nftables ruleset for a strongSwan road-warrior (remote-access) VPN gateway
#!/usr/sbin/nft -f
# Loaded atomically with `nft -f`. `flush ruleset` first discards every existing
# table of every family (including tables created at runtime by other tools),
# so this file has to describe the complete desired ruleset.
flush ruleset
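table inet filter {
    # Shared prologue for the input and forward chains: pass replies and
    # related flows, discard what conntrack cannot classify.
    chain base_checks {
        # allow established connections (counted here; the input chain used to
        # repeat this rule with a counter, which was redundant)
        ct state { established, related } counter accept
        # early drop of invalid connections
        ct state invalid drop
    }

    chain input {
        type filter hook input priority 0; policy drop
        jump base_checks
        # allow from loopback
        iifname lo accept
        # Common local services. An `accept` here only ends this chain: the
        # packet is still evaluated by the admin-filter input chain (priority
        # 200), which narrows port 22 to the admin ranges. Port 22 in this list
        # therefore only means "SSH open to everyone" if that table is absent.
        tcp dport { 22, 80, 443 } ct state new accept
        # strongSwan: IKE (UDP/500) and NAT-Traversal / ESP-in-UDP (UDP/4500)
        udp dport { 500, 4500 } counter accept
        # allow IPv4 icmp
        ip protocol icmp icmp type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable } accept
        # IPv6: this is an inet table, so IPv6 packets reach this chain too, but
        # nothing below matches them and the final reject catches them. With the
        # next line disabled, all inbound IPv6 (neighbour discovery, ESP over
        # IPv6, SSH over IPv6) is rejected. Before enabling it, note that the
        # admin-filter table is IPv4-only (`table ip`): IPv6 SSH would then be
        # open without the admin-range restriction.
        #ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        # allow encapsulated traffic (IPv4 only: `ip protocol` never matches IPv6)
        iifname eth0 ip protocol { ah, esp } accept
        # reject any other traffic; this matches everything that remains, so the
        # chain policy `drop` is never reached
        reject with icmpx type port-unreachable
    }

    chain forward {
        type filter hook forward priority 0; policy drop
        jump base_checks
        # Allow traffic coming out of the VPN (decrypted packets from the
        # road-warrior pool) towards any destination; replies return through
        # base_checks. CAVEAT: this matches on source address only, so a
        # plaintext packet arriving on eth0 with a spoofed 172.16.252.x source
        # matches just as well (whether rp_filter catches it depends on the
        # routing setup). Where the kernel and nft support it (roughly nft 0.9.1
        # / kernel 5.1 or newer -- check `nft --version` and test before relying
        # on it), bind the rule to IPsec-decrypted packets instead:
        #meta ipsec exists ip saddr 172.16.252.0/24 accept
        ip saddr 172.16.252.0/24 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
        # With policy accept this rule changes nothing; it only documents
        # outgoing AH/ESP on eth0 (add `counter` if you want to see it).
        oifname eth0 ip protocol { ah, esp } accept
    }
}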
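table ip nat {
    chain prerouting {
        # -100 is the conventional destination-NAT priority (nft's `dstnat`),
        # so DNAT runs before any priority-0 prerouting chain. No DNAT rules
        # are defined; the lines below are placeholders for port forwards.
        type nat hook prerouting priority -100; policy accept;
        #tcp dport <port> dnat to <host>
        #udp dport <port> dnat to <host>
    }

    chain postrouting {
        # 100 is the conventional source-NAT priority (`srcnat`).
        type nat hook postrouting priority 100; policy accept;
        # If a local network must see road-warrior clients with their real pool
        # address, exempt it before the masquerade rule, e.g.:
        #oifname eth0 ip daddr 10.10.10.0/24 accept
        # Hide the VPN pool behind the gateway's eth0 address. `oifname` (match
        # by name) replaces `oif` (match by interface index) for consistency with
        # the filter table and so the ruleset does not fail to load when eth0
        # does not exist at load time.
        ip saddr 172.16.252.0/24 oifname eth0 masquerade
    }
}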
# Second input chain layered on top of the inet filter table. It runs after
# that chain (priority 200 > 0): an `accept` there only ends that chain, so
# packets still arrive here, which is what lets this chain narrow SSH to the
# admin ranges. Being a `table ip`, it never sees IPv6 traffic.
table ip admin-filter {
# Expected to supply the admin ranges (e.g. `define admin_ip_list = { ... }`)
# for the commented `elements = $admin_ip_list` form below.
include "/etc/white.nft"
set admin_ip {
type ipv4_addr; flags interval;
#elements = $admin_ip_list
# Placeholders: the entries below are not valid addresses, so the ruleset
# does not load until they are replaced (or the $admin_ip_list form is used).
elements = {
p.q.r.0/22,
x.y.z.0/20,
a.b.0.0/19,
m.n.o.0/21
}
}
chain input {
type filter hook input priority 200; policy accept
# Required: the admin rule below matches only `new`, so without this line the
# later packets of an already-accepted admin SSH session would hit the reject.
ct state related,established counter accept
# new SSH only from the admin ranges
tcp dport { 22 } ip saddr @admin_ip ct state new accept
# every other SSH attempt, regardless of what the filter table accepted
tcp dport { 22 } reject
}
}
include "/etc/nftables/fail2ban.conf"