celso
/
homemade_firewall
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
homemade_firewall/README.md

2.6 KiB
Raw Blame History

homemade_firewall

My own hand-made firewall learning project with nftables.

License

This program is licensed under the Affero GNU Public License v3, you can read the copy that comes along with this program or read it at gnu.org's website

Dependencies

The following is needed to setup this firewall:

  • nftables
  • make
  • support for nftables, forwarding and conntrack in kernel

And the following to run the optional makeconf.sh script:

  • bash version 4+

Because it makes use of bash arrays and integer variables introduced from that version onwards.

Usage

To use this firewall, you must first change the .nft files to suit your setup.

Once you're satisfied, run: make makeconf to generate your nftables.conf.

Run the following command before installing make test so nftables can check for errors.

If there are no errors, you can install and run with make install

You can verify that your new rules are in place with nft list ruleset

To uninstall, run make uninstall, which will replace the contents of /etc/nftables.conf with the backup made at install-time and saved in backup.conf.

Modifying .nft files

The following are guidelines for editing the .nft files to your liking

defines.nft

In defines.nft you can place your defines.

Every service under the TCP and UDP services comment should be placed in tcp and udp named sets.

Every service under the TCP only services comment should be placed in the tcp named set.

Services under the UDP only services comment should be placed in the udp named sets.

nat.nft

In nat.nft you can place your nat table, chains and rules.

You don't need to include defines.nft since it is included in filter.nft

filter.nft

In filter.nft you can place your filter table, chains and rules.

This is the main file where you'll do most of your work.

Make sure you erase the ipv4_geo_blacklist named set and rules related to it if you're not going to block country-wide IP ranges.

makeconf script

This script unifies the .nft files into a single nftables.conf file ready to be placed into /etc/nftables.conf.

It replaces includes of local .nft files with their contents into filter.nft and saves it as nftables.conf.

It also checks which countries you want to block by checking what files exist under /var/geoipsets/dbip/nftset/ipv4/*.ipv4 and places them into the ipv4_geo_blacklist named set.

Bug-reporting

Try to register an account, wait to be approved and submit an issue. If I take too long to approve your account or I reject your application, you can send me an email at celsochan@disroot.org