Nftables Mailserver: Unterschied zwischen den Versionen

Aus Tutorials
Zur Navigation springen Zur Suche springen
Zeile 2: Zeile 2:




== Stand 10.04.2020 ==
== Stand 17.04.2020 ==


<pre>
<pre>
Zeile 8: Zeile 8:


flush ruleset
flush ruleset
include "/etc/nftables/fail2ban.conf"


table inet filter {
table inet filter {
Zeile 27: Zeile 29:


     # icmp (ping)
     # icmp (ping)
     icmp type echo-request accept;
     iifname "wlan0" icmp type echo-request accept;
    iifname "tun0" icmp type echo-request accept;
    iifname "eth0" ip daddr { 212.186.198.11 } icmp type echo-request accept;


     # open sshd (22) for internal networks only
     # open sshd (22) for internal networks only
     tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"
     tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"
    #tcp dport { ssh } accept comment "accept SSH from all networks"


     # open tcp ports: http (80), https (443)
     # open tcp ports: http (80), https (443)
Zeile 47: Zeile 50:


     counter comment "count dropped packets"
     counter comment "count dropped packets"
    #log
   }
   }


Zeile 52: Zeile 56:
   chain forward {
   chain forward {
     type filter hook forward priority 0; policy drop;
     type filter hook forward priority 0; policy drop;
     counter comment "count dropped packets"
 
     ip saddr @internal_networks_ip4 accept;
    iifname "wlan0" oifname "tun0" ct state related,established accept;
    iifname "eth0" oifname "tun0" ct state related,established accept;
   }
   }


   chain output {
   chain output {
     type filter hook output priority 0; policy accept;
     type filter hook output priority 0; policy accept;
  }
}
# NAT
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
  }
  # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "wlan0" ip saddr 10.8.4.0/24 masquerade;
    oifname "eth0" ip saddr 10.8.4.0/24 masquerade;
   }
   }
}
}

Version vom 17. April 2020, 18:10 Uhr

Noch in Bearbeitung


Stand 17.04.2020

#!/usr/sbin/nft -f

flush ruleset

include "/etc/nftables/fail2ban.conf"

table inet filter {
  set internal_networks_ip4 {
    type ipv4_addr
    flags interval
    auto-merge
    elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.4.0/24 }
  }

  chain input {
    type filter hook input priority 0; policy drop;

    # established/related connections
    ct state established,related accept;

    # loopback interface
    iifname lo accept;

    # icmp (ping)
    iifname "wlan0" icmp type echo-request accept;
    iifname "tun0" icmp type echo-request accept;
    iifname "eth0" ip daddr { 212.186.198.11 } icmp type echo-request accept;

    # open sshd (22) for internal networks only
    tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"

    # open tcp ports: http (80), https (443)
    tcp dport { http, https } accept;

    # open udp ports: domain (53), openvpn (1194)
    udp dport { domain, openvpn } accept;

    # mail ports: pop3 (143), imap (110), submission (SMTP/587), smtp (25), doveadm (47111)
    tcp dport { pop3, imap2, submission, smtp, 47111 } accept;
    udp dport { imap2 } accept;

    # mysql (3306)
    meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";

    counter comment "count dropped packets"
    #log
  }


  chain forward {
    type filter hook forward priority 0; policy drop;

    ip saddr @internal_networks_ip4 accept;
    iifname "wlan0" oifname "tun0" ct state related,established accept;
    iifname "eth0" oifname "tun0" ct state related,established accept;
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}

# NAT
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
  }

  # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "wlan0" ip saddr 10.8.4.0/24 masquerade;
    oifname "eth0" ip saddr 10.8.4.0/24 masquerade;
  }
}


Zurück zu nftables