#!/usr/bin/nft -f
# vim: ft=nftables
# SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
# SPDX-FileCopyrightText: 2023 1cho1ce <https://github.com/1cho1ce>
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: GPL-3.0-or-later
## TODO: source this ruleset
## Stop leaks
##
## Put the Qubes base chains into default-deny so that nothing enters, leaves
## or is forwarded by this qube unless a later rule explicitly accepts it.
##
## NOTE(review): the single-quoted '{ policy drop; }' is shell quoting for a
## `nft chain ...` command line, not `nft -f` syntax. If this file is ever
## sourced directly (see the shebang and the TODO above) the quotes must go,
## otherwise the ruleset will not parse.
## NOTE(review): as far as I know the stock Qubes `ip qubes` / `ip6 qubes`
## tables ship `input` and `forward` base chains but no `output` chain. If
## `output` does not already exist as a base chain, this line creates an
## unhooked regular chain (nft may even reject `policy` on it) and none of
## the `output` rules further down would ever see a packet -- i.e. no output
## filtering at all. Confirm with `nft list chain ip qubes output` that the
## chain shows `type filter hook output`; if not, declare it with
## `type filter hook output priority filter;`.
chain ip qubes forward '{ policy drop; }'
chain ip qubes input '{ policy drop; }'
chain ip qubes output '{ policy drop; }'
chain ip6 qubes forward '{ policy drop; }'
chain ip6 qubes input '{ policy drop; }'
chain ip6 qubes output '{ policy drop; }'
## Never forward anything to or from the uplink (interface group 1): traffic
## from downstream qubes must only ever leave through the VPN tunnel (group 9,
## accepted below). `insert` prepends, so every rule inserted later in this
## file lands in front of these two; that is fine here because the later
## accepts match groups 2 and 9 only.
insert rule ip qubes custom-forward oifgroup 1 drop
insert rule ip qubes custom-forward iifgroup 1 drop
insert rule ip6 qubes custom-forward oifgroup 1 drop
insert rule ip6 qubes custom-forward iifgroup 1 drop
## Accept forward traffic between downstream vif+ (group 2) and VPN (group 9)
##
## The VPN tunnel interface is the only device allowed to carry forwarded
## traffic for the downstream qubes; both directions are listed explicitly.
## Anything else is caught by the `forward` policy drop set above.
## NOTE(review): nothing in this file puts the tunnel device into interface
## group 9; presumably the VPN client or its up-script runs
## `ip link set dev <tun> group 9`. Until that happens downstream qubes have
## no path out at all, which at least fails closed -- confirm where the group
## is assigned.
insert rule ip qubes custom-forward iifgroup 2 oifgroup 9 accept
insert rule ip qubes custom-forward iifgroup 9 oifgroup 2 accept
insert rule ip6 qubes custom-forward iifgroup 2 oifgroup 9 accept
insert rule ip6 qubes custom-forward iifgroup 9 oifgroup 2 accept
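## Drop ICMP
##
## Refuse ICMP arriving via custom-input (presumably the hook Qubes' stock
## `input` chain jumps to) and stop locally generated ICMP from reaching the
## uplink (interface group 1), so that e.g. pings cannot leak outside the
## tunnel.
## The ip6 rules must match `ipv6-icmp` (protocol 58): `icmp` is protocol 1
## and never matches an IPv6 packet, so `meta l4proto icmp` in the ip6 table
## was a no-op and ICMPv6 was not being dropped here.
## NOTE(review): dropping all ICMPv6 on input also drops neighbour discovery
## (NS/NA/RA); that is acceptable only if this qube is not meant to use IPv6
## at all -- confirm.
## Because `insert` prepends, the `skgid qvpn` accept inserted later in this
## file ends up ahead of the output rule here, so ICMP sent by the qvpn group
## to the uplink is still accepted.
insert rule ip qubes custom-input meta l4proto icmp drop
insert rule ip qubes output oifgroup 1 meta l4proto icmp drop
insert rule ip6 qubes custom-input meta l4proto ipv6-icmp drop
insert rule ip6 qubes output oifgroup 1 meta l4proto ipv6-icmp drop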
## Allow traffic from the `qvpn` group to the uplink interface (eth0);
## Our VPN client will run with group `qvpn`.
##
## Loopback is always allowed. On the uplink (interface group 1) only sockets
## owned by the `qvpn` group may send, so only the VPN client can talk to the
## outside; every other local process hits the `output` policy drop above.
## NOTE(review): as far as I know nft resolves the group name to a gid when
## the ruleset is loaded, so the `qvpn` group must exist before this file is
## applied or the load fails -- confirm the group is created earlier in the
## provisioning.
## NOTE(review): `skgid` only matches packets that carry a socket owner, which
## is what we want for locally generated output; kernel-originated packets
## without a socket are left to the policy drop.
## The quoting of `qvpn` differs between the ip and ip6 rules; both forms
## should be accepted, but aligning them avoids confusion.
## Because these are `insert`ed last, they end up first in the output chain,
## ahead of the ICMP drop above.
insert rule ip qubes output oifname "lo" accept
insert rule ip qubes output oifgroup 1 skgid qvpn accept
insert rule ip6 qubes output oifname "lo" accept
insert rule ip6 qubes output oifgroup 1 skgid "qvpn" accept