From 164b1538f0639a7fb2f474aa3b93be9e66918fe3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A9ctor=20Molinero=20Fern=C3=A1ndez?=
Date: Sun, 14 Jun 2020 19:49:14 +0200
Subject: [PATCH] Switched to nftables, modified the default SSH port and removed fail2ban
---
 packer/build.pkr.hcl | 18 ++---
 packer/qemu/start-vm.sh | 6 +-
 packer/rootfs/etc/fail2ban/jail.d/sshd.conf | 9 ---
 packer/rootfs/etc/nftables.conf | 74 +++++++++++++++++++
 packer/rootfs/etc/ssh/sshd_config | 2 +-
 packer/rootfs/etc/sysctl.d/60-forwarding.conf | 3 +
 packer/rootfs/etc/wireguard/wg0.conf | 28 +------
 7 files changed, 88 insertions(+), 52 deletions(-)
 delete mode 100644 packer/rootfs/etc/fail2ban/jail.d/sshd.conf
 create mode 100644 packer/rootfs/etc/nftables.conf
 create mode 100644 packer/rootfs/etc/sysctl.d/60-forwarding.conf
diff --git a/packer/build.pkr.hcl b/packer/build.pkr.hcl
index 0d39583..b1e0c61 100644
--- a/packer/build.pkr.hcl
+++ b/packer/build.pkr.hcl
@@ -44,15 +44,14 @@ build {
 snapd
 apt-get install -y \
 dns-root-data \
- fail2ban \
 htop \
 iperf3 \
 nano \
+ nftables \
 openresolv \
 qrencode \
 rng-tools \
 ssh-import-id \
- ufw \
 unattended-upgrades \
 unbound \
 wireguard
@@ -66,21 +65,14 @@ build { EOF , < "${USERDA cloud-localds "${USERDATA_DISK:?}" "${USERDATA_YAML:?}"
 # Remove keys from the known_hosts file
-ssh-keygen -R '[127.0.0.1]:2222'
-ssh-keygen -R '[localhost]:2222'
+ssh-keygen -R '[127.0.0.1]:1122'
+ssh-keygen -R '[localhost]:1122'
 # Launch VM
 kvm \
 -smp 1 -m 512 \
 -nographic -serial mon:stdio \
 -device e1000,netdev=n0 \
- -netdev user,id=n0,hostfwd=tcp::2222-:22,hostfwd=udp::51820-:51820 \
+ -netdev user,id=n0,hostfwd=tcp::1122-:122,hostfwd=udp::51820-:51820 \
 -drive file="${SNAPSHOT_DISK:?}",if=virtio,format=qcow2 \
 -drive file="${USERDATA_DISK:?}",if=virtio,format=raw
diff --git a/packer/rootfs/etc/fail2ban/jail.d/sshd.conf b/packer/rootfs/etc/fail2ban/jail.d/sshd.conf
deleted file mode 100644
index 9db1af0..0000000
--- a/packer/rootfs/etc/fail2ban/jail.d/sshd.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-[sshd]
-enabled = true
-filter = sshd
-banaction = ufw
-backend = systemd
-maxretry = 5
-findtime = 10m
-bantime = 10m
-ignoreip = 127.0.0.1/8 ::1
diff --git a/packer/rootfs/etc/nftables.conf b/packer/rootfs/etc/nftables.conf
new file mode 100644
index 0000000..84cd398
--- /dev/null
+++ b/packer/rootfs/etc/nftables.conf
@@ -0,0 +1,74 @@
+#!/usr/sbin/nft -f
+
+flush ruleset;
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0;
+ policy drop;
+
+ # Accept loopback.
+ iif lo accept;
+
+ # Accept traffic originated from us.
+ ct state { established, related } accept;
+
+ # Accept neighbour discovery otherwise IPv6 connectivity breaks.
+ ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept;
+
+ # Accept all ICMP types.
+ ip protocol icmp accept;
+ ip6 nexthdr icmpv6 accept;
+
+ # Accept SSH traffic.
+ tcp dport 122 accept;
+
+ # Accept WireGuard traffic.
+ udp dport 51820 accept;
+
+ # Accept DNS traffic on the WireGuard interface.
+ iifname wg0 meta l4proto { tcp, udp } @th,16,16 53 accept;
+
+ # Count dropped packets.
+ counter drop;
+ }
+
+ chain forward {
+ type filter hook forward priority 0;
+ policy drop;
+
+ # Accept packet forwarding on the WireGuard interface.
+ iifname wg0 accept;
+ oifname wg0 ct state { established, related } accept;
+
+ # Count dropped packets.
+ counter drop;
+ }
+
+ chain output {
+ type filter hook output priority 0;
+ policy accept;
+ }
+}
+
+table inet nat {
+ chain prerouting {
+ type nat hook prerouting priority -100;
+ policy accept;
+
+ # Early drop of invalid packets.
+ ct state invalid counter drop;
+
+ # Accept WireGuard traffic via port 53/UDP (to circumvent some firewalls).
+ iifname != wg0 udp dport 53 redirect to 51820;
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority 100;
+ policy accept;
+
+ # Masquerade WireGuard traffic.
+ oif != lo ip saddr 10.10.10.1/24 masquerade;
+ oif != lo ip6 saddr fd10:10:10::1/64 masquerade;
+ }
+}
diff --git a/packer/rootfs/etc/ssh/sshd_config b/packer/rootfs/etc/ssh/sshd_config
index 6b959a9..86705df 100644
--- a/packer/rootfs/etc/ssh/sshd_config
+++ b/packer/rootfs/etc/ssh/sshd_config
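Review bot: `tcp dport 122 accept;` in the `input` chain admits an unlimited rate of new SSH connections, and this same commit deletes the fail2ban jail, so the image loses its only brute-force throttle; a per-flow limit such as `tcp dport 122 ct state new limit rate 10/minute accept;` (excess falls through to the chain's final `counter drop`) would restore a comparable control without the ufw/fail2ban dependency. In the nat `prerouting` chain, `ct state invalid counter drop;` is most likely dead: as far as I recall the nat hook only traverses the chain for the first packet of a tracked flow, so packets without a conntrack entry never reach it, and moving the rule into filter `input` ahead of the `established, related` accept would make it do what its comment says. Minor: the neighbour-discovery rule is made redundant by the unconditional `ip6 nexthdr icmpv6 accept;` two rules below it, so either keep one or narrow the broad one, and say which in the comment.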
@@ -2,7 +2,7 @@ Protocol 2
 HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
 ListenAddress 0.0.0.0
-Port 22
+Port 122
 UseDNS no
 UsePAM yes
 X11Forwarding no
diff --git a/packer/rootfs/etc/sysctl.d/60-forwarding.conf b/packer/rootfs/etc/sysctl.d/60-forwarding.conf
new file mode 100644
index 0000000..5603fed
--- /dev/null
+++ b/packer/rootfs/etc/sysctl.d/60-forwarding.conf
@@ -0,0 +1,3 @@
+net.ipv4.ip_forward=1
+net.ipv6.conf.all.forwarding=1
+net.ipv6.conf.default.forwarding=1
diff --git a/packer/rootfs/etc/wireguard/wg0.conf b/packer/rootfs/etc/wireguard/wg0.conf
index 3b9aaff..c032d94 100644
--- a/packer/rootfs/etc/wireguard/wg0.conf
+++ b/packer/rootfs/etc/wireguard/wg0.conf
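Review bot: `net.ipv6.conf.all.forwarding=1` in the new sysctl file puts the kernel's IPv6 stack into router mode, and in that mode the default `accept_ra` of 1 makes the host ignore router advertisements; if the build target obtains its global IPv6 address via SLAAC (not visible in this patch), IPv6 connectivity can silently break after reboot, whereas the old wg0.conf PostUp only flipped the sysctl while the tunnel was up. The usual companion setting is `net.ipv6.conf.<uplink-iface>.accept_ra=2` (placeholder interface name), and a comment in the file explaining why forwarding now lives here instead of in wg0.conf would help the next maintainer. Note also that sysctl.d applies at early boot, likely before the nftables `forward` chain with its `policy drop` is loaded, so there is a window where the host forwards with no filter in place.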
@@ -8,29 +8,5 @@ PostUp = wg set '%i' private-key '/etc/wireguard/%i-privatekey'
 # Load peers
 PostUp = [ -e '/etc/wireguard/%i-peers.conf' ] || (umask 022 && touch '/etc/wireguard/%i-peers.conf')
 PostUp = wg addconf '%i' '/etc/wireguard/%i-peers.conf'
-# Enable IPv4/IPv6 forwarding
-PostUp = grep -Fxq 1 /proc/sys/net/ipv4/ip_forward || printf 1 > /proc/sys/net/ipv4/ip_forward
-PostUp = grep -Fxq 1 /proc/sys/net/ipv6/conf/all/forwarding || printf 1 > /proc/sys/net/ipv6/conf/all/forwarding
-PostUp = grep -Fxq 1 /proc/sys/net/ipv6/conf/default/forwarding || printf 1 > /proc/sys/net/ipv6/conf/default/forwarding
-# Store the internet-facing interface in a file for later use
-PostUp = ip route show default 0.0.0.0/0 | awk '/^default/{print $5}' > /etc/wireguard/default-iface
-# Allow access WireGuard via port 51820/UDP on the internet-facing interface
-PostUp = iptables -A INPUT -i "$(cat /etc/wireguard/default-iface)" -p udp --dport 51820 -j ACCEPT
-PostUp = ip6tables -A INPUT -i "$(cat /etc/wireguard/default-iface)" -p udp --dport 51820 -j ACCEPT
-PostDown = iptables -D INPUT -i "$(cat /etc/wireguard/default-iface)" -p udp --dport 51820 -j ACCEPT
-PostDown = ip6tables -D INPUT -i "$(cat /etc/wireguard/default-iface)" -p udp --dport 51820 -j ACCEPT
-# Allow access WireGuard via port 53/UDP on the internet-facing interface (to circumvent some firewalls)
-PostUp = iptables -t nat -A PREROUTING -i "$(cat /etc/wireguard/default-iface)" -p udp --dport 53 -j REDIRECT --to-port 51820
-PostUp = ip6tables -t nat -A PREROUTING -i "$(cat /etc/wireguard/default-iface)" -p udp --dport 53 -j REDIRECT --to-port 51820
-PostDown = iptables -t nat -D PREROUTING -i "$(cat /etc/wireguard/default-iface)" -p udp --dport 53 -j REDIRECT --to-port 51820
-PostDown = ip6tables -t nat -D PREROUTING -i "$(cat /etc/wireguard/default-iface)" -p udp --dport 53 -j REDIRECT --to-port 51820
-# Allow packet forwarding on the WireGuard interface
-PostUp = iptables -A FORWARD -i '%i' -j ACCEPT && iptables -t nat -A POSTROUTING -o "$(cat /etc/wireguard/default-iface)" -j MASQUERADE
-PostUp = ip6tables -A FORWARD -i '%i' -j ACCEPT && ip6tables -t nat -A POSTROUTING -o "$(cat /etc/wireguard/default-iface)" -j MASQUERADE
-PostDown = iptables -D FORWARD -i '%i' -j ACCEPT && iptables -t nat -D POSTROUTING -o "$(cat /etc/wireguard/default-iface)" -j MASQUERADE
-PostDown = ip6tables -D FORWARD -i '%i' -j ACCEPT && ip6tables -t nat -D POSTROUTING -o "$(cat /etc/wireguard/default-iface)" -j MASQUERADE
-# Allow access to the local DNS server on the WireGuard interface
-PostUp = iptables -A INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && iptables -A INPUT -i '%i' -p udp --dport 53 -j ACCEPT
-PostUp = ip6tables -A INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && ip6tables -A INPUT -i '%i' -p udp --dport 53 -j ACCEPT
-PostDown = iptables -D INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && iptables -D INPUT -i '%i' -p udp --dport 53 -j ACCEPT
-PostDown = ip6tables -D INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && ip6tables -D INPUT -i '%i' -p udp --dport 53 -j ACCEPT
+# Reload nftables
+PostUp = nft -f /etc/nftables.conf
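Review bot: `PostUp = nft -f /etc/nftables.conf` re-applies the entire ruleset (the new file begins with `flush ruleset;`) every time wg0 comes up, yet nothing in that ruleset appears to depend on the interface existing, since its rules match `iifname wg0`/`oifname wg0` by name, so in practice this line is acting as the ruleset's load trigger. If nftables.service is not enabled in the image (the build.pkr.hcl hunk that would show this is truncated in this patch), the host runs with no input filtering until wg-quick@wg0 starts; enabling the service at boot and either dropping this PostUp or documenting it as a deliberate reload would remove that ambiguity. Because the flush also clears counters and any rules added by hand, a comment such as `# Reload the full ruleset; this flushes every table, including rules added at runtime` would save the next maintainer a surprise. The hunk is complete within this patch.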