#!/usr/sbin/nft -f
# Jinja2 template (nftables.conf.j2): the {{ ... }} / {% ... %} tags are
# rendered by the deployment tooling before nft reads the file.

# Discard every currently loaded table (all families) so that the definitions
# below are the complete ruleset, not an addition to whatever is already loaded.
flush ruleset

table ip nat {
	# One (set, map) pair per NAT pool named by the keys of `nat`.
	# nat[<pool>] is iterated as (private_subnet, public_address) pairs:
	#   set  <pool>      — the private prefixes belonging to the pool
	#   map  <pool>-pub  — private prefix -> public address used for SNAT
	# The element lists are rendered with a trailing comma, and an empty pool
	# renders "elements = { }" — TODO confirm both parse on the deployed nft.
{% for nat_subnet in nat %}
	set {{ nat_subnet }} {
		type ipv4_addr
		flags interval
		elements = { {% for private_subnet, public_address in nat[nat_subnet] %}{{ private_subnet }},{% endfor %} }
	}

	map {{ nat_subnet }}-pub {
		type ipv4_addr : ipv4_addr
		flags interval
		elements = { {% for private_subnet, public_address in nat[nat_subnet] %}{{ private_subnet }}:{{ public_address }},{% endfor %} }
	}
{% endfor %}
	chain prerouting {
		type nat hook prerouting priority 0; policy accept;
		# No DNAT here: the chain only logs. NOTE(review): the log statement
		# has no rate limit; nat hooks are consulted per new flow rather than
		# per packet (as far as nft semantics go), so volume is bounded by the
		# connection rate, not the packet rate — verify this is intended.
		log prefix "LOG_ALL "
	}

	chain postrouting {
		type nat hook postrouting priority 100; policy accept;
		# Source-NAT traffic from each pool leaving via nat_interface, mapping
		# the private source to its public address through <pool>-pub.
		# Only icmp, udp and tcp are rewritten; any other protocol (e.g. GRE,
		# ESP) is not matched and leaves with its private source untranslated.
{% for nat_subnet in nat %}
		ip saddr @{{ nat_subnet }} ip protocol icmp oifname "{{ nat_interface }}" snat to ip saddr map @{{ nat_subnet }}-pub
		ip saddr @{{ nat_subnet }} ip protocol udp oifname "{{ nat_interface }}" snat to ip saddr map @{{ nat_subnet }}-pub
		ip saddr @{{ nat_subnet }} ip protocol tcp oifname "{{ nat_interface }}" snat to ip saddr map @{{ nat_subnet }}-pub
{% endfor %}
	}
}

table inet filter {
	chain input {
		type filter hook input priority 0; policy accept;
		# The chain policy is accept, but it ends in an unconditional reject,
		# so every packet not matched by a rule below is rejected.
		iifname "lo" accept
		# Two management hosts (v4 and v6) get unrestricted access.
		ip saddr 158.255.113.72 accept
		ip6 saddr 2001:1b48:2:103::bb:1 accept
		ct state established,related accept
		# SSH is reachable from any source; no source restriction or rate
		# limit is applied here.
		tcp dport ssh accept
		# All ICMPv4 is accepted; ICMPv6 only for the listed types.
		ip protocol icmp accept
		icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect, router-renumbering } accept
		# Trusted networks with full access to this host.
		ip saddr 185.230.78.0/24 accept
		ip saddr 185.230.79.0/26 accept
		ip saddr 172.16.0.0/16 accept
		ip saddr 100.64.0.0/16 accept
		# 224.0.0.18 is the VRRP multicast group — presumably a keepalived/VRRP
		# peer relationship on this host; verify.
		ip daddr 224.0.0.18 accept
		# NOTE(review): fd00::/4 masks to f000::/4, which is much wider than
		# the ULA range fc00::/7 (it also covers fe80::/10 link-local and
		# ff00::/8); confirm the intended prefix.
		ip6 saddr fd00::/4 accept
		ip6 saddr 2a0c:700::/32 accept
		# RADIUS (1812 authentication, 1813 accounting) from two peers only.
		ip saddr 185.230.78.47 tcp dport { 1812, 1813 } accept
		ip saddr 185.230.78.47 udp dport { 1812, 1813 } accept
		ip saddr 195.154.165.76 tcp dport { 1812, 1813 } accept
		ip saddr 195.154.165.76 udp dport { 1812, 1813 } accept
		# Everything else is actively rejected (error sent back), not dropped.
		reject
	}

	chain forward {
		type filter hook forward priority 0; policy accept;
		# Every new forwarded flow is logged, unconditionally and without a
		# rate limit; the "LOG_ALL " prefix matches the nat prerouting log.
		ct state new log prefix "LOG_ALL "
		ct state established,related accept
		ip protocol icmp accept
		# NOTE(review): in an inet table "ip protocol ipv6-icmp" matches IPv4
		# packets whose protocol field is 58, i.e. effectively nothing; ICMPv6
		# is actually handled by the icmpv6 type rule below. Check whether
		# "meta l4proto ipv6-icmp" was intended.
		ip protocol ipv6-icmp accept
		icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect, router-renumbering } accept
		# Trusted source networks may be forwarded anywhere.
		ip6 saddr 2a0c:700::/32 accept
		ip saddr 185.230.78.0/24 accept
		ip saddr 100.64.0.0/16 accept

		# Port openings for the CRANS servers.
		# Each entry of ports_openings is emitted verbatim as an nft rule: the
		# inventory value is trusted rule syntax, not a validated port list.
{% for rule in ports_openings %}		{{ rule }}
{% endfor %}
		# Port openings for members' machines (same verbatim rendering as
		# above; entries must be trusted nft syntax).
{% for rule in ports_openings_adh %}		{{ rule }}
{% endfor %}
		# Anything not accepted above is rejected.
		reject
	}

	chain output {
		# Locally originated traffic is unrestricted.
		type filter hook output priority 0; policy accept
	}
}