From 4a5262a5d1039265cd3cbbfdacadfd97535d60bb Mon Sep 17 00:00:00 2001
From: giomba
Date: Tue, 18 Jun 2024 23:20:41 +0200
Subject: [PATCH 1/2] nftables: add configuration file.
---
files/nftables.conf | 61 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 61 insertions(+)
create mode 100644 files/nftables.conf
diff --git a/files/nftables.conf b/files/nftables.conf
new file mode 100644
index 0000000..c41dd3d
--- /dev/null
+++ b/files/nftables.conf
@@ -0,0 +1,61 @@
+#!/usr/sbin/nft -f
+
+#flush ruleset
+
+table ip filter {
+ chain INPUT {
+ type filter hook input priority 0; policy drop;
+ ct state related,established accept
+ meta l4proto ipv6-icmp accept
+ meta l4proto icmp accept
+
+ meta l4proto udp udp dport 53 accept
+
+ udp dport 53 accept
+ tcp dport 53 accept
+
+ udp dport 6666 accept
+ udp dport 51280 accept
+
+ tcp dport 6073 accept
+ tcp dport 443 accept
+ tcp dport 80 accept
+ tcp dport 22 accept
+
+ ip saddr 127.0.0.0/8 accept
+ }
+ chain FORWARD {
+ type filter hook forward priority 0; policy drop;
+ }
+ chain OUTPUT {
+ type filter hook output priority 0; policy accept;
+ tcp sport 25 drop
+ }
+}
+
+table ip6 filter {
+ chain INPUT {
+ type filter hook input priority 0; policy drop;
+ ct state related,established accept
+ meta l4proto ipv6-icmp accept
+
+ udp dport 53 accept
+ tcp dport 53 accept
+
+ tcp dport 6073 accept
+ tcp dport 443 accept
+ tcp dport 80 accept
+ tcp dport 22 accept
+
+ ip6 saddr ::1/128 accept
+ ip6 saddr 2001:470:c844::/48 accept
+ }
+ chain FORWARD {
+ type filter hook forward priority 0; policy accept;
+ }
+ chain OUTPUT {
+ type filter hook output priority 0; policy accept;
+ tcp sport 25 drop
+ }
+}
+
From 2345071c71e592c151a1e29606b43b86be248184 Mon Sep 17 00:00:00 2001
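Review bot: The `tcp sport 25 drop` rule in both OUTPUT chains matches packets leaving from local source port 25, i.e. replies from a local mail server, not outbound SMTP connections; if the intent is to keep this host from sending mail, the rule should be `tcp dport 25 drop` (and since neither INPUT chain accepts dport 25, the rule as written is effectively dead). With `flush ruleset` commented out at the top, every `nft -f` load appends the same rules again and any rule later removed from this file stays live in the kernel, so either uncomment it or add a comment stating why the flush is deliberately skipped. The ip6 FORWARD chain has `policy accept` while the ip FORWARD chain drops; unless IPv6 forwarding is intended on this host, the two should agree with `type filter hook forward priority 0; policy drop;`. Minor: `meta l4proto ipv6-icmp accept` inside `table ip filter` and the duplicated `meta l4proto udp udp dport 53 accept` / `udp dport 53 accept` look like leftovers, the loopback accepts would be tighter as `iif lo accept` than address-based `ip saddr 127.0.0.0/8` / `ip6 saddr ::1/128`, and the broad `ip6 saddr 2001:470:c844::/48 accept` (any protocol, any port) deserves a comment naming what that prefix is.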
From: Lan Quil
Date: Tue, 18 Jun 2024 23:40:23 +0200
Subject: [PATCH 2/2] Move nftables.conf to files dir
---
{files => playbooks/files}/nftables.conf | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
rename {files => playbooks/files}/nftables.conf (97%)
diff --git a/files/nftables.conf b/playbooks/files/nftables.conf
similarity index 97%
rename from files/nftables.conf
rename to playbooks/files/nftables.conf
index c41dd3d..9239d58 100644
--- a/files/nftables.conf
+++ b/playbooks/files/nftables.conf
@@ -16,9 +16,9 @@ table ip filter {
 udp dport 6666 accept
 udp dport 51280 accept
-
+
 tcp dport 6073 accept
- tcp dport 443 accept
+ tcp dport 443 accept
 tcp dport 80 accept
 tcp dport 22 accept
@@ -58,4 +58,3 @@ table ip6 filter {
 tcp sport 25 drop
 }
 }
-