#!/sbin/nft -f
#
# Definitions shared by every table below.  Values written as XX:XX:…, 10.a.…
# are placeholders as published; the ruleset is loaded with `nft -f`, which
# starts by flushing whatever is currently installed (last line of this block).

# ICMP types the host answers / accepts (used by the ip filter input and output chains).
define icmp_types = { destination-unreachable, time-exceeded, parameter-problem, echo-request, echo-reply }

# --- This host and its links -------------------------------------------------
define host = 192.168.120.1            # the host's own address on the bridge
define br = br0                        # bridge towards the virtual machines
define my_br_mac = XX:XX:XX:XX:XX:XX   # placeholder: MAC of $br
define eth = enp0s25                   # wired link (masqueraded uplink)
define my_eth_mac = YY:YY:YY:YY:YY:YY  # placeholder: MAC of $eth
define wifi = wlp3s0                   # Wi-Fi link (masqueraded uplink; bridge-filtered)
define my_wifi_mac = WW:WW:WW:WW:WW:WW # placeholder: MAC of $wifi
define my_phone = TT:TT:TT:TT:TT:TT    # placeholder: MAC of the only device allowed on $wifi

# --- Virtual-machine network behind $br -------------------------------------
define virtual_machines = 192.168.120.0/24
define privileged_vm = { 192.168.120.22, 192.168.120.129 }   # may be forwarded / masqueraded
define dhcp_client = 192.168.120.224/27                      # DHCP pool; also forwarded / masqueraded
define vm_ssh = 192.168.120.70                               # DNAT target for inbound SSH

# --- Local services and their ports -----------------------------------------
define transmission_port = 51413                      # BitTorrent, TCP and UDP, untracked
define no_track = { microsoft-ds, ms-wbt-server }    # SMB / RDP replies handled without conntrack
define squid_normal = 3128                            # squid, explicit proxy port
define squid_transp = 3129                            # squid, tproxy target for HTTP
define squid_trassl = 3130                            # squid, tproxy target for HTTPS

# --- Corporate network (addresses partly redacted) --------------------------
define infowatch_pc = { 10.a.0.0/16, 10.h.0.0/16 }   # sources allowed to reach the SSH VM
define infowatch_my = 10.a.b.c                       # this host's corporate address
define sslvpn.infowatch.com = 46.148.194.86
define files.infowatch.ru = 178.16.25.15
define iwprint.infowatch.ru = 10.d.e.f

# --- Sites serving HTTPS on a port other than 443 (see set nonstandard_https)
define s163.getcourses.ru = 95.213.153.163
define tls-v1-2.badssl.com = 104.154.89.105

flush ruleset
table ip raw {
	# Runs before conntrack (priority -300) and exempts a few flows from
	# connection tracking.  Each of them has a matching stateless accept rule
	# in the ip filter input chain; notrack is not a verdict, so rule order
	# here is irrelevant.
	chain prerouting {
		type filter hook prerouting priority -300;

		# HTTPS replies from the two corporate hosts.
		ip saddr { $sslvpn.infowatch.com, $files.infowatch.ru } tcp sport https notrack
		# SMB / RDP server replies, except those coming from the print server.
		tcp sport $no_track ip saddr != $iwprint.infowatch.ru notrack
		# BitTorrent (transmission) listening port, TCP and UDP.
		meta l4proto { tcp, udp } th dport $transmission_port notrack
	}
}
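table ip filter {
	# Host-bound traffic.  Default drop; the stateless accepts near the top
	# mirror the notrack rules of table ip raw.
	chain input {
		type filter hook input priority 0; policy drop;

		# Loopback is unrestricted.
		iif lo accept
		# Only the listed ICMP types are accepted.
		icmp type $icmp_types accept
		# Packets conntrack cannot classify are counted and dropped.
		ct state invalid counter drop
		# TCP SYNs announcing an MSS below 999 are counted and dropped
		# (the original rationale mentioned SACK; the rest of its text was lost).
		tcp flags syn tcp option maxseg size < 999 counter drop
		# transmission's listening port on the wired link: untracked by table
		# ip raw, so it must be accepted statelessly here.
		iif $eth meta l4proto { tcp, udp } th dport $transmission_port accept
		# Any other untracked pure SYN (a connection attempt that escaped
		# conntrack) is logged to nflog group 2, counted and dropped.
		# Fixed: the rule previously carried two `counter` statements.
		tcp flags & (syn | ack) == syn ct state untracked log prefix "Untracked:" group 2 counter drop
		# SMB / RDP server replies (untracked by table ip raw).
		# NOTE(review): this matches on source port only, on any interface and
		# from any source.  The untracked-SYN drop above stops new connections,
		# but other segments from any peer using source port 445/3389 reach
		# local listeners; consider adding an `iif` / `ip saddr` qualifier.
		tcp sport $no_track accept
		# HTTPS replies from the two corporate hosts (untracked by table ip raw).
		ip saddr { $sslvpn.infowatch.com, $files.infowatch.ru } tcp sport https accept
		# Everything from the VM subnet on the bridge is marked 3128 and
		# accepted; this includes connections the divert chain tproxy'd to
		# squid, whose destination is not $host.
		# NOTE(review): the rule has no daddr/port qualifier, so the next rule
		# is shadowed for VM sources.  Narrowing this one (e.g. `ip daddr != $host`)
		# would make the host-service list below effective — confirm intent.
		iif $br ip saddr $virtual_machines mark set 3128 counter accept
		# Services the host offers to the VMs: DNS, HTTP, SMB, NFS and squid's
		# explicit proxy port.
		iif $br ip daddr $host ip saddr $virtual_machines tcp dport { domain, http, microsoft-ds, nfs, $squid_normal } accept
		# Packets of already accepted connections and related ICMP.
		ct state { established, related } accept
		# DNS, DHCP, TFTP and PXE (4011) over UDP from the bridge.
		iif $br udp dport { domain, bootps, tftp, 4011 } counter accept
		# Count what falls through to the drop policy (comment text was lost).
		counter comment " "
	}

	# Locally generated traffic.  Deliberately written without a ct state
	# rule: every legitimate reply is enumerated by source port instead.
	chain output {
		type filter hook output priority 100; policy drop;

		oif lo accept
		icmp type $icmp_types counter accept
		# DHCP client on the uplinks (bootpc -> bootps).
		oif { $eth, $wifi } udp dport . udp sport { bootps . bootpc } counter accept
		# DHCP server on the bridge: replies to the pool or to broadcast.
		oif $br ip saddr $host ip daddr { $dhcp_client, 255.255.255.255 } udp sport . udp dport { bootps . bootpc } counter accept
		# Replies of the host's DNS/TFTP (UDP) and DNS/HTTP/SMB (TCP) services to the VMs
		# (counterparts of the input-chain service rules).
		oif $br ip saddr $host ip daddr $virtual_machines udp sport { domain, tftp } counter accept
		oif $br ip saddr $host ip daddr $virtual_machines tcp sport { domain, http, microsoft-ds } accept
		# Replies towards the VMs from source ports 80/443/1012 with a source
		# address other than $host — presumably squid answering as the
		# transparent proxy on behalf of the tproxy'd server (1012 is the one
		# entry of @nonstandard_https below 1025; 33443 is covered by the next
		# rule).  Confirm against the squid setup.
		oif $br ip daddr $virtual_machines tcp sport { http, https, 1012 } counter accept
		# Anything the host sends from an unprivileged source port (>= 1025):
		# client connections and all high-port services.
		meta l4proto { tcp, udp } th sport >= 1025 accept
		# Count what falls through to the drop policy (comment text was lost).
		counter comment " "
	}

	# Routed traffic between the bridge and the uplinks.
	chain forward {
		type filter hook forward priority 0; policy drop;

		# Clamp the TCP MSS to the route MTU; no verdict, evaluation continues.
		tcp flags syn tcp option maxseg size set rt mtu counter
		# VMs may only use the host's resolver: DNS to anywhere else is dropped.
		iif $br ip daddr != $host meta l4proto { tcp, udp } th dport domain drop
		# Only the privileged VMs and the DHCP pool are forwarded.  Their
		# HTTP/HTTPS should never get here: the divert chain tproxies it to
		# squid before routing.  The nat table masquerades the rest.
		# NOTE(review): neither rule consults ct state, so forwarding towards
		# these VMs is stateless; fine only while every path to them is NATed — confirm.
		iif $br ip saddr { $privileged_vm, $dhcp_client } accept
		oif $br ip daddr { $privileged_vm, $dhcp_client } accept
		# Count what falls through to the drop policy (comment text was lost).
		counter comment " "
	}

	# Hosts that serve HTTPS on a port other than 443; the divert chain
	# tproxies them to squid's HTTPS port like ordinary 443.  Elements: address . port.
	set nonstandard_https {
		type ipv4_addr . inet_service;
		elements = {
			$s163.getcourses.ru . 33443, # artlinerschool.ru
			$tls-v1-2.badssl.com . 1012, # badssl.com
		}
	}

	# Transparent proxying, before routing and after conntrack (priority -150).
	chain divert {
		type filter hook prerouting priority -150; policy accept;

		# Packets belonging to an existing transparent socket (squid's) are
		# marked 3128 and accepted directly.
		meta l4proto tcp socket transparent 1 mark set 3128 accept
		# New HTTP / HTTPS connections not addressed to this host are handed to
		# squid's transparent ports via tproxy and marked 3128.
		# NOTE(review): mark 3128 presumably selects the policy-routing rule
		# that delivers tproxy'd packets locally; confirm against `ip rule`.
		ip daddr != { 127.0.0.1, $host } tcp dport http tproxy to 127.0.0.1:$squid_transp mark set 3128 counter accept
		ip daddr != { 127.0.0.1, $host } tcp dport https tproxy to 127.0.0.1:$squid_trassl mark set 3128 counter accept
		# Same treatment for the nonstandard HTTPS address/port pairs.
		ip daddr . tcp dport @nonstandard_https tproxy to 127.0.0.1:$squid_trassl mark set 3128 counter accept
	}
}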
table ip nat {
	chain prerouting {
		type nat hook prerouting priority 0; policy accept;

		# Inbound SSH for the host's corporate address, arriving on the wired
		# link from the corporate networks, is forwarded to the SSH VM.
		iif $eth ip daddr $infowatch_my ip saddr $infowatch_pc tcp dport ssh counter dnat to $vm_ssh
	}

	chain postrouting {
		type nat hook postrouting priority 100; policy accept;

		# Upstream connections that squid (socket owned by uid/gid squid) opens
		# still carry the VM's source address; masquerade them on the uplinks.
		oif { $eth, $wifi } ip saddr $virtual_machines skuid . skgid { squid . squid } counter masquerade
		# TCP the forward chain let through from the privileged VMs and the
		# DHCP pool, logged to nflog group 2.  80/443 is excluded because it is
		# tproxy'd to squid rather than forwarded.
		# NOTE(review): only TCP is masqueraded; UDP/ICMP forwarded for these
		# sources leaves with the private source address.  This may be the
		# intended way of keeping non-TCP (e.g. QUIC) from bypassing squid — confirm.
		oif { $eth, $wifi } ip saddr { $privileged_vm, $dhcp_client } tcp dport != { http, https } log prefix "NAT:" group 2 counter masquerade
	}
}
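table bridge filter {
	# Author's note №5 (text lost): only $my_phone may use the Wi-Fi link.
	chain input {
		type filter hook input priority -200; policy accept;

		# Frames entering from $wifi must carry the phone's MAC as source.
		iif $wifi ether saddr != $my_phone counter drop
	}

	# Author's note №4 (text lost): only ARP and IPv4 unicast are bridged to Wi-Fi.
	chain forward {
		type filter hook forward priority -200; policy accept;

		oif $wifi ether type arp accept
		# IPv4 ICMP/TCP/UDP, except the subnet broadcast, may be bridged to Wi-Fi.
		oif $wifi ip protocol { icmp, tcp, udp } ip daddr != 192.168.120.255 accept
		oif $wifi drop
	}

	# Author's note №5 (text lost): only $my_phone may use the Wi-Fi link.
	chain output {
		# Fixed: this chain was registered on the input hook, where no output
		# interface exists, so the `oif` rule below could never match and
		# locally generated frames towards $wifi were not restricted at all.
		type filter hook output priority 200; policy accept;

		# Locally generated frames leaving via $wifi must be addressed to the phone.
		# NOTE(review): this also drops broadcast frames (e.g. the host's own
		# ARP requests) towards $wifi — confirm that is intended.
		oif $wifi ether daddr != $my_phone counter drop
	}
}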
# №2: , IPv4
table netdev filter {
	# Ingress on the wired link: ARP plus IPv4 (ICMP/TCP/UDP/GRE) addressed to
	# this NIC's MAC.  Everything else — including IPv6 and IPv4 broadcast —
	# is dropped before it reaches the IP stack.
	# NOTE(review): the ip filter output chain allows a DHCP client on this
	# link, yet a broadcast DHCP offer (ether daddr ff:ff:ff:ff:ff:ff) would be
	# dropped here; confirm the upstream server replies unicast.
	chain enp0s25 {
		type filter hook ingress device enp0s25 priority 0; policy drop;

		ether type arp accept
		ip protocol { icmp, tcp, udp, gre } ether daddr $my_eth_mac accept
	}

	# Ingress on the Wi-Fi link: ARP and EAPOL (0x888e, 802.1X) unconditionally,
	# then IPv4 ICMP/TCP/UDP/GRE to the bridge MAC, the Wi-Fi MAC or broadcast.
	chain wlp3s0 {
		type filter hook ingress device wlp3s0 priority 0; policy drop;

		ether type arp accept
		ether type 0x888e accept
		ip protocol { icmp, tcp, udp, gre } ether daddr { $my_br_mac, $my_wifi_mac, ff:ff:ff:ff:ff:ff } accept
	}
}