Add IPv6 compatibility
This commit is contained in:
Tristan PILAT
parent
ab2a7e9eb0
commit
ba865faf0a
|
|
@ -109,20 +109,34 @@ $NFT add chain inet minifirewall minifirewall_output '{ type filter hook output
|
||||||
|
|
||||||
# Add set with trusted IP addresses
|
# Add set with trusted IP addresses
|
||||||
$NFT add set inet minifirewall minifirewall_trusted_v4_ips '{ type ipv4_addr ; flags interval ;}'
|
$NFT add set inet minifirewall minifirewall_trusted_v4_ips '{ type ipv4_addr ; flags interval ;}'
|
||||||
|
$NFT add set inet minifirewall minifirewall_trusted_v6_ips '{ type ipv6_addr ; flags interval ;}'
|
||||||
|
|
||||||
ip_type "$TRUSTEDIPS"
|
ip_type "$TRUSTEDIPS"
|
||||||
|
|
||||||
if [ -n "$v4_ips" ] ; then
|
if [ -n "$v4_ips" ] ; then
|
||||||
$NFT add element inet minifirewall minifirewall_trusted_v4_ips {$v4_ips}
|
$NFT add element inet minifirewall minifirewall_trusted_v4_ips {$v4_ips}
|
||||||
fi
|
fi
|
||||||
|
if [ -n "$v6_ips" ] ; then
|
||||||
|
$NFT add element inet minifirewall minifirewall_trusted_v6_ips {$v6_ips}
|
||||||
|
fi
|
||||||
|
|
||||||
# Add set with privileged IP addresses
|
# Add set with privileged IP addresses
|
||||||
$NFT add set inet minifirewall minifirewall_privileged_v4_ips '{ type ipv4_addr ; flags interval ;}'
|
$NFT add set inet minifirewall minifirewall_privileged_v4_ips '{ type ipv4_addr ; flags interval ;}'
|
||||||
|
$NFT add set inet minifirewall minifirewall_privileged_v6_ips '{ type ipv6_addr ; flags interval ;}'
|
||||||
|
|
||||||
ip_type "$PRIVILEGIEDIPS"
|
ip_type "$PRIVILEGIEDIPS"
|
||||||
|
|
||||||
if [ -n "$v4_ips" ] ; then
|
if [ -n "$v4_ips" ] ; then
|
||||||
$NFT add element inet minifirewall minifirewall_privileged_v4_ips {$v4_ips}
|
$NFT add element inet minifirewall minifirewall_privileged_v4_ips {$v4_ips}
|
||||||
fi
|
fi
|
||||||
|
if [ -n "$v6_ips" ] ; then
|
||||||
|
$NFT add element inet minifirewall minifirewall_privileged_v6_ips {$v6_ips}
|
||||||
|
fi
|
||||||
|
|
||||||
# Add set for blocked IP addresses
|
# Add set for blocked IP addresses
|
||||||
$NFT add set inet minifirewall minifirewall_blocked_v4_ips '{ type ipv4_addr ; flags interval ;}'
|
$NFT add set inet minifirewall minifirewall_blocked_v4_ips '{ type ipv4_addr ; flags interval ;}'
|
||||||
|
$NFT add set inet minifirewall minifirewall_blocked_v6_ips '{ type ipv6_addr ; flags interval ;}'
|
||||||
|
|
||||||
# Add TCP/UDP chains for protected, public, semi-public and private ports
|
# Add TCP/UDP chains for protected, public, semi-public and private ports
|
||||||
$NFT add chain inet minifirewall protected_tcp_ports
|
$NFT add chain inet minifirewall protected_tcp_ports
|
||||||
$NFT add chain inet minifirewall protected_udp_ports
|
$NFT add chain inet minifirewall protected_udp_ports
|
||||||
|
|
@ -136,6 +150,7 @@ $NFT add chain inet minifirewall private_udp_ports
|
||||||
################
|
################
|
||||||
## Input traffic
|
## Input traffic
|
||||||
################
|
################
|
||||||
|
|
||||||
# Related and established traffic is accepted
|
# Related and established traffic is accepted
|
||||||
$NFT add rule inet minifirewall minifirewall_input ct state related,established accept
|
$NFT add rule inet minifirewall minifirewall_input ct state related,established accept
|
||||||
|
|
||||||
|
|
@ -154,22 +169,31 @@ $NFT add rule inet minifirewall minifirewall_input ip protocol igmp accept
|
||||||
|
|
||||||
# New UDP traffic from blocked IPs jumps to the private_udp_ports chain
|
# New UDP traffic from blocked IPs jumps to the private_udp_ports chain
|
||||||
$NFT add rule inet minifirewall minifirewall_input 'ip saddr @minifirewall_blocked_v4_ips meta l4proto udp ct state new jump protected_udp_ports'
|
$NFT add rule inet minifirewall minifirewall_input 'ip saddr @minifirewall_blocked_v4_ips meta l4proto udp ct state new jump protected_udp_ports'
|
||||||
|
$NFT add rule inet minifirewall minifirewall_input 'ip6 saddr @minifirewall_blocked_v6_ips meta l4proto udp ct state new jump protected_udp_ports'
|
||||||
|
|
||||||
# New TCP traffic from blocked IPs jumps to the private_tcp_ports chain
|
# New TCP traffic from blocked IPs jumps to the private_tcp_ports chain
|
||||||
$NFT add rule inet minifirewall minifirewall_input 'ip saddr @minifirewall_blocked_v4_ips meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump protected_tcp_ports'
|
