Support for basic firewall, NAT, IP masquerading, port forwarding #448

@troglobit

Description

Quite a few people have asked about support for a basic firewall, with NAT, IP masquerading, and port forwarding. This is a critical (planned) feature most network operating systems have, but is currently not actively worked on. With current timelines, it will possibly be picked up mid 2025 at the earliest.

Available right now, however, is a curiOS nftables container that can be used for advanced setups:

This container-based approach leverages host networking (the same network namespace as the host) and will always be possible to fall back on in advanced setups. But for the more common use-cases we'd like to see something simpler.

YANG Model

For a minimal/user-friendly Infix YANG model, we've narrowed the functionality down to the following basic building blocks:

  • allow
  • deny
  • port forward
  • masquerade

Resources

Example /etc/nftables.conf

Router between WAN and LAN port(s):

#!/usr/sbin/nft -f

define WAN = eth0
define LAN = br0
define NET = 192.168.0.0/24

# Drop all rules to allow reloading this file after edit
flush ruleset

table ip filter {
    # Regular chain for traffic to the router itself, arriving on the WAN port
    chain wan {
        # Accept ping for diagnostics, with rate limit
        icmp type echo-request limit rate 5/second accept

        # allow SSH connections from some well-known internet host
        #ip saddr 81.209.165.42 tcp dport ssh accept
    }

    # Regular chain for traffic to the router itself, arriving on the LAN port(s)
    chain lan {
        icmp type echo-request accept

        # allow DHCP, DNS and SSH from the private network
        ip protocol . th dport vmap {
            tcp . 22 : accept,
            udp . 53 : accept,
            tcp . 53 : accept,
            udp . 67 : accept
        }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Allow traffic from established and related packets, drop invalid
        ct state vmap {
            established : accept,
            related     : accept,
            invalid     : drop
        }

        # allow loopback traffic, anything else jump to chain for further evaluation
        iifname vmap {
            lo   : accept,
            $WAN : jump wan,
            $LAN : jump lan
        }

        # the rest is dropped by the above policy
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow traffic from established and related packets, drop invalid
        ct state vmap {
            established : accept,
            related     : accept,
            invalid     : drop
        }

        # connections from LAN to the internet or to other intranets are allowed
        iifname $LAN accept

        # a port forward (dnat rule in the nat table below) only rewrites the
        # destination; the new connection must also be accepted here, e.g.:
        #iifname $WAN ct status dnat accept

        # the rest is dropped by the above policy
    }
}

table ip nat {
    chain prerouting {
        # dstnat (-100) is the conventional priority for DNAT rules
        type nat hook prerouting priority dstnat; policy accept;

        # port forwards go here, e.g. WAN port 8080 to an inside web server:
        #iifname $WAN tcp dport 8080 dnat to 192.168.0.10:80
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # match by name (oifname), like the rules above; oif resolves the
        # interface index at load time and fails if $WAN does not exist yet
        ip saddr $NET oifname $WAN masquerade
    }
}

General Information

You can help out by sponsoring the development, or contributing a pull request for a more streamlined/user-friendly and integrated firewall. Use this issue for discussions around the topic.
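As an added illustration of how the four building blocks above (allow, deny, port forward, masquerade) map onto nft rules, the following Python script renders them into a ruleset with the same shape as the example above. This is not Infix code and not the issue author's; the dataclasses are a hypothetical stand-in for the YANG model, and the interface names, addresses and ports in EXAMPLE are made up. The point it makes that the posted config leaves implicit: a port forward needs two rules, a dnat in prerouting and a matching accept in the forward chain, because the forward chain's policy is drop.

```python
import ipaddress
from dataclasses import dataclass

# Added illustration, not Infix code: the dataclasses are a hypothetical
# stand-in for the YANG building blocks; interface names, addresses and ports
# in EXAMPLE are made up.
PROTOS = ("tcp", "udp")

def _check(proto, *ports):
    if proto not in PROTOS:
        raise ValueError(f"unsupported protocol: {proto}")
    for port in ports:
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")

@dataclass(frozen=True)
class Service:
    """allow/deny: a service on the router itself, reached via `iface`."""
    iface: str
    proto: str
    port: int

@dataclass(frozen=True)
class PortForward:
    """Expose an inside host:port on `wan_port` of `wan_iface`."""
    wan_iface: str
    proto: str
    wan_port: int
    to_addr: str
    to_port: int

@dataclass(frozen=True)
class Masquerade:
    """Source NAT for `source` (CIDR) leaving via `wan_iface`."""
    wan_iface: str
    source: str

def render_ruleset(allow, deny, forwards, masquerades, lan_ifaces):
    """Return an nft script implementing the given building blocks."""
    inp, fwd, pre, post = [], [], [], []

    # Deny is emitted before allow so an explicit deny wins over an allow for
    # the same port; everything not matched falls through to policy drop.
    for s in deny:
        _check(s.proto, s.port)
        inp.append(f'iifname "{s.iface}" {s.proto} dport {s.port} drop')
    for s in allow:
        _check(s.proto, s.port)
        inp.append(f'iifname "{s.iface}" {s.proto} dport {s.port} accept')

    for f in forwards:
        _check(f.proto, f.wan_port, f.to_port)
        ipaddress.ip_address(f.to_addr)  # raises on a malformed address
        pre.append(f'iifname "{f.wan_iface}" {f.proto} dport {f.wan_port} '
                   f'dnat to {f.to_addr}:{f.to_port}')
        # DNAT only rewrites the destination: with policy drop in forward,
        # each forwarded flow still needs its own accept rule.
        fwd.append(f'iifname "{f.wan_iface}" ip daddr {f.to_addr} '
                   f'{f.proto} dport {f.to_port} ct status dnat accept')

    for m in masquerades:
        net = ipaddress.ip_network(m.source, strict=True)  # raises on host bits
        post.append(f'ip saddr {net} oifname "{m.wan_iface}" masquerade')

    # Hosts on the LAN side may initiate anything, as in the posted config.
    fwd += [f'iifname "{lan}" accept' for lan in lan_ifaces]

    def chain(name, hook, prio, policy, rules):
        head = f"    chain {name} {{\n        type {hook} priority {prio}; policy {policy};"
        return "\n".join([head] + [f"        {r}" for r in rules] + ["    }"])

    ct = "ct state vmap { established : accept, related : accept, invalid : drop }"
    return "\n".join([
        "#!/usr/sbin/nft -f", "flush ruleset", "",
        "table ip filter {",
        chain("input", "filter hook input", "filter", "drop",
              [ct, 'iifname "lo" accept',
               "icmp type echo-request limit rate 5/second accept"] + inp),
        chain("forward", "filter hook forward", "filter", "drop", [ct] + fwd),
        "}", "table ip nat {",
        chain("prerouting", "nat hook prerouting", "dstnat", "accept", pre),
        chain("postrouting", "nat hook postrouting", "srcnat", "accept", post),
        "}", "",
    ])

# Constructed sample matching the issue's WAN=eth0 / LAN=br0 layout.
EXAMPLE = render_ruleset(
    allow=[Service("br0", "tcp", 22), Service("br0", "udp", 53),
           Service("br0", "tcp", 53), Service("br0", "udp", 67)],
    deny=[Service("eth0", "tcp", 22)],
    forwards=[PortForward("eth0", "tcp", 8080, "192.168.0.10", 80)],
    masquerades=[Masquerade("eth0", "192.168.0.0/24")],
    lan_ifaces=["br0"],
)

if __name__ == "__main__":
    print(EXAMPLE)
```

The output can be checked without touching the running firewall with `nft -c -f <file>`. Deny rules are placed ahead of allow rules on purpose: in a model with only these four verbs, "deny" is only meaningful as an override of an allow, since the chain policy already drops everything else. The per-forward accept rule matches on the rewritten destination and `ct status dnat`, so it admits exactly the forwarded flow rather than everything the WAN port sees.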
