firewalls – NFTABLE ON OPENWRT – COULD THIS BE STRONGER?

BACKGROUND:
— openwrt router; strict custom traffic rules;
— lap to ether cable to router: no other devices;
— GOAL: harden system so that if a RAT were to get on my lap somehow, it would be ineffective at calling its C2 server.
— unbound = full rec resolver
— limiting IPs in traffic rules to the few IPs I will use.

flush ruleset

define LOOP = "lo"
define UNBOUND_PORT = 53
define DNS_ADDR = 127.0.0.1

table inet fw {
  chain input {
    type filter hook input priority 0;
    policy drop;

    # Allow established/related
    ct state { established, related } accept

    # Allow loopback
    iif $LOOP accept

    # Drop anything to loopback not from loopback
    iif != $LOOP ip daddr 127.0.0.1 drop
    iif != $LOOP ip6 daddr ::1 drop

    # ICMP (optional, useful for diagnostics)
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
  }

  chain forward {
    type filter hook forward priority 0;
    policy drop;
  }

  chain output {
    type filter hook output priority 0;
    policy drop;

    # Allow established/related
    ct state { established, related } accept

    # Allow loopback
    oif $LOOP accept

    # Allow DNS to local unbound resolver
    ip daddr $DNS_ADDR udp dport $UNBOUND_PORT accept
    ip daddr $DNS_ADDR tcp dport $UNBOUND_PORT accept

    # Optional: allow web access (or better, proxy only)
    # ip daddr  tcp dport { 80, 443 } accept
  }
}
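One way to tighten the output chain toward the stated goal (a compromised process on the laptop should find no route to a C2 server), as an added example and not the poster's ruleset: destinations move into a named set, off-box DNS is restricted to the resolver's own uid so other processes cannot resolve or tunnel over port 53, and every dropped outbound packet is logged so a beacon attempt leaves a trace. The resolver username, upstream forwarder and allow-listed hosts are assumed placeholders; this is for the laptop (the host running unbound on 127.0.0.1), not the router.

```nft
flush ruleset

define LOOP = "lo"
# Assumed values (not from the post): the uid unbound runs as, its upstream
# forwarder, and the few hosts the laptop is permitted to reach.
define UNBOUND_USER = "unbound"
define UPSTREAM_DNS = 192.0.2.53
define WEB_PORTS = { 80, 443 }

table inet fw {
  # Allow-listed destinations live in one named set, so audits and changes
  # happen in one place (nft add element inet fw allowed_hosts { ... }).
  set allowed_hosts {
    type ipv4_addr
    elements = { 192.0.2.10, 192.0.2.20 }
  }

  chain input {
    type filter hook input priority 0; policy drop;
    ct state { established, related } accept
    ct state invalid drop
    iif $LOOP accept
    iif != $LOOP ip daddr 127.0.0.0/8 drop
    iif != $LOOP ip6 daddr ::1 drop
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
  }

  chain output {
    type filter hook output priority 0; policy drop;
    ct state { established, related } accept
    ct state invalid drop
    # Loopback covers the laptop's own queries to unbound on 127.0.0.1.
    oif $LOOP accept
    # Only the resolver's uid may send DNS off-box, and only to its forwarder:
    # a process doing its own lookups or tunnelling over port 53 is blocked.
    ip daddr $UPSTREAM_DNS meta skuid $UNBOUND_USER udp dport 53 accept
    ip daddr $UPSTREAM_DNS meta skuid $UNBOUND_USER tcp dport 53 accept
    # Pinned destinations on explicit ports, nothing else.
    ip daddr @allowed_hosts tcp dport $WEB_PORTS accept
    # Anything reaching here is dropped by policy; log it first so an
    # unexpected outbound attempt is visible in dmesg / logread.
    log prefix "fw-output-drop: " counter
  }
}
```

Matching on skuid only constrains code running as an unprivileged user; a root-level implant can still use the allowed paths, so the allow list should stay as short as practical. Check the file with `nft -c -f <file>` before loading it.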

