On a Debian 12 VPS with OpenVPN installed, I am having difficulty finding an nftables ruleset that works. The following is the current ruleset, excluding the set definitions. I can connect to the VPN, but then cannot access any services. I'm aware there are overlapping rules, but that is because I'm attempting to use a standard ruleset across all servers, with additions according to the services needed. Any thoughts?

    table inet firewall {
        chain input {
            type filter hook input priority filter; policy accept;
            ct state { established, related } accept
            iifname "lo" accept
            icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, mld-listener-query, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
            ip protocol icmp icmp type echo-request ip saddr @servers_ipv4 accept
            ip protocol icmp icmp type echo-request ip saddr 127.0.0.1 accept
            ip saddr @spamhaus_blacklist drop
            ip saddr @blacklist_v4 drop
            tcp dport 443 accept
            iifname "tun0" accept
            tcp dport 22 ip saddr @always_ipv4 accept
            tcp dport 22 ip saddr @privileged_ipv4 accept
            tcp dport 22 ip saddr @tunnelin_ipv4 accept
            tcp dport 22 ip saddr @security_v4 accept
            tcp dport 22 ip saddr 193.107.20.105 accept
            tcp dport 22 ip6 saddr @always_ipv6 accept
            tcp dport 22 ip6 saddr @privileged_ipv6 accept
            tcp dport 22 ip6 saddr @tunnelin_ipv6 accept
            tcp dport 22 ip6 saddr @security_v6 accept
            tcp dport 22 log prefix "Denied SSH: " drop
            udp dport 60000-61000 ip saddr @always_ipv4 accept
            udp dport 60000-61000 ip saddr @privileged_ipv4 accept
            udp dport 60000-61000 ip6 saddr @always_ipv6 accept
            udp dport 60000-61000 ip6 saddr @privileged_ipv6 accept
            udp dport 60000-61000 log prefix "Denied MOSH: " drop
            ip saddr @munin_host_v4 tcp dport 4949 accept
            ip6 saddr @munin_host_v6 tcp dport 4949 accept
            tcp dport 3306 ip saddr 127.0.0.1 accept
            log prefix "nftables input dropped: " flags all counter packets 86 bytes 9203 drop
        }

        chain forward {
            type filter hook forward priority filter; policy drop;
            ct state { established, related } accept
            iifname "tun0" oifname "eth0" accept
            iifname "eth0" oifname "tun0" ct state new accept
            log prefix "nftables forward dropped: " flags all counter packets 0 bytes 0 drop
        }

        chain output {
            type filter hook output priority filter; policy drop;
            ct state { established, related } accept
            ip protocol icmp icmp type echo-request ip daddr @servers_ipv4 accept
            ip protocol icmp icmp type echo-request ip daddr 127.0.0.1 accept
            icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, mld-listener-query, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
            ip protocol { tcp, udp } th dport 53 accept
            tcp dport 123 accept
            tcp dport { 80, 443 } accept
            ip daddr @postmark_v4 tcp dport 587 accept
            ip daddr @postmarklists_v4 tcp dport 587 accept
            ip daddr @smtp2go_v4 tcp dport 587 accept
            ip6 daddr @postmark_v6 tcp dport 587 accept
            ip6 daddr @postmarklists_v6 tcp dport 587 accept
            ip6 daddr @smtp2go_v6 tcp dport 587 accept
            ip daddr @vault_v4 tcp dport 22 accept
            ip6 daddr @vault_v6 tcp dport 22 accept
            ip daddr 127.0.0.1 tcp dport 3306 accept
            ip protocol tcp accept
            ip6 nexthdr tcp accept
            ip protocol udp accept
            ip6 nexthdr udp accept
        }

        chain prerouting {
            type nat hook prerouting priority dstnat; policy accept;
        }

        chain postrouting {
            type nat hook postrouting priority srcnat; policy accept;
        }
    }
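
One check worth running against a ruleset like the one above, as an added example that is not part of the original post: it reports interfaces that forwarded tunnel traffic is allowed to leave by while no nat postrouting rule rewrites the source address. The sample text is constructed from the post's forward and postrouting chains; the function names and the `tun0` default are assumptions.

```python
import re

# Constructed sample: the forward and postrouting chains from the post.
SAMPLE = '''table inet firewall {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state { established, related } accept
        iifname "tun0" oifname "eth0" accept
        iifname "eth0" oifname "tun0" ct state new accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
    }
}'''

def chains(ruleset):
    """Map chain name -> body, brace-matched so { a, b } sets stay inside."""
    out = {}
    for m in re.finditer(r'\bchain\s+(\S+)\s*\{', ruleset):
        depth, i = 1, m.end()
        while i < len(ruleset) and depth:
            depth += {'{': 1, '}': -1}.get(ruleset[i], 0)
            i += 1
        out[m.group(1)] = ruleset[m.end():i - 1]
    return out

def rules(body):
    """Split a chain body into statements (one per line or ';')."""
    return [r.strip() for r in re.split(r'[;\n]', body) if r.strip()]

def unnatted_egress(ruleset, tunnel_if="tun0"):
    """Interfaces that forwarded tunnel traffic may leave by without a
    masquerade/snat rule in a nat postrouting chain covering them."""
    egress, natted, nat_any = set(), set(), False
    for body in chains(ruleset).values():
        is_fwd = re.search(r'hook\s+forward\b', body)
        is_post = re.search(r'hook\s+postrouting\b', body)
        for r in rules(body):
            if is_fwd and r.endswith("accept"):
                m = re.search(r'iifname\s+"([^"]+)"\s+oifname\s+"([^"]+)"', r)
                if m and m.group(1) == tunnel_if:
                    egress.add(m.group(2))
            if is_post and re.search(r'\b(masquerade|snat)\b', r):
                m = re.search(r'oifname\s+"([^"]+)"', r)
                if m:
                    natted.add(m.group(1))
                else:
                    nat_any = True  # NAT rule not tied to one interface
    return [] if nat_any else sorted(egress - natted)
```

Feed it `nft list ruleset` output with one rule per line; an interface in the result means tunnel clients' packets leave it still carrying their tunnel source address.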