From 88692df3817728441dd7e093b78d4e7fafd30e3b Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Sun, 25 Dec 2022 18:53:04 -0500
Subject: [PATCH] dd nftables rules for grapheneos.social

---
 nftables-social.conf | 71 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 nftables-social.conf

diff --git a/nftables-social.conf b/nftables-social.conf
new file mode 100644
index 0000000..b9cb03c
--- /dev/null
+++ b/nftables-social.conf
@@ -0,0 +1,71 @@
+#!/usr/bin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain prerouting-raw {
+ type filter hook prerouting priority raw
+
+ iif lo notrack accept
+ tcp dport {22, 80, 443} notrack accept
+ meta l4proto {icmp, ipv6-icmp} notrack accept
+ }
+
+ chain output-raw {
+ type filter hook output priority raw
+
+ oif lo notrack accept
+ tcp sport {22, 80, 443} notrack accept
+ meta l4proto {icmp, ipv6-icmp} notrack accept
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+ iif lo accept
+ tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept
+ tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
+ meta l4proto {icmp, ipv6-icmp} accept
+
+ ct state vmap { invalid : drop, established : accept, related : accept }
+
+ meta l4proto udp reject
+ meta l4proto tcp reject with tcp reset
+ reject
+ }
+
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+ }
+
+ chain output {
+ type filter hook output priority filter
+
+ oif lo goto output-internal
+ skuid != {root, systemd-network, unbound, chrony, http, mastodon} counter goto output-reject
+ }
+
+ chain output-internal {
+ skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 th dport != {3000, 4000, 6379} accept
+ skuid {chrony, mastodon} meta l4proto {tcp, udp} th sport >= 1024 th sport != {3000, 4000, 6379} th dport 53 accept
+
+ skuid postgres udp sport >= 1024 udp sport != {3000, 4000, 6379} udp dport >= 1024 udp dport != {3000, 4000, 6379} accept
+
+ skuid mastodon tcp sport {3000, 4000, 6379} tcp dport >= 1024 tcp dport != {3000, 4000, 6379} accept
+ skuid http tcp sport >= 1024 tcp sport != {3000, 4000, 6379} tcp dport {3000, 4000, 6379} accept
+
+ skuid redis tcp sport 6379 tcp dport >= 1024 tcp dport != {3000, 4000, 6379} accept
+ skuid mastodon tcp sport >= 1024 tcp sport != {3000, 4000, 6379} tcp dport 6379 accept
+
+ skuid != root counter goto output-reject
+ accept
+ }
+
+ chain output-reject {
+ meta l4proto udp reject
+ meta l4proto tcp reject with tcp reset
+ reject
+ }
+}
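Review bot: The loopback rules for the `http` and `mastodon` users in `output-internal` grant more than the services visible in this ruleset need: `skuid http ... tcp dport {3000, 4000, 6379}` lets the web server user open connections to 6379, which the only other client rule reserves for the `mastodon` user, and `skuid mastodon tcp sport {3000, 4000, 6379}` lets mastodon answer from 6379 although the only listener on that port in this file is the `redis` rule. Unless the http user genuinely talks to redis, narrowing those two lines to `skuid mastodon tcp sport {3000, 4000} tcp dport >= 1024 tcp dport != {3000, 4000, 6379} accept` and `skuid http tcp sport >= 1024 tcp sport != {3000, 4000, 6379} tcp dport {3000, 4000} accept` keeps the reject-by-default posture as tight for a compromised web-server worker as it already is for postgres and redis. A short header comment stating why 22/80/443 are `notrack` on both the prerouting and output hooks (presumably to keep the conntrack table out of the path of inbound service traffic; confirm) and where the `{{ipv4_address}}` and `{{ipv6_address}}` placeholders are substituted would also help the next reader, since the `input` chain silently rejects service traffic to any other local address.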