
+ echo-request, # type 128
+ echo-reply, # type 129
+ } accept \
+ comment "Accept basic IPv6 functionality"
+
+ ip6 nexthdr icmpv6 icmpv6 type {
+ nd-router-solicit, # type 133
+ nd-router-advert, # type 134
+ nd-neighbor-solicit, # type 135
+ nd-neighbor-advert, # type 136
+ } ip6 hoplimit 255 accept \
+ comment "Allow IPv6 SLAAC"
+
+ ip6 nexthdr icmpv6 icmpv6 type {
+ mld-listener-query, # type 130
+ mld-listener-report, # type 131
+ mld-listener-reduction, # type 132
+ mld2-listener-report, # type 143
+ } ip6 saddr fe80::/10 accept \
+ comment "Allow IPv6 multicast listener discovery on link-local"
+
+ ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept \
+ comment "Accept DHCPv6 replies from IPv6 link-local addresses"
+
+ tcp dport 80 counter accept \
+ comment "Allow HTTP"
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+}
+
+# The state of stateful objects saved on the nftables service stop.
+include "/var/lib/nftables/*.nft"
+
+]])
+
+modules.runit.add_service("nftables", [[#!/bin/sh
+if [ ! -r /etc/nftables.nft ]; then
+ echo "No config, dropping everything"
+ nft -f /dev/stdin <<-EOF
+ flush ruleset
+ table inet filter {
+ chain input { type filter hook input priority 0; policy drop; }
+ chain forward { type filter hook forward priority 0; policy drop; }
+ chain output { type filter hook output priority 0; policy drop; }
+ }
+ EOF
+ exit 1
+fi
+nft -f /etc/nftables.nft
+exec sleep infinity
+]])
diff --git a/setup.lua b/setup.lua
index 14928e7..3008658 100644
--- a/setup.lua
+++ b/setup.lua
@@ -49,6 +49,7 @@ module "hostname"
 module "dhcpcd"
 module "ntpsec"
 module "nginx"
+module "nftables"
 print("=> Installing and upgrading packages...")
 utils.expect_nil(alpine.make_world(root, packages))
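Review bot: The runit service ignores the exit status of `nft -f /etc/nftables.nft` and proceeds to `exec sleep infinity`, so a config that fails to load (nft -f is atomic, the previous ruleset stays in place) leaves a freshly booted host with an empty, accept-all ruleset while the service reports up; the fail-closed ruleset already written for the missing-config case should be applied on load failure as well, as in the rewrite below. The `<<-EOF` heredoc strips leading tabs only, so if the body of the Lua string is indented with spaces the `EOF` terminator is not recognised and `exit 1` becomes part of the heredoc — the collapsed diff does not show which indentation was used, so this is worth checking. Separately, the rules keyed on `ip6 nexthdr icmpv6` do not match packets carrying extension headers, and MLD messages are normally sent with a Hop-by-Hop Router Alert option, so the "Allow IPv6 multicast listener discovery" rule is unlikely to match real traffic; `meta l4proto ipv6-icmp icmpv6 type { ... }` matches regardless of extension headers. The comment above `include "/var/lib/nftables/*.nft"` describes a save-on-stop that nothing in this hunk implements (the service has no finish step), so either state where that directory is written or drop the comment.
```lua
-- … unchanged: add_file("/etc/nftables.nft", …) …
modules.runit.add_service("nftables", [[#!/bin/sh
fail_closed() {
	echo "nftables: $1, dropping everything" >&2
	nft -f /dev/stdin <<-EOF
	flush ruleset
	table inet filter {
	chain input { type filter hook input priority 0; policy drop; }
	chain forward { type filter hook forward priority 0; policy drop; }
	chain output { type filter hook output priority 0; policy drop; }
	}
	EOF
	exit 1
}
[ -r /etc/nftables.nft ] || fail_closed "no config"
nft -f /etc/nftables.nft || fail_closed "config failed to load"
exec sleep infinity
]])
```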