Merge branch 'nftables/first-commit'

2024-06-18 23:40:41 +02:00 · 2024-06-18 23:40:41 +02:00 · 1a038c2226
parent 9113d2f9a7 2345071c71
commit 1a038c2226
1 changed files with 60 additions and 0 deletions
--- a/playbooks/files/nftables.conf
+++ b/playbooks/files/nftables.conf
@ -0,0 +1,60 @@
+#!/usr/sbin/nft -f
+
+#flush ruleset
+
+table ip filter {
+	chain INPUT {
+		type filter hook input priority 0; policy drop;
+		ct state related,established accept
+		meta l4proto ipv6-icmp accept
+		meta l4proto icmp accept
+
+		meta l4proto udp udp dport 53 accept
+
+		udp dport 53 accept
+		tcp dport 53 accept
+
+		udp dport 6666 accept
+		udp dport 51280 accept
+
+		tcp dport 6073 accept
+		tcp dport 443 accept
+		tcp dport 80 accept
+		tcp dport 22 accept
+
+		ip saddr 127.0.0.0/8 accept
+	}
+	chain FORWARD {
+		type filter hook forward priority 0; policy drop;
+	}
+	chain OUTPUT {
+		type filter hook output priority 0; policy accept;
+		tcp sport 25 drop
+	}
+}
+
+table ip6 filter {
+	chain INPUT {
+		type filter hook input priority 0; policy drop;
+		ct state related,established accept
+		meta l4proto ipv6-icmp accept
+
+		udp dport 53 accept
+		tcp dport 53 accept
+
+		tcp dport 6073 accept
+		tcp dport 443 accept
+		tcp dport 80 accept
+		tcp dport 22 accept
+
+		ip6 saddr ::1/128 accept
+		ip6 saddr 2001:470:c844::/48 accept
+	}
+	chain FORWARD {
+		type filter hook forward priority 0; policy accept;
+	}
+	chain OUTPUT {
+		type filter hook output priority 0; policy accept;
+		tcp sport 25 drop
+	}
+}