diff --git a/files/nftables/main.nft b/files/nftables/main.nft
new file mode 100644
index 0000000..ceceed7
--- /dev/null
+++ b/files/nftables/main.nft
@@ -0,0 +1,106 @@
+# # Sample configuration for nftables service.
+# # Load this by calling 'nft -f /etc/nftables/main.nft'.
+#
+# # Note about base chain priorities:
+# # The priority values used in these sample configs are
+# # offset by 20 in order to avoid ambiguity when firewalld
+# # is also running which uses an offset of 10. This means
+# # that packets will traverse firewalld first and if not
+# # dropped/rejected there will hit the chains defined here.
+# # Chains created by iptables, ebtables and arptables tools
+# # do not use an offset, so those chains are traversed first
+# # in any case.
+#
+# # drop any existing nftables ruleset
+# flush ruleset
+#
+# # a common table for both IPv4 and IPv6
+# table inet nftables_svc {
+#
+# # protocols to allow
+# set allowed_protocols {
+# type inet_proto
+# elements = { icmp, icmpv6 }
+# }
+#
+# # interfaces to accept any traffic on
+# set allowed_interfaces {
+# type ifname
+# elements = { "lo" }
+# }
+#
+# # services to allow
+# set allowed_tcp_dports {
+# type inet_service
+# elements = { ssh, 9090 }
+# }
+#
+# # this chain gathers all accept conditions
+# chain allow {
+# ct state established,related accept
+#
+# meta l4proto @allowed_protocols accept
+# iifname @allowed_interfaces accept
+# tcp dport @allowed_tcp_dports accept
+# }
+#
+# # base-chain for traffic to this host
+# chain INPUT {
+# type filter hook input priority filter + 20
+# policy accept
+#
+# jump allow
+# reject with icmpx type port-unreachable
+# }
+# }
+#
+# # By default, any forwarding traffic is allowed.
+# # Uncomment the following line to filter it based
+# # on the same criteria as input traffic.
+# #include "/etc/nftables/router.nft"
+#
+# # Uncomment the following line to enable masquerading of
+# # forwarded traffic. May be used with or without router.nft.
+# #include "/etc/nftables/nat.nft"
+
+# --- --- ---
+
+# Flush the ruleset
+flush ruleset
+
+# Define a table for our firewall rules
+table ip firewall {
+ # Define a chain for outbound traffic
+ chain output {
+ type filter hook output priority 0;
+
+ # Set default policy to DROP
+ policy drop;
+
+ # Allow localhost traffic
+ ip daddr 127.0.0.1 accept
+
+ # Allow DHCPv4 broadcast
+ ip daddr 255.255.255.255 accept
+
+ # Allow traffic to local network (assuming 192.168.0.0/16, adjust if needed)
+ ip daddr 192.168.0.0/16 accept
+ }
+}
+
+# IPv6 table
+table ip6 firewall {
+ chain output {
+ type filter hook output priority 0;
+ policy drop;
+
+ # Allow DHCPv6 multicast
+ ip6 daddr ff02::1:2 accept
+
+ # Allow localhost traffic
+ ip6 daddr ::1 accept
+
+ # Allow traffic to local network (assuming fd00::/8 for unique local addresses, adjust if needed)
+ ip6 daddr fd00::/8 accept
+ }
+}
diff --git a/recipes/recipe.yml b/recipes/recipe.yml
index 24cdb36..ec4017f 100644
--- a/recipes/recipe.yml
+++ b/recipes/recipe.yml
@@ -5,6 +5,10 @@ description: This is my personal OS image.
 base-image: ghcr.io/ublue-os/bluefin-dx-nvidia
 image-version: latest
 modules:
+ - type: files
+ files:
+ - source: nftables
+ destination: /usr/etc/
 - type: default-flatpaks
 notify: true
 system:
@@ -20,8 +24,10 @@ modules:
 - https://repository.mullvad.net/rpm/stable/mullvad.repo
 optfix:
 - Mullvad VPN
+ - windscribe
 install:
 - mullvad-vpn
 - mullvad-browser
 - "https://airvpn.org/mirrors/eddie.website/download/?platform=linux&arch=x64&ui=ui&format=fedora.rpm&version=experimental&r=0.0531527188578923"
+ - "https://deploy.totallyacdn.com/desktop-apps/2.12.7/windscribe_2.12.7_x86_64_fedora.rpm"
 - type: signing
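Review bot: The output allowlists drop traffic the host itself depends on: `ip daddr 127.0.0.1 accept` covers a single loopback address (systemd-resolved's stub listener on 127.0.0.53, the default resolver on Fedora-based images, would be blocked — `oifname "lo" accept` or `ip daddr 127.0.0.0/8 accept` is the usual rule), and the `ip6` chain allows neither ICMPv6 neighbor/router discovery nor `fe80::/10` destinations, so IPv6 neighbor resolution — and with it the DHCPv6 exchange the `ff02::1:2` rule is meant to permit — cannot complete. Separately, every base chain registered on the output hook is evaluated and a drop in any table is final, so packets that a VPN client's own table accepts (the handshake to the provider's public endpoint, and payload routed into the tunnel interface, both carrying non-private destinations) are still dropped by this chain, which presumably defeats the VPN clients the recipe installs unless an `oifname`/endpoint exception is added here. Worth stating in the header comment as well: `flush ruleset` removes every table loaded before this file (firewalld's, and a VPN client's), and with the sample INPUT chain left commented out nothing in this file filters inbound traffic. The sketch below keeps the existing structure and leaves the tunnel device as a placeholder to fill in for the client actually used.
```nftables
# … unchanged: flush ruleset, table ip firewall / chain output header, policy drop …
        # Whole loopback range, not just 127.0.0.1 (the 127.0.0.53 resolver stub lives here)
        oifname "lo" accept
        ip daddr 127.0.0.0/8 accept
        # … unchanged: 255.255.255.255 and 192.168.0.0/16 rules …
        # VPN tunnel interface – fill in the device name the installed client creates;
        # add the provider endpoint (addr/port) too if the client does not allow it itself
        oifname "<vpn-tunnel-if>" accept
# … unchanged: table ip6 firewall / chain output header, policy drop …
        oifname "lo" accept
        # Neighbor/router discovery and link-local must pass before any other IPv6
        # traffic (including the DHCPv6 solicit below) can work
        icmpv6 type { nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept
        ip6 daddr fe80::/10 accept
        # … unchanged: ff02::1:2, ::1 and fd00::/8 rules …
        oifname "<vpn-tunnel-if>" accept
```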
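Review bot: Copying `main.nft` to `/usr/etc/nftables/` only stages the file; nothing in this change enables `nftables.service`, and on Fedora that unit reads `/etc/sysconfig/nftables.conf`, where the `include "/etc/nftables/main.nft"` line is — as far as I recall — commented out by default, so as written the ruleset is likely never loaded at boot and this should be confirmed on a built image. If loading is intended, add a `systemd` module entry enabling `nftables.service` and ship a `sysconfig/nftables.conf` with that include active. Either way, a comment on the new `files` entry such as `# nftables ruleset; only applied if nftables.service is enabled and /etc/sysconfig/nftables.conf includes it` would record the expectation, and since the file begins with `flush ruleset` the start ordering relative to firewalld (the image's default firewall, I believe) needs to be decided explicitly rather than left to unit ordering.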
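Review bot: The new `install:` entry pulls `windscribe_2.12.7_x86_64_fedora.rpm` from a third-party CDN at build time with no integrity check — pinning the version is good, but a package given by URL is installed without repository GPG verification (dnf's `localpkg_gpgcheck` is off by default, and I don't believe rpm-ostree verifies URL-supplied packages either), so the image trusts whatever `deploy.totallyacdn.com` serves on the day of the build. Prefer the pattern already used for Mullvad in this hunk — a vendor repository and its GPG key in the repo list — if Windscribe publishes one; otherwise verify the RPM's signature or a recorded sha256 in a build step before installing. The `optfix: - windscribe` entry also presupposes that the package installs under `/opt/windscribe`, which is worth a one-line comment such as `# windscribe rpm installs into /opt/windscribe` since it is not evident from the recipe.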