diff --git a/nftables-attestation.conf b/nftables-attestation.conf
new file mode 100644
index 0000000..545fc08
--- /dev/null
+++ b/nftables-attestation.conf
@@ -0,0 +1,52 @@
+#!/usr/bin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain prerouting-raw {
+ type filter hook prerouting priority raw
+
+ iif lo notrack
+ tcp dport {ssh, http, https} notrack
+ ip protocol icmp notrack
+ meta l4proto ipv6-icmp notrack
+ }
+
+ chain output-raw {
+ type filter hook output priority raw
+
+ oif lo notrack
+ tcp sport {ssh, http, https} notrack
+ ip protocol icmp notrack
+ meta l4proto ipv6-icmp notrack
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+ iif lo accept
+ tcp dport {ssh, http, https} accept
+ ip protocol icmp accept
+ meta l4proto ipv6-icmp accept
+
+ ct state vmap { invalid : drop, established : accept, related : accept }
+
+ meta l4proto udp reject
+ meta l4proto tcp reject with tcp reset
+ reject
+ }
+
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+ }
+
+ chain output {
+ type filter hook output priority filter
+
+ oif lo accept
+
+ skuid != {root, systemd-network, chrony, unbound, http, attestation} counter reject
+ }
+}
diff --git a/nftables-discuss.conf b/nftables-discuss.conf
new file mode 100644
index 0000000..6d13ca2
--- /dev/null
+++ b/nftables-discuss.conf
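Review bot: The six files differ only in the port set used by the `notrack`/`accept` rules and in the `skuid` allow-set of the `output` chain, yet each one repeats the full five-chain ruleset; the same applies to nftables-discuss.conf, nftables-dns.conf, nftables-mail.conf, nftables-matrix.conf and nftables-web.conf. nft supports `define` and `include`, so each per-host file could set the two variables and include one shared ruleset, which keeps the copies from drifting (the dns variant already carries udp rules the others lack). The `output` chain also relies on the default accept policy for whatever the `skuid` rule does not match (including, if I read the match semantics right, kernel-generated packets with no owning socket); stating `policy accept` explicitly would make that deliberate. A short header comment explaining why the listed service ports and ICMP are exempted from conntrack in the raw chains — presumably so inbound service traffic is handled statelessly and only other flows are tracked — would let the next maintainer read the file without reverse-engineering the intent.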
@@ -0,0 +1,52 @@
+#!/usr/bin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain prerouting-raw {
+ type filter hook prerouting priority raw
+
+ iif lo notrack
+ tcp dport {ssh, http, https} notrack
+ ip protocol icmp notrack
+ meta l4proto ipv6-icmp notrack
+ }
+
+ chain output-raw {
+ type filter hook output priority raw
+
+ oif lo notrack
+ tcp sport {ssh, http, https} notrack
+ ip protocol icmp notrack
+ meta l4proto ipv6-icmp notrack
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+ iif lo accept
+ tcp dport {ssh, http, https} accept
+ ip protocol icmp accept
+ meta l4proto ipv6-icmp accept
+
+ ct state vmap { invalid : drop, established : accept, related : accept }
+
+ meta l4proto udp reject
+ meta l4proto tcp reject with tcp reset
+ reject
+ }
+
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+ }
+
+ chain output {
+ type filter hook output priority filter
+
+ oif lo accept
+
+ skuid != {root, systemd-network, chrony, unbound, http, flarum} counter reject
+ }
+}
diff --git a/nftables-dns.conf b/nftables-dns.conf
new file mode 100644
index 0000000..59d7c51
--- /dev/null
+++ b/nftables-dns.conf
@@ -0,0 +1,55 @@
+#!/usr/bin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain prerouting-raw {
+ type filter hook prerouting priority raw
+
+ iif lo notrack
+ udp dport domain notrack
+ tcp dport {ssh, domain} notrack
+ ip protocol icmp notrack
+ meta l4proto ipv6-icmp notrack
+ }
+
+ chain output-raw {
+ type filter hook output priority raw
+
+ oif lo notrack
+ udp sport domain notrack
+ tcp sport {ssh, domain} notrack
+ ip protocol icmp notrack
+ meta l4proto ipv6-icmp notrack
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+ iif lo accept
+ udp dport domain accept
+ tcp dport {ssh, domain} accept
+ ip protocol icmp accept
+ meta l4proto ipv6-icmp accept
+
+ ct state vmap { invalid : drop, established : accept, related : accept }
+
+ meta l4proto udp reject
+ meta l4proto tcp reject with tcp reset
+ reject
+ }
+
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+ }
+
+ chain output {
+ type filter hook output priority filter
+
+ oif lo accept
+
+ skuid != {root, systemd-network, chrony, unbound, powerdns} counter reject
+ }
+}
diff --git a/nftables-mail.conf b/nftables-mail.conf
new file mode 100644
index 0000000..4e62d28
--- /dev/null
+++ b/nftables-mail.conf
@@ -0,0 +1,52 @@
+#!/usr/bin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain prerouting-raw {
+ type filter hook prerouting priority raw
+
+ iif lo notrack
+ tcp dport {ssh, smtp, http, submissions, imaps} notrack
+ ip protocol icmp notrack
+ meta l4proto ipv6-icmp notrack
+ }
+
+ chain output-raw {
+ type filter hook output priority raw
+
+ oif lo notrack
+ tcp sport {ssh, smtp, http, submissions, imaps} notrack
+ ip protocol icmp notrack
+ meta l4proto ipv6-icmp notrack
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+ iif lo accept
+ tcp dport {ssh, smtp, http, submissions, imaps} accept
+ ip protocol icmp accept
+ meta l4proto ipv6-icmp accept
+
+ ct state vmap { invalid : drop, established : accept, related : accept }
+
+ meta l4proto udp reject
+ meta l4proto tcp reject with tcp reset
+ reject
+ }
+
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+ }
+
+ chain output {
+ type filter hook output priority filter
+
+ oif lo accept
+
+ skuid != {root, systemd-network, chrony, unbound, postfix, dovecot, dovenull} counter reject
+ }
+}
diff --git a/nftables-matrix.conf b/nftables-matrix.conf
new file mode 100644
index 0000000..b727470
--- /dev/null
+++ b/nftables-matrix.conf
@@ -0,0 +1,52 @@
+#!/usr/bin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain prerouting-raw {
+ type filter hook prerouting priority raw
+
+ iif lo notrack
+ tcp dport {ssh, http, https} notrack
+ ip protocol icmp notrack
+ meta l4proto ipv6-icmp notrack
+ }
+
+ chain output-raw {
+ type filter hook output priority raw
+
+ oif lo notrack
+ tcp sport {ssh, http, https} notrack
+ ip protocol icmp notrack
+ meta l4proto ipv6-icmp notrack
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+ iif lo accept
+ tcp dport {ssh, http, https} accept
+ ip protocol icmp accept
+ meta l4proto ipv6-icmp accept
+
+ ct state vmap { invalid : drop, established : accept, related : accept }
+
+ meta l4proto udp reject
+ meta l4proto tcp reject with tcp reset
+ reject
+ }
+
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+ }
+
+ chain output {
+ type filter hook output priority filter
+
+ oif lo accept
+
+ skuid != {root, systemd-network, chrony, unbound, http, synapse, matterbridge} counter reject
+ }
+}
diff --git a/nftables-web.conf b/nftables-web.conf
new file mode 100644
index 0000000..ec7515b
--- /dev/null
+++ b/nftables-web.conf
@@ -0,0 +1,52 @@
+#!/usr/bin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain prerouting-raw {
+ type filter hook prerouting priority raw
+
+ iif lo notrack
+ tcp dport {ssh, http, https} notrack
+ ip protocol icmp notrack
+ meta l4proto ipv6-icmp notrack
+ }
+
+ chain output-raw {
+ type filter hook output priority raw
+
+ oif lo notrack
+ tcp sport {ssh, http, https} notrack
+ ip protocol icmp notrack
+ meta l4proto ipv6-icmp notrack
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+ iif lo accept
+ tcp dport {ssh, http, https} accept
+ ip protocol icmp accept
+ meta l4proto ipv6-icmp accept
+
+ ct state vmap { invalid : drop, established : accept, related : accept }
+
+ meta l4proto udp reject
+ meta l4proto tcp reject with tcp reset
+ reject
+ }
+
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+ }
+
+ chain output {
+ type filter hook output priority filter
+
+ oif lo accept
+
+ skuid != {root, systemd-network, chrony, unbound, http} counter reject
+ }
+}