roles/common: Add initial support for nftables on Debian 11

I will try using nftables directly instead of via firewalld as of Debian 11 as it is the replacement for the iptables/ipset stack in recent years and is easier to work with. This also includes a systemd service, timer, and script to update the spamhaus DROP lists as nftables sets. Still need to add fail2ban support.
2021-07-26 13:09:41 +03:00
parent 38c333045b
commit 9bba0d96bb
9 changed files with 364 additions and 14 deletions
--- a/roles/common/templates/nftables.conf.j2
+++ b/roles/common/templates/nftables.conf.j2
@ -0,0 +1,65 @@
+#!/usr/sbin/nft -f
+#
+# Initially based on: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server
+#
+
+flush ruleset
+
+# Lists updated daily by update-spamhaus-nftables.sh
+include "/etc/nftables/spamhaus-ipv4.nft"
+include "/etc/nftables/spamhaus-ipv6.nft"
+
+# Notes:
+#   - tables hold chains, chains hold rules
+#   - inet is for both ipv4 and ipv6
+table inet filter {
+	set spamhaus-ipv4 {
+		type ipv4_addr
+        # if the set contains prefixes we need to use the interval flag
+        flags interval
+		elements = $SPAMHAUS_IPV4
+	}
+
+	set spamhaus-ipv6 {
+		type ipv6_addr
+        flags interval
+		elements = $SPAMHAUS_IPV6
+	}
+
+	chain input {
+        type filter hook input priority 0;
+
+        # Allow traffic from established and related packets.
+        ct state {established, related} accept
+
+        # Drop invalid packets.
+        ct state invalid counter drop
+
+        # Drop packets matching the spamhaus sets early.
+        ip saddr @spamhaus-ipv4 counter drop
+        ip6 saddr @spamhaus-ipv6 counter drop
+
+        # Allow loopback traffic.
+        iifname lo accept
+
+        # Allow all ICMP and IGMP traffic, but enforce a rate limit
+        # to help prevent some types of flood attacks.
+        ip protocol icmp limit rate 4/second accept
+        ip6 nexthdr ipv6-icmp limit rate 4/second accept
+        ip protocol igmp limit rate 4/second accept
+
+        ip saddr 172.20.0.1 ct state new tcp dport 22 counter accept
+
+        # everything else
+        reject with icmpx type port-unreachable
+	}
+	chain forward {
+		type filter hook forward priority 0;
+	}
+	chain output {
+		type filter hook output priority 0;
+        # Drop outgoing packets matching the spamhaus sets too
+        ip daddr @spamhaus-ipv4 counter drop
+        ip6 daddr @spamhaus-ipv6 counter drop
+	}
+}