$NFT add rule inet minifirewall minifirewall_input 'ip saddr @minifirewall_blocked_v4_ips meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump protected_tcp_ports'
|
||||||
|
$NFT add rule inet minifirewall minifirewall_input 'ip6 saddr @minifirewall_blocked_v6_ips meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump protected_tcp_ports'
|
||||||
|
|
||||||
# New UDP traffic from trusted IPs jumps to the private_udp_ports chain
|
# New UDP traffic from trusted IPs jumps to the private_udp_ports chain
|
||||||
$NFT add rule inet minifirewall minifirewall_input 'ip saddr @minifirewall_trusted_v4_ips meta l4proto udp ct state new jump private_udp_ports'
|
$NFT add rule inet minifirewall minifirewall_input 'ip saddr @minifirewall_trusted_v4_ips meta l4proto udp ct state new jump private_udp_ports'
|
||||||
|
$NFT add rule inet minifirewall minifirewall_input 'ip6 saddr @minifirewall_trusted_v6_ips meta l4proto udp ct state new jump private_udp_ports'
|
||||||
|
|
||||||
# New TCP traffic from trusted IPs jumps to the private_tcp_ports chain
|
# New TCP traffic from trusted IPs jumps to the private_tcp_ports chain
|
||||||
$NFT add rule inet minifirewall minifirewall_input 'ip saddr @minifirewall_trusted_v4_ips meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump private_tcp_ports'
|
$NFT add rule inet minifirewall minifirewall_input 'ip saddr @minifirewall_trusted_v4_ips meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump private_tcp_ports'
|
||||||
|
$NFT add rule inet minifirewall minifirewall_input 'ip6 saddr @minifirewall_trusted_v6_ips meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump private_tcp_ports'
|
||||||
|
|
||||||
# New UDP traffic from trusted IPs and privileged IPs jumps to the semipublic_udp_ports chain
|
# New UDP traffic from trusted IPs and privileged IPs jumps to the semipublic_udp_ports chain
|
||||||
$NFT add rule inet minifirewall minifirewall_input 'ip saddr @minifirewall_privileged_v4_ips meta l4proto udp ct state new jump semipublic_udp_ports'
|
$NFT add rule inet minifirewall minifirewall_input 'ip saddr @minifirewall_privileged_v4_ips meta l4proto udp ct state new jump semipublic_udp_ports'
|
||||||
|
$NFT add rule inet minifirewall minifirewall_input 'ip6 saddr @minifirewall_privileged_v6_ips meta l4proto udp ct state new jump semipublic_udp_ports'
|
||||||
$NFT add rule inet minifirewall minifirewall_input 'ip saddr @minifirewall_trusted_v4_ips meta l4proto udp ct state new jump semipublic_udp_ports'
|
$NFT add rule inet minifirewall minifirewall_input 'ip saddr @minifirewall_trusted_v4_ips meta l4proto udp ct state new jump semipublic_udp_ports'
|
||||||
|
$NFT add rule inet minifirewall minifirewall_input 'ip6 saddr @minifirewall_trusted_v6_ips meta l4proto udp ct state new jump semipublic_udp_ports'
|
||||||
|
|
||||||
# New TCP traffic from trusted IPs and privileged IPs jumps to the semipublic_tcp_ports chain
|
# New TCP traffic from trusted IPs and privileged IPs jumps to the semipublic_tcp_ports chain
|
||||||
$NFT add rule inet minifirewall minifirewall_input 'ip saddr @minifirewall_privileged_v4_ips meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump semipublic_tcp_ports'
|
$NFT add rule inet minifirewall minifirewall_input 'ip saddr @minifirewall_privileged_v4_ips meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump semipublic_tcp_ports'
|
||||||
|
$NFT add rule inet minifirewall minifirewall_input 'ip6 saddr @minifirewall_privileged_v6_ips meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump semipublic_tcp_ports'
|
||||||
$NFT add rule inet minifirewall minifirewall_input 'ip saddr @minifirewall_trusted_v4_ips meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump semipublic_tcp_ports'
|
$NFT add rule inet minifirewall minifirewall_input 'ip saddr @minifirewall_trusted_v4_ips meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump semipublic_tcp_ports'
|
||||||
|
$NFT add rule inet minifirewall minifirewall_input 'ip6 saddr @minifirewall_trusted_v6_ips meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump semipublic_tcp_ports'
|
||||||
|
|
||||||
# New UDP traffic from any other IP jumps to the public_udp_ports chain
|
# New UDP traffic from any other IP jumps to the public_udp_ports chain
|
||||||
$NFT add rule inet minifirewall minifirewall_input 'meta l4proto udp ct state new jump public_udp_ports'
|
$NFT add rule inet minifirewall minifirewall_input 'meta l4proto udp ct state new jump public_udp_ports'
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue