#! /sbin/nft -f # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # Copyright © 2018-2019 Hugo Levy-Falk table inet firewall { set dns { type ipv4_addr flags interval elements = { 193.48.225.204, 193.48.225.29 } } set www { type ipv4_addr flags interval elements = { 193.48.225.241, 193.48.225.242, 193.48.225.34, 193.48.225.25, 193.48.225.36, 193.48.225.42, 193.48.225.60, 193.48.225.61, 193.48.225.62, 193.48.225.20, 193.48.225.101} } set irc { type ipv4_addr flags interval elements = {} } set znc { type ipv4_addr flags interval elements = { 193.48.225.242 } } set smtp { type ipv4_addr flags interval elements = { 193.48.225.207, 193.48.225.37 } } set letsencrypt { type ipv4_addr flags interval elements = {193.48.225.246, 193.48.225.248, 193.48.225.249, 193.48.225.20} } set federez { type ipv4_addr flags interval elements = {193.48.225.201} } set gitlab { type ipv4_addr flags interval elements = { 193.48.225.243 } } set video { type ipv4_addr flags interval elements = { } } set ldap { type ipv4_addr flags interval elements = { 193.48.225.246} } set ldap_clients { type ipv4_addr flags interval elements = { 10.7.0.0/24, 10.69.0.0/20, 185.230.78.37, 51.15.178.125, 193.48.225.0/24, 193.54.193.103 } } set mysql { type ipv4_addr flags interval elements = {} } set minecraft { type ipv4_addr flags interval elements = {} } set latoilescoute { type ipv4_addr flags interval elements = {} } set wireguard { type ipv4_addr flags interval elements = { 193.48.225.209 } } set radius { type ipv4_addr flags interval elements = { 193.48.225.20 } } set dns_recursif { type ipv4_addr flags interval elements = { 193.48.225.30 } } chain to_dmz { ip saddr 10.70.0.0/16 accept ip daddr @smtp tcp dport { 22, 25, 80, 443, 143, 993, 587} accept ip daddr @dns tcp dport { 22, 53 } accept ip daddr @dns udp dport { 53 } accept ip daddr @www tcp dport { 21, 22, 80, 443, 3000 } accept ip daddr @federez tcp dport { 22, 53, 80, 443, 389 } accept ip daddr @federez udp dport { 53, 636 } accept ip daddr @znc tcp dport { 6667 } accept ip daddr @letsencrypt tcp dport { 80, 443 } accept ip daddr @irc tcp dport { 22, 6667, 6697, 6767, 7000, 9090 } accept ip daddr @video tcp dport { 37700, 6754 } accept ip daddr @video udp dport { 37800 } accept ip daddr @video tcp dport { 5678 } accept ip daddr @wireguard udp dport { 51820 } accept ip saddr $monitoring udp dport { 161 } accept ip daddr @minecraft tcp dport { 22, 25565 } accept ip daddr @minecraft udp dport { 22, 25565 } accept ip daddr @latoilescoute udp dport { 22, 161, 16384-32768 } accept ip daddr @latoilescoute tcp dport { 22 } accept ip saddr @ldap_clients ip daddr @ldap tcp dport { 389, 636 } accept ip saddr @ldap_clients ip daddr @ldap udp dport { 636 } accept ip daddr @radius udp dport { 1812, 1814 } accept ip daddr @dns_recursif udp dport { 53, 853, 443 } accept ip daddr @dns_recursif tcp dport { 53, 853, 443 } accept drop } chain from_dmz { ip daddr 10.0.0.0/8 accept ip daddr @mysql ip saddr != @www tcp dport 3306 drop ip daddr @mysql ip saddr != @smtp tcp dport 3306 drop } }