wolfhechel · March 14, 2015 13:23
diff --git a/rules.v4 b/rules.v4
 # http://kangran.su/~nnz/pub/nf-doc/nftables/nft.html
 # http://wiki.nftables.org/wiki-nftables/index.php/Main_Page

 define external = eth0
 define internal = eth1

 define dhcp_range = 192.168.1

 # Clean out the current ruleset
 flush ruleset

 table firewall {

 	set blacklist {
 		type ipv4_addr
 	}

 	set tcp_open_ports {
 		type inet_service

 		elements = {
 			ssh
 		}
 	}

 	set udp_open_ports {
 		type inet_service
 	}

 	chain incoming {
 		type filter hook input priority 0

 		# established/related connections
    	ct state established,related accept

    	# invalid connections
    	ct state invalid drop

    	# bad tcp -> avoid network scanning:
        tcp flags & (fin|syn) == (fin|syn)						drop
        tcp flags & (syn|rst) == (syn|rst)						drop
        tcp flags & (fin|syn|rst|psh|ack|urg) < (fin)			drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)	drop

        # no ping floods:
        ip protocol icmp limit rate 10/second accept
        ip protocol icmp drop

 		# drop connections from blacklisted addresses
 		ip saddr @blacklist drop

 		# accept input from loopback and internal interfaces
 		iif { lo, $internal } accept

 		# avoid brute force on ssh:
        tcp dport ssh limit rate 15/minute accept

        # allow open tcp ports
        tcp dport @tcp_open_ports accept

        # allow open udp ports
        udp dport @udp_open_ports accept

 		reject
 	}

 	chain forwarding {
 		type filter hook forward priority 0

 		iif $external oif $internal ct state established,related accept
 		iif $internal oif $external accept
 	}

 	chain outgoing {
 		type filter hook output priority 0
 	}
 }

 table nat {
 	map tcp_forwarding {
 		type inet_service : ipv4_addr
 	}

 	map udp_forwarding {
 		type inet_service : ipv4_addr
 	}

 	chain prerouting {
 		type nat hook prerouting priority 0
 	}

 	chain postrouting {
 		type nat hook postrouting priority 0

 		oif $external masquerade
 	}
 }
diff --git a/Vagrantfile b/Vagrantfile
 # -*- mode: ruby -*-
 # vi: set ft=ruby :

 # Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
 VAGRANTFILE_API_VERSION = '2'

 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  # All Vagrant configuration is done here. The most common configuration
  # options are documented and commented below. For a complete reference,
  # please see the online documentation at vagrantup.com.

  # Every Vagrant virtual environment requires a box to build off of.
  config.vm.box = 'archlinux64'

  config.vm.define 'client' do |client|
    client.vm.network :private_network, ip: '192.168.33.100', auto_config: false
  end

  config.vm.define "router", primary: true do |router|
    router.vm.network :private_network, ip: '192.168.33.1', auto_config: false
  end
 end
	# http://kangran.su/~nnz/pub/nf-doc/nftables/nft.html
	# http://wiki.nftables.org/wiki-nftables/index.php/Main_Page

	define external = eth0
	define internal = eth1

	define dhcp_range = 192.168.1

	# Clean out the current ruleset
	flush ruleset

	table firewall {

	set blacklist {
	type ipv4_addr
	}

	set tcp_open_ports {
	type inet_service

	elements = {
	ssh
	}
	}

	set udp_open_ports {
	type inet_service
	}

	chain incoming {
	type filter hook input priority 0

	# established/related connections
	ct state established,related accept

	# invalid connections
	ct state invalid drop

	# bad tcp -> avoid network scanning:
	tcp flags & (fin\|syn) == (fin\|syn) drop
	tcp flags & (syn\|rst) == (syn\|rst) drop
	tcp flags & (fin\|syn\|rst\|psh\|ack\|urg) < (fin) drop
	tcp flags & (fin\|syn\|rst\|psh\|ack\|urg) == (fin\|psh\|urg) drop

	# no ping floods:
	ip protocol icmp limit rate 10/second accept
	ip protocol icmp drop

	# drop connections from blacklisted addresses
	ip saddr @blacklist drop

	# accept input from loopback and internal interfaces
	iif { lo, $internal } accept

	# avoid brute force on ssh:
	tcp dport ssh limit rate 15/minute accept

	# allow open tcp ports
	tcp dport @tcp_open_ports accept

	# allow open udp ports
	udp dport @udp_open_ports accept

	reject
	}

	chain forwarding {
	type filter hook forward priority 0

	iif $external oif $internal ct state established,related accept
	iif $internal oif $external accept
	}

	chain outgoing {
	type filter hook output priority 0
	}
	}

	table nat {
	map tcp_forwarding {
	type inet_service : ipv4_addr
	}

	map udp_forwarding {
	type inet_service : ipv4_addr
	}

	chain prerouting {
	type nat hook prerouting priority 0
	}

	chain postrouting {
	type nat hook postrouting priority 0

	oif $external masquerade
	}
	}
	# -- mode: ruby --
	# vi: set ft=ruby :

	# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
	VAGRANTFILE_API_VERSION = '2'

	Vagrant.configure(VAGRANTFILE_API_VERSION) do \|config\|
	# All Vagrant configuration is done here. The most common configuration
	# options are documented and commented below. For a complete reference,
	# please see the online documentation at vagrantup.com.

	# Every Vagrant virtual environment requires a box to build off of.
	config.vm.box = 'archlinux64'

	config.vm.define 'client' do \|client\|
	client.vm.network :private_network, ip: '192.168.33.100', auto_config: false
	end

	config.vm.define "router", primary: true do \|router\|
	router.vm.network :private_network, ip: '192.168.33.1', auto_config: false
	end
	end