#! /sbin/nft -f
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
# Copyright © 2018-2019 Hugo Levy-Falk
table inet firewall {
set dns {
type ipv4_addr
flags interval
elements = { 193.48.225.204, 193.48.225.29 }
}
set www {
type ipv4_addr
flags interval
elements = { 193.48.225.241, 193.48.225.242, 193.48.225.34, 193.48.225.25, 193.48.225.36, 193.48.225.42, 193.48.225.60, 193.48.225.61, 193.48.225.62, 193.48.225.20, 193.48.225.101}
}
set irc {
type ipv4_addr
flags interval
elements = {}
}
set znc {
type ipv4_addr
flags interval
elements = { 193.48.225.242 }
}
set smtp {
type ipv4_addr
flags interval
elements = { 193.48.225.207, 193.48.225.37 }
}
set letsencrypt {
type ipv4_addr
flags interval
elements = {193.48.225.246, 193.48.225.248, 193.48.225.249, 193.48.225.20}
}
set federez {
type ipv4_addr
flags interval
elements = {193.48.225.201}
}
set gitlab {
type ipv4_addr
flags interval
elements = { 193.48.225.243 }
}
set video {
type ipv4_addr
flags interval
elements = { }
}
set ldap {
type ipv4_addr
flags interval
elements = { 193.48.225.246}
}
set ldap_clients {
type ipv4_addr
flags interval
elements = { 10.7.0.0/24, 10.69.0.0/20, 185.230.78.37, 51.15.178.125, 193.48.225.0/24, 193.54.193.103 }
}
set mysql {
type ipv4_addr
flags interval
elements = {}
}
set minecraft {
type ipv4_addr
flags interval
elements = {}
}
set latoilescoute {
type ipv4_addr
flags interval
elements = {}
}
set wireguard {
type ipv4_addr
flags interval
elements = { 193.48.225.209 }
}
set radius {
type ipv4_addr
flags interval
elements = { 193.48.225.20 }
}
set dns_recursif {
type ipv4_addr
flags interval
elements = { 193.48.225.30 }
}
chain to_dmz {
ip saddr 10.70.0.0/16 accept
ip daddr @smtp tcp dport { 22, 25, 80, 443, 143, 993, 587} accept
ip daddr @dns tcp dport { 22, 53 } accept
ip daddr @dns udp dport { 53 } accept
ip daddr @www tcp dport { 21, 22, 80, 443, 3000 } accept
ip daddr @federez tcp dport { 22, 53, 80, 443, 389 } accept
ip daddr @federez udp dport { 53, 636 } accept
ip daddr @znc tcp dport { 6667 } accept
ip daddr @letsencrypt tcp dport { 80, 443 } accept
ip daddr @irc tcp dport { 22, 6667, 6697, 6767, 7000, 9090 } accept
ip daddr @video tcp dport { 37700, 6754 } accept
ip daddr @video udp dport { 37800 } accept
ip daddr @video tcp dport { 5678 } accept
ip daddr @wireguard udp dport { 51820 } accept
ip saddr $monitoring udp dport { 161 } accept
ip daddr @minecraft tcp dport { 22, 25565 } accept
ip daddr @minecraft udp dport { 22, 25565 } accept
ip daddr @latoilescoute udp dport { 22, 161, 16384-32768 } accept
ip daddr @latoilescoute tcp dport { 22 } accept
ip saddr @ldap_clients ip daddr @ldap tcp dport { 389, 636 } accept
ip saddr @ldap_clients ip daddr @ldap udp dport { 636 } accept
ip daddr @radius udp dport { 1812, 1814 } accept
ip daddr @dns_recursif udp dport { 53, 853, 443 } accept
ip daddr @dns_recursif tcp dport { 53, 853, 443 } accept
drop
}
chain from_dmz {
ip daddr 10.0.0.0/8 accept
ip daddr @mysql ip saddr != @www tcp dport 3306 drop
ip daddr @mysql ip saddr != @smtp tcp dport 3306 drop
}
}