From e011a72744b2b2a40ba58fd6447c5d63d1203298 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 9 Oct 2022 01:54:45 +0200
Subject: ch-router: switch to nftables
---
 inventory/host_vars/ch-router.yml | 153 +++++++++++++++++++++-----------------
 1 file changed, 83 insertions(+), 70 deletions(-)
(limited to 'inventory/host_vars/ch-router.yml')
diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml
index 63aabf94..c0165250 100644
--- a/inventory/host_vars/ch-router.yml
+++ b/inventory/host_vars/ch-router.yml
@@ -31,6 +31,8 @@ openwrt_packages_remove:
 - odhcpd
 - odhcpd-ipv6only
 openwrt_packages_add:
+ - nftables
+ - kmod-nft-nat
 - sqm-scripts
 - rng-tools
 - htop
@@ -42,8 +44,6 @@ openwrt_packages_add:
 - iperf3
 - mtr
 - usbutils
- - kmod-ipt-nat
- - kmod-ipt-conntrack
 - openvpn-openssl
 - iptraf-ng
 - prometheus-node-exporter-lua
@@ -124,88 +124,101 @@ openwrt_mixin: /etc/htoprc: file: "{{ global_files_dir }}/common/htoprc" - /etc/rc.d/S22network-fw: - link: "../init.d/network-fw" + /etc/rc.d/S21nftables: + link: "../init.d/nftables" - /etc/rc.d/K91network-fw: - link: "../init.d/network-fw" + /etc/rc.d/K89nftables: + link: "../init.d/nftables" - /etc/init.d/network-fw: + /etc/init.d/nftables: mode: "0755" content: | #!/bin/sh /etc/rc.common - START=22 - STOP=91 + START=21 + STOP=89 start() { - MAGENTA_IF=$(uci get network.magenta.device) - MAGENTA_IPADDR=$(uci get network.magenta.ipaddr) - MAGENTA_NETMASK=$(uci get network.magenta.netmask) - - MGMT_IF=$(uci get network.mgmt.device) - MGMT_IPADDR=$(uci get network.mgmt.ipaddr) - MGMT_NETMASK=$(uci get network.mgmt.netmask) - - SVC_IF=$(uci get "network.svc.device") - SVC_IPADDR=$(uci get "network.svc.ipaddr") - SVC_NETMASK=$(uci get "network.svc.netmask") - - SSH_PORT=$(uci get dropbear.@dropbear[0].Port) - - - ## Local/Management Traffic - # - iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT - iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT - - - ## VPN Traffic - iptables -A FORWARD -i extern0 -s 192.168.8.0/24 -o "$SVC_IF" -j ACCEPT - iptables -A FORWARD -i "$SVC_IF" -o extern0 -d 192.168.8.0/24 -j ACCEPT + nft -f /etc/nftables.conf + } + stop() { + nft flush ruleset + } - ## WAN Traffic - # - iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p icmp -j ACCEPT - iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport "$SSH_PORT" -j ACCEPT - iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p udp --dport 1194 -j ACCEPT - iptables -A INPUT -i "$MAGENTA_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + /etc/nftables.conf: + content: | + flush ruleset + + define nic_magenta = eth1 + define ip_magenta = {{ network_zones.magenta.prefix | ansible.utils.ipaddr(network_zones.magenta.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }} + + 
define nic_mgmt = eth2 + define nic_internal = eth0 + define nic_openvpn = extern0 + + define prefix_mgmt = {{ network_zones.mgmt.prefix }} + define prefix_openvpn = 192.168.8.0/24 + define prefixes_internal = { {{ network_zones.svc.prefix }}, {{ network_zones.lan.prefix }} } + + + table inet global { + ## INPUT + chain input_mgmt { + ip saddr $prefix_mgmt accept + } + + chain input_internal { + ip saddr != $prefixes_internal drop + ip protocol icmp accept + ip6 nexthdr ipv6-icmp accept + tcp dport { {{ ansible_port }} } accept + } + + chain input_magenta { + ip daddr != $ip_magenta drop + ip protocol icmp accept + ip6 nexthdr ipv6-icmp accept + tcp dport { {{ ansible_port }} } accept + udp dport { openvpn } accept + } + + chain input_openvpn { + ip saddr != $prefix_openvpn drop + ip protocol icmp accept + tcp dport { {{ ansible_port }} } accept + } + + chain input { + type filter hook input priority filter; policy drop; + ct state vmap { established: accept, related: accept, invalid: drop } + iifname vmap { lo: accept, $nic_mgmt: jump input_mgmt, $nic_internal: jump input_internal, $nic_magenta: jump input_magenta, $nic_openvpn: jump input_openvpn } + } + + + ## FORWARD + chain forward { + type filter hook forward priority filter; policy drop; + ct state vmap { established: accept, related: accept, invalid: drop } + iif $nic_internal ip saddr $prefixes_internal oif $nic_magenta accept + iif $nic_internal ip saddr $prefixes_internal oifname $nic_openvpn ip daddr $prefix_openvpn accept + iifname $nic_openvpn ip saddr $prefix_openvpn oif $nic_internal ip daddr $prefixes_internal accept {% for name, svc in network_services.items() %} - - # {{ name }} - {% for port in svc.ports %} - iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport "{{ port }}" -j DNAT --to "{{ svc.addr }}" - iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ svc.addr }}" -p tcp --dport "{{ port }}" -j ACCEPT - {% endfor %} + iif $nic_magenta oif $nic_internal ip 
daddr {{ svc.addr }} tcp dport { {{ svc.ports | join(', ') }} } accept comment "Service: {{ name }}" {% endfor %} + } + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + {% for name, svc in network_services.items() %} + iif $nic_magenta ip daddr $ip_magenta tcp dport { {{ svc.ports | join(', ') }} } dnat to {{ svc.addr }} comment "Service: {{ name }}" + {% endfor %} + } - ## LAN Traffic - # - iptables -A INPUT -i "$SVC_IF" -d "$SVC_IPADDR" -s 192.168.0.0/16 -p icmp -j ACCEPT - iptables -A INPUT -i "$SVC_IF" -d "$SVC_IPADDR" -s 192.168.0.0/16 -p tcp --dport "$SSH_PORT" -j ACCEPT - iptables -A INPUT -i "$SVC_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - iptables -A FORWARD -i "$SVC_IF" -o "$MAGENTA_IF" -s 192.168.0.0/16 -j ACCEPT - iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - iptables -t nat -A POSTROUTING -o "$MAGENTA_IF" -s 192.168.0.0/16 -j SNAT --to "$MAGENTA_IPADDR" - - - ## Drop all other inbound traffic - # - iptables -P INPUT DROP - iptables -P FORWARD DROP - } - - stop() { - iptables -P INPUT ACCEPT - iptables -F INPUT - iptables -P FORWARD ACCEPT - iptables -F FORWARD - iptables -t nat -F PREROUTING - iptables -t nat -F POSTROUTING + chain postrouting { + type nat hook postrouting priority srcnat; policy accept; + ip saddr $prefixes_internal oif $nic_magenta snat to $ip_magenta + } } -- cgit v1.2.3
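Review bot: The `ip daddr != $ip_magenta drop` guard in `input_magenta` (and the `ip saddr != …` guards in `input_internal` and `input_openvpn`) matches IPv4 only, so in this `inet` table the following `tcp dport { {{ ansible_port }} } accept` and `udp dport { openvpn } accept` rules also admit IPv6 traffic from any source on those interfaces; the removed iptables script did not filter IPv6 at all, so the new policy is stricter overall, but the per-interface address restrictions do not carry over to v6 if the WAN side carries it. Qualifying the accepts with the address match, `ip daddr $ip_magenta tcp dport { {{ ansible_port }} } accept` and `ip daddr $ip_magenta udp dport { openvpn } accept` (and `ip saddr $prefixes_internal` / `ip saddr $prefix_openvpn` in the other two chains), keeps the intended scope without touching the ICMPv6 accepts. `udp dport { openvpn }` also replaces the literal 1194 with a service-name lookup at load time; if that name were missing from the host's services database the whole `nft -f /etc/nftables.conf` transaction would abort and the host would come up without the drop policy, so `udp dport 1194` is the safer spelling. Finally, `define nic_magenta = eth1`, `nic_mgmt = eth2` and `nic_internal = eth0` hard-code what the removed script read from `uci get network.*.device`; a comment such as `# interface names must track the device entries in /etc/config/network` above the defines would help the next maintainer.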