1 files changed, 83 insertions, 70 deletions
diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml
index 63aabf94..c0165250 100644
--- a/inventory/host_vars/ch-router.yml
+++ b/inventory/host_vars/ch-router.yml
@@ -31,6 +31,8 @@ openwrt_packages_remove:
- odhcpd
- odhcpd-ipv6only
+ - nftables
+ - kmod-nft-nat
- sqm-scripts
- rng-tools
- htop
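Review bot: The hunk header names `openwrt_packages_remove:` as the enclosing key, yet the two added entries `nftables` and `kmod-nft-nat` are exactly what the new `/etc/init.d/nftables` script later in this diff relies on (its `start()` runs `nft -f /etc/nftables.conf`); if they really land under the remove list instead of `openwrt_packages_add`, the `nft` binary would be uninstalled and the init script would fail at boot, leaving the host without the `policy drop` ruleset it expects. The old side of this hunk shows five lines against the header's count of six, so a line — possibly the `openwrt_packages_add:` key itself — may have been dropped by the rendering; please confirm against the file which list these entries sit in. It would also be worth a one-line comment above the new entries, e.g. `# nftables replaces the iptables/kmod-ipt-* stack removed below`, so the pairing with the next hunk's deletions is explicit. The enclosing list starts and ends outside the hunk.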
@@ -42,8 +44,6 @@ openwrt_packages_add:
- iperf3
- mtr
- usbutils
- - kmod-ipt-nat
- - kmod-ipt-conntrack
- openvpn-openssl
- iptraf-ng
- prometheus-node-exporter-lua
@@ -124,88 +124,101 @@ openwrt_mixin:
file: "{{ global_files_dir }}/common/htoprc"
- /etc/rc.d/S22network-fw:
- link: "../init.d/network-fw"
+ /etc/rc.d/S21nftables:
+ link: "../init.d/nftables"
- /etc/rc.d/K91network-fw:
- link: "../init.d/network-fw"
+ /etc/rc.d/K89nftables:
+ link: "../init.d/nftables"
- /etc/init.d/network-fw:
+ /etc/init.d/nftables:
mode: "0755"
content: |
#!/bin/sh /etc/rc.common
- START=22
- STOP=91
+ START=21
+ STOP=89
start() {
- MAGENTA_IF=$(uci get network.magenta.device)
- MAGENTA_IPADDR=$(uci get network.magenta.ipaddr)
- MAGENTA_NETMASK=$(uci get network.magenta.netmask)
- MGMT_IF=$(uci get network.mgmt.device)
- MGMT_IPADDR=$(uci get network.mgmt.ipaddr)
- MGMT_NETMASK=$(uci get network.mgmt.netmask)
- SVC_IF=$(uci get "network.svc.device")
- SVC_IPADDR=$(uci get "network.svc.ipaddr")
- SVC_NETMASK=$(uci get "network.svc.netmask")
- SSH_PORT=$(uci get dropbear.@dropbear[0].Port)
- ## Local/Management Traffic
- #
- iptables -A INPUT -i lo -d -s -j ACCEPT
- ## VPN Traffic
- iptables -A FORWARD -i extern0 -s -o "$SVC_IF" -j ACCEPT
- iptables -A FORWARD -i "$SVC_IF" -o extern0 -d -j ACCEPT
+ nft -f /etc/nftables.conf
+ }
+ stop() {
+ nft flush ruleset
+ }
- ## WAN Traffic
- #
- iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p icmp -j ACCEPT
- iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport "$SSH_PORT" -j ACCEPT
- iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p udp --dport 1194 -j ACCEPT
- iptables -A INPUT -i "$MAGENTA_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ /etc/nftables.conf:
+ content: |
+ flush ruleset
+ define nic_magenta = eth1
+ define ip_magenta = {{ network_zones.magenta.prefix | ansible.utils.ipaddr(network_zones.magenta.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}
+ define nic_mgmt = eth2
+ define nic_internal = eth0
+ define nic_openvpn = extern0
+ define prefix_mgmt = {{ network_zones.mgmt.prefix }}
+ define prefix_openvpn =
+ define prefixes_internal = { {{ network_zones.svc.prefix }}, {{ network_zones.lan.prefix }} }
+ table inet global {
+ ## INPUT
+ chain input_mgmt {
+ ip saddr $prefix_mgmt accept
+ }
+ chain input_internal {
+ ip saddr != $prefixes_internal drop
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ tcp dport { {{ ansible_port }} } accept
+ }
+ chain input_magenta {
+ ip daddr != $ip_magenta drop
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ tcp dport { {{ ansible_port }} } accept
+ udp dport { openvpn } accept
+ }
+ chain input_openvpn {
+ ip saddr != $prefix_openvpn drop
+ ip protocol icmp accept
+ tcp dport { {{ ansible_port }} } accept
+ }
+ chain input {
+ type filter hook input priority filter; policy drop;
+ ct state vmap { established: accept, related: accept, invalid: drop }
+ iifname vmap { lo: accept, $nic_mgmt: jump input_mgmt, $nic_internal: jump input_internal, $nic_magenta: jump input_magenta, $nic_openvpn: jump input_openvpn }
+ }
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+ ct state vmap { established: accept, related: accept, invalid: drop }
+ iif $nic_internal ip saddr $prefixes_internal oif $nic_magenta accept
+ iif $nic_internal ip saddr $prefixes_internal oifname $nic_openvpn ip daddr $prefix_openvpn accept
+ iifname $nic_openvpn ip saddr $prefix_openvpn oif $nic_internal ip daddr $prefixes_internal accept
{% for name, svc in network_services.items() %}
- # {{ name }}
- {% for port in svc.ports %}
- iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport "{{ port }}" -j DNAT --to "{{ svc.addr }}"
- iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ svc.addr }}" -p tcp --dport "{{ port }}" -j ACCEPT
- {% endfor %}
+ iif $nic_magenta oif $nic_internal ip daddr {{ svc.addr }} tcp dport { {{ svc.ports | join(', ') }} } accept comment "Service: {{ name }}"
{% endfor %}
+ }
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ {% for name, svc in network_services.items() %}
+ iif $nic_magenta ip daddr $ip_magenta tcp dport { {{ svc.ports | join(', ') }} } dnat to {{ svc.addr }} comment "Service: {{ name }}"
+ {% endfor %}
+ }
- ## LAN Traffic
- #
- iptables -A INPUT -i "$SVC_IF" -d "$SVC_IPADDR" -s -p icmp -j ACCEPT
- iptables -A INPUT -i "$SVC_IF" -d "$SVC_IPADDR" -s -p tcp --dport "$SSH_PORT" -j ACCEPT
- iptables -A INPUT -i "$SVC_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- iptables -A FORWARD -i "$SVC_IF" -o "$MAGENTA_IF" -s -j ACCEPT
- iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- iptables -t nat -A POSTROUTING -o "$MAGENTA_IF" -s -j SNAT --to "$MAGENTA_IPADDR"
- ## Drop all other inbound traffic
- #
- iptables -P INPUT DROP
- iptables -P FORWARD DROP
- }
- stop() {
- iptables -P INPUT ACCEPT
- iptables -F INPUT
- iptables -P FORWARD ACCEPT
- iptables -F FORWARD
- iptables -t nat -F PREROUTING
- iptables -t nat -F POSTROUTING
+ chain postrouting {
+ type nat hook postrouting priority srcnat; policy accept;
+ ip saddr $prefixes_internal oif $nic_magenta snat to $ip_magenta
+ }