Guest network (Wi-Fi 1 & Wi-Fi 2) isolation/security issue

Do you mind sharing an example config?

Sure; mind that splitting the config into separate files is just my workflow preference, essentially all of it can go into /etc/nftables.config instead. That file needs to be created manually as it is not done automatically when installing kmod-nft-core and nftables.

Mind you this example has not been tested on TO and was just lifted off one of my other L nodes as a basic template.

/etc/nftables.config
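#!/usr/sbin/nft -f

# Replace the whole ruleset atomically; everything below rebuilds it.
flush ruleset

# Order matters: nft expands $variables at parse time, so the file that
# defines them has to be included before any file that references them
# (/etc/fw/wan uses $nic). The base table/chain declarations come next;
# the per-area files then append rules to those chains.
include "/etc/fw/defines"
include "/etc/fw/rules"
# include "/etc/fw/sets"
include "/etc/fw/global"
include "/etc/fw/lan"
include "/etc/fw/wan"
include "/etc/fw/meter"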
/etc/fw/rules
# NETDEV
# Ingress hook directly on the NIC: runs before any ip/inet hook, so this is
# where the per-source meters in /etc/fw/meter are attached.
# The device name is a literal here; `$nic` from /etc/fw/defines can only be
# used if that file is included before this one.
table netdev filter {
	chain nic {
		type filter hook ingress device ens3 priority 0;
	}
}

# NAT
# No family keyword, so this is the `ip` family: IPv4 only. IPv6 traffic is
# neither translated here nor touched by the `raw` table below.
table nat {
	chain prerouting {
		type nat hook prerouting priority 0;
	}
	chain postrouting {
		type nat hook postrouting priority 100;
	}
}

# BRIDGE
# Bridge-family hooks see frames switched inside a bridge (e.g. between two
# Wi-Fi clients on the same bridge); such traffic normally does not reach the
# inet forward chain. No rules are added to these chains on this page.
table bridge filter {
	chain input {
		type filter hook input priority -200;
	}
	chain forward {
		type filter hook forward priority -200;
	}
	chain output {
		type filter hook output priority -200;
	}
}

# ROUTE

# ARP
# Empty base chains for ARP; nothing is added on this page, so ARP passes
# with the default accept policy.
table arp filter {
  chain input {
  	type filter hook input priority 0;
  }
  chain output {
		type filter hook output priority 0;
  }
}

# RAW
# `ip` family (no family keyword). -300 is the conventional raw priority, so
# prerouting rules placed here would run before conntrack; no rules are added
# on this page.
table raw {
	chain prerouting {
		type filter hook prerouting priority -300;
	}
	chain postrouting {
		type filter hook postrouting priority 100;
	}
}

# Main IPv4+IPv6 filter. No `policy` is given on any chain, so nft's default
# `policy accept` applies: everything not explicitly dropped by the rules
# appended in /etc/fw/lan, /etc/fw/wan and /etc/fw/meter is allowed through
# (/etc/fw/global is not shown on this page).
# NOTE(review): for guest isolation or WAN hardening a default-deny
# (`policy drop;` plus an explicit `ct state established,related accept`)
# would be the usual starting point; none of the files shown here add one.
table inet filter {
	chain input {
		type filter hook input priority 0;
	}
	chain forward {
		type filter hook forward priority 0;
	}
	chain output {
		type filter hook output priority 0;
	}
}
/etc/fw/defines
# VARIABLES
# Expanded by nft at parse time, so this file has to be included before any
# file that references `$nic` (/etc/fw/wan does) — check the include order in
# /etc/nftables.config.

# interfaces
define nic = ens3

# network ranges
# NOTE(review): a host address with a /24 prefix; confirm whether the
# 172.25.120.0/24 network or the 172.25.120.1 host was intended. `opvn` is
# not referenced by any file shown on this page.
define opvn = 172.25.120.1/24
/etc/fw/meter
# Appends to the netdev ingress chain declared in /etc/fw/rules (device ens3).
table netdev filter {
  chain nic {

    # global
    # NOTE(review): `limit rate` without `over` matches only while the
    # per-source rate is within the limit, and `continue` then just moves on
    # to the next rule. Packets above the rate do not match and fall through
    # as well, and nothing below drops them — so as written this meter does
    # not limit anything. Actual limiting needs `limit rate over ...` with a
    # `drop` verdict (or a drop rule after an in-rate accept).
    meter global-meter { ip saddr limit rate 50/second burst 25 packets } continue

    # ssh wan
    # Disabled; same in-rate/accept pattern as the vpn meter below.
    # tcp dport 51030 meter ssh-meter { ip saddr limit rate 10/minute burst 3 packets } accept

    # vpn
    # Accepts in-rate packets early. Over-rate packets fall through to the end
    # of the chain, where the default accept policy lets them in anyway, so
    # the rate limit is not enforced either — see the note above.
    udp dport 61023 meter ovpn-meter { ip saddr limit rate 10/minute burst 7 packets } accept
  }
}

# Re-declares the table/chains from /etc/fw/rules; in nft this appends to
# the existing chains. Nothing is added here — placeholder for future rules.
table inet filter {
  chain input {
  }
  chain forward {
	}
  chain output {
	}
}
/etc/fw/wan
# Appends to the `ip` family nat table declared in /etc/fw/rules (IPv4 only).
table nat {
	chain prerouting {

		# vpn
		# Port-forward the public address/port (placeholders) to the VPN host.
		# DNAT only rewrites the destination; the inet forward chain still has
		# to accept the translated flow (the `oifname br*` accept in /etc/fw/lan
		# covers it only if 172.25.120.2 sits behind a bridge — confirm).
		ip daddr xxx.xxx.xxx.xxx udp dport xxxxx dnat to 172.25.120.2

		# ssh wan
		# Disabled. NOTE(review): target is 172.23.120.x while the VPN host is
		# 172.25.120.x — different subnet or typo; confirm before enabling.
		# ip daddr xxx.xxx.xxx.xxx tcp dport xxxxx dnat to 172.23.120.98:56009
	}

	chain postrouting {
		# Source-NAT everything leaving the WAN NIC; `$nic` comes from
		# /etc/fw/defines and must be defined before this file is parsed.
		meta oifname $nic masquerade
	}
}

# Same table as declared in /etc/fw/rules; re-declaring appends to it.
# Nothing is added here, so as far as this page shows no rule restricts
# traffic arriving on the WAN NIC — the chains fall back to the default
# accept policy.
table inet filter {
	chain input {
	}
	chain forward {
	}
	chain output {
	}
}
/etc/fw/lan
# Empty. Bridge-family rules are what would filter client-to-client traffic
# inside a single bridge (e.g. two clients on the same guest Wi-Fi); nothing
# restricts it here.
table bridge filter {
	chain input {
	}
	chain forward {
	}
	chain output {
	}
}

# LAN-side rules appended to the inet filter chains from /etc/fw/rules.
table inet filter {

  chain input {

		# lo
		meta iifname lo accept

		# bridge zones
		# `br*` is a wildcard: every interface whose name starts with "br",
		# i.e. all bridges, including guest ones, may reach the router itself
		# (its services/ports are not restricted here).
		meta iifname br* accept
	}
  chain forward {

		# bridge
		# Routed traffic is accepted both into and out of any bridge, with no
		# rule in between, so a packet from one bridge to another bridge is
		# accepted too. NOTE(review): this is where guest isolation would be
		# enforced — a drop for guest-bridge -> internal-bridge traffic (and a
		# matching restriction in `input`) has to come before these accepts.
		meta oifname br* accept
		meta iifname br* accept
	}
}

That is not true and needs to be corrected as apparently it is split into 7 kernel modules.