#!/usr/sbin/nft -f
# Firewall/NAT ruleset for a host that routes a container LAN (br0) behind
# eth0, publishes a 3CX PABX container and carries IPsec traffic to peer
# subnets. The {:Name:} tokens are not valid nft syntax and appear to be
# placeholders filled in by a templating step before the file is loaded.
flush ruleset
define WAN_NIC = eth0
# Not referenced by any rule in this file.
define LAN_NIC = br0
# Despite the name this matches every address; the rules use it as "any".
define WAN_SUBNET = 0.0.0.0/0
define LAN_SUBNET = {:ContainerSubnetCIDR:}
# Rendered as a set of CIDRs (outer braces are nft set syntax).
define PEER_SUBNETS = {{:PeerSubnetsCIDR:}}
# Not referenced by any rule in this file.
define PUBLIC_IP = {:ServerPublicIP:}
# Address the DNAT rules in table nat match on.
define WAN_IP = {:ServerPrivateIP:}
define PABX_CONT = {:3CXContainerIP:}
# Source address intended for the management SSH allow rule in chain baseallow.
define SITECH_OFFICE = 14.201.136.233/32
# Bit mask OR'd onto the packet mark of ESP packets in chain incoming.
define MARKIPSECINPUT = 0x101
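table inet filter {
    # TCP ports published for the 3CX container. Keep identical to
    # PABX_NAT_TCP in table nat: a port DNAT'd there but missing here is
    # rewritten and then dropped by the forward policy.
    set PABX_ALLOW_TCP {
        type inet_service
        elements = { 80, 443, 5001, 5015, 5060, 5061, 5090 }
    }
    # UDP ports published for the 3CX container. 5090/udp is DNAT'd by
    # PABX_NAT_UDP in table nat (and 5090/tcp is allowed above), so it is
    # listed here as well; without it those packets were DNAT'd and dropped.
    set PABX_ALLOW_UDP {
        type inet_service
        elements = { 5060, 5090 }
    }
    # IPsec control traffic: IKE (500) and NAT-Traversal (4500)
    set IPSEC_ALLOW_UDP {
        type inet_service
        elements = { 500, 4500 }
    }
    # Locally generated traffic is not restricted.
    chain outgoing {
        type filter hook output priority 100
        policy accept
    }
    # Base allow list reached via jump from chain incoming (no hook of its own):
    # conntrack bookkeeping, loopback, ICMP and management SSH.
    chain baseallow {
        # Packets conntrack cannot associate with any connection are dropped
        # before the established/related accept can see them.
        ct state invalid drop
        ct state established,related accept
        iif lo accept
        meta l4proto { icmp, icmpv6 } accept
        # Management SSH is limited to the Sitech office. The rule previously
        # matched $WAN_SUBNET (0.0.0.0/0), i.e. SSH from any source, although
        # the comment and the unused SITECH_OFFICE define show this was intended.
        ip saddr $SITECH_OFFICE tcp dport 22 accept
    }
    chain incoming {
        type filter hook input priority 0
        policy drop
        jump baseallow
        # IPsec: mark ESP packets *before* accepting them. Previously the
        # accept came first, so the mark-set rule was never reached and the
        # marked-packet accept below never matched. The design relies on the
        # mark surviving xfrm decapsulation so the inner packet can be
        # recognised by the rule below; confirm this on the target kernel.
        ip protocol esp mark set mark or $MARKIPSECINPUT counter accept
        ip protocol ah counter accept
        # Decapsulated IPsec payload addressed to this host
        mark and $MARKIPSECINPUT == $MARKIPSECINPUT accept
        # IKE / NAT-T from any peer
        udp dport @IPSEC_ALLOW_UDP accept
    }
    chain forwarding {
        type filter hook forward priority 0
        policy drop
        # LAN -> anywhere ($WAN_SUBNET is 0.0.0.0/0) and the replies back in
        ip saddr $LAN_SUBNET ip daddr $WAN_SUBNET accept
        ip saddr $WAN_SUBNET ip daddr $LAN_SUBNET ct state related,established accept
        # Forwarded traffic to the 3CX container (daddr is already rewritten
        # by the prerouting DNAT in table nat)
        ip daddr $PABX_CONT tcp dport @PABX_ALLOW_TCP accept
        ip daddr $PABX_CONT udp dport @PABX_ALLOW_UDP accept
        # UDP media range, same range the DNAT rule in table nat forwards
        ip daddr $PABX_CONT udp dport 9000-10999 accept
        # LAN <-> IPsec peer subnets, both directions
        ip saddr $LAN_SUBNET ip daddr $PEER_SUBNETS accept
        ip saddr $PEER_SUBNETS ip daddr $LAN_SUBNET accept
    }
}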
# No family given, so this is an IPv4 (ip) table.
table nat {
    # Ports DNAT'd to the 3CX container. Check that PABX_ALLOW_TCP /
    # PABX_ALLOW_UDP in table inet filter list every port here: a port
    # rewritten by prerouting but absent from the filter sets is dropped by
    # the forward policy.
    set PABX_NAT_TCP {
        type inet_service
        elements = {
            80, 443, 5001, 5015, 5060, 5061, 5090
        }
    }
    set PABX_NAT_UDP {
        type inet_service
        elements = {
            5060, 5090
        }
    }
    # Destination NAT for the published PABX services
    chain prerouting {
        type nat hook prerouting priority 0
        # Only traffic addressed to this host's own WAN address is rewritten.
        ip daddr $WAN_IP tcp dport @PABX_NAT_TCP dnat $PABX_CONT
        ip daddr $WAN_IP udp dport @PABX_NAT_UDP dnat $PABX_CONT
        # UDP media range, same range the forward rule in table inet filter allows
        ip daddr $WAN_IP udp dport 9000-10999 dnat $PABX_CONT
    }
    chain postrouting {
        type nat hook postrouting priority 0
        # Stop any IPsec traffic from being NAT'd on its way out: "accept"
        # ends rule evaluation here, so the masquerade rule below is never
        # reached for LAN -> peer-subnet packets.
        oif $WAN_NIC ip saddr $LAN_SUBNET ip daddr $PEER_SUBNETS accept
        # Any other traffic routed out the WAN interface is masqueraded
        # to the WAN interface's address.
        oif $WAN_NIC masquerade
    }
}