## homemade_firewall

My own hand-made firewall learning project with nftables.

### License

This program is licensed under the GNU Affero General Public License v3; you can read the copy that comes with this program or read it on [gnu.org](https://gnu.org).

### Dependencies

The following is needed to set up this firewall:

* nftables
* make
* kernel support for nftables, forwarding and conntrack

And the following to run the optional makeconf.sh script:

* bash version 4+

The script makes use of bash arrays and integer variables introduced from that version onwards.

### Usage

To use this firewall, you must first change the `.nft` files to suit your setup.

Once you're satisfied, run `make makeconf` to generate your `nftables.conf`.

Before installing, run `make test` so nftables can check the generated configuration for errors.

If there are no errors, install and load the rules with `make install`.

You can verify that your new rules are in place with `nft list ruleset`.

To uninstall, run `make uninstall`, which replaces the contents of `/etc/nftables.conf` with the backup made at install time and saved in `backup.conf`.

### Modifying .nft files

The following are guidelines for editing the `.nft` files to your liking.

#### defines.nft

In `defines.nft` you can place your defines.

Every service under the *TCP and UDP services* comment should be placed in both the `tcp` and the `udp` named sets.

Every service under the *TCP only services* comment should be placed in the `tcp` named set.

Services under the *UDP only services* comment should be placed in the `udp` named set.

#### nat.nft

In `nat.nft` you can place your nat table, chains and rules.

You don't need to include `defines.nft` here, since it is already included in `filter.nft`.

#### filter.nft

In `filter.nft` you can place your filter table, chains and rules.

This is the main file where you'll do most of your work.

Make sure you erase the `ipv4_geo_blacklist` named set and the rules that reference it if you're not going to block country-wide IP ranges; nft refuses to load a ruleset in which a rule references a set that does not exist.

### makeconf script

This script unifies the `.nft` files into a single `nftables.conf` file ready to be placed at `/etc/nftables.conf`.

It replaces the includes of local `.nft` files in `filter.nft` with their contents and saves the result as `nftables.conf`.

It also determines which countries you want to block by checking which files exist under `/var/geoipsets/dbip/nftset/ipv4/*.ipv4` and places them into the `ipv4_geo_blacklist` named set.
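
The `.nft` layout described under *Modifying .nft files* and the two jobs of the makeconf script (inlining local includes, filling `ipv4_geo_blacklist`) together, as an added example; this is not the project's `makeconf.sh` nor its `.nft` files. It assumes a `# @geo_elements@` marker line inside the set (a convention of this example only), a one-CIDR-per-line format for the country files (the real geoipsets files may be laid out differently), and a temporary directory standing in for `/var/geoipsets/dbip/nftset/ipv4`; every `.nft` file and country file is constructed inline so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example, not the project's makeconf.sh: inline `include "x.nft"` lines that
# refer to local files and fill the ipv4_geo_blacklist set from per-country files.
# Assumptions: the `# @geo_elements@` marker line and one CIDR per line in the
# country files. All inputs below are constructed in a temporary directory.
set -eo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
GEO_DIR="$WORK/geoipsets/dbip/nftset/ipv4"   # stand-in for /var/geoipsets/dbip/nftset/ipv4
mkdir -p "$GEO_DIR"

# Constructed sample .nft files laid out as the README describes.
cat > "$WORK/defines.nft" <<'EOF'
# TCP and UDP services
define dns = 53
# TCP only services
define ssh = 22
define https = 443
# UDP only services
define ntp = 123
EOF
cat > "$WORK/nat.nft" <<'EOF'
table ip nat {
    chain postrouting { type nat hook postrouting priority 100; policy accept; oifname "eth0" masquerade; }
}
EOF
cat > "$WORK/filter.nft" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
include "defines.nft"
include "nat.nft"
table inet filter {
    set tcp { type inet_service; elements = { $dns, $ssh, $https } }
    set udp { type inet_service; elements = { $dns, $ntp } }
    set ipv4_geo_blacklist {
        type ipv4_addr
        flags interval
        # @geo_elements@
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ip saddr @ipv4_geo_blacklist drop
        tcp dport @tcp accept
        udp dport @udp accept
    }
}
EOF
# Two constructed country files (XA and XB are reserved test codes, not real countries).
printf '198.51.100.0/24\n203.0.113.0/24\n' > "$GEO_DIR/XA.ipv4"
printf '192.0.2.0/24\n' > "$GEO_DIR/XB.ipv4"

# Print $1 with every `include "name.nft"` replaced by that file's contents. Only bare
# file names that exist beside $1 are inlined, so an include cannot pull in arbitrary
# paths; any other include line is passed through for nft to resolve itself.
inline_includes() {
    local src="$1" dir line inc
    dir="$(dirname "$src")"
    local re='^[[:space:]]*include[[:space:]]+"([^"/]+\.nft)"[[:space:]]*$'
    while IFS= read -r line || [[ -n "$line" ]]; do
        if [[ "$line" =~ $re ]]; then
            inc="$dir/${BASH_REMATCH[1]}"
            if [[ -f "$inc" ]]; then
                inline_includes "$inc"   # nested local includes are flattened too
                continue
            fi
        fi
        printf '%s\n' "$line"
    done < "$src"
}

# Collect one CIDR per line from every *.ipv4 file in $1 and print them as a
# comma-separated nft element list (empty string when no country files exist).
geo_elements() {
    local geo_dir="$1" f cidr out=""
    shopt -s nullglob
    for f in "$geo_dir"/*.ipv4; do
        while IFS= read -r cidr || [[ -n "$cidr" ]]; do
            [[ -z "$cidr" || "$cidr" == \#* ]] && continue   # skip blanks and comments
            out+="${out:+, }$cidr"
        done < "$f"
    done
    shopt -u nullglob
    printf '%s' "$out"
}

# Write the unified ruleset: $1 = filter.nft, $2 = country file dir, $3 = output path.
build_conf() {
    local src="$1" geo_dir="$2" out="$3" elems expr
    elems="$(geo_elements "$geo_dir")"
    # With no country files the marker is dropped so the set is simply emitted empty.
    [[ -n "$elems" ]] && expr="s|# @geo_elements@|elements = { $elems }|" || expr='/# @geo_elements@/d'
    inline_includes "$src" | sed "$expr" > "$out"
}

build_conf "$WORK/filter.nft" "$GEO_DIR" "$WORK/nftables.conf"
cat "$WORK/nftables.conf"
```

Run it with bash 4 or newer. The file it prints is what you would then hand to `nft -c -f` (nft's own dry-run check) before copying it to `/etc/nftables.conf`. Two design points worth keeping in any real version: the inliner only accepts bare `name.nft` file names that exist next to `filter.nft`, so a stray include cannot drag arbitrary files into the ruleset, and an empty country directory yields an empty set rather than a dangling marker or a load error.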

### Bug-reporting

Try to register an account, wait to be approved and submit an issue. If I take too long to approve your account or I reject your application, you can send me an email at celsochan@disroot.org