nftables.conf tidyup
This commit is contained in:
parent
bc1d3bdec3
commit
f19d604213
SSH key fingerprint:
SHA256:v0410ZKfuO1QHdgKBsdQNF64xmTxOF8osF1LIqwTcVw
1 changed files with 21 additions and 34 deletions
|
|
@ -6,60 +6,47 @@ table inet filter {
|
|||
|
||||
# INPUT
|
||||
|
||||
chain input {
|
||||
type filter hook input priority 0;
|
||||
policy drop;
|
||||
chain input {
|
||||
type filter hook input priority 0
|
||||
policy drop
|
||||
|
||||
# Allow traffic from established and related packets, drop invalid
|
||||
ct state vmap { established : accept, related : accept, invalid : drop }
|
||||
|
||||
# Allow loopback traffic.
|
||||
# allow loopback
|
||||
iifname lo accept
|
||||
|
||||
# accepting ping (icmp-echo-request) for diagnostic purposes.
|
||||
icmp type echo-request limit rate 5/second accept
|
||||
# allow established
|
||||
ct state vmap { established : accept, related : accept, invalid : drop }
|
||||
# allow ping
|
||||
icmp type echo-request accept
|
||||
icmpv6 type echo-request accept
|
||||
# allow neighbour discovery
|
||||
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
|
||||
|
||||
# Jump to chain according to layer 3 protocol using a verdict map
|
||||
meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
|
||||
|
||||
#rules
|
||||
# rules
|
||||
% for rule in sorted(input):
|
||||
${rule}
|
||||
% endfor
|
||||
}
|
||||
|
||||
chain inbound_ipv4 {
|
||||
# accepting ping (icmp-echo-request) for diagnostic purposes.
|
||||
icmp type echo-request limit rate 5/second accept
|
||||
}
|
||||
|
||||
chain inbound_ipv6 {
|
||||
# accept neighbour discovery otherwise connectivity breaks
|
||||
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
|
||||
|
||||
# accepting ping (icmpv6-echo-request) for diagnostic purposes.
|
||||
icmpv6 type echo-request limit rate 5/second accept
|
||||
}
|
||||
|
||||
# FORWARD
|
||||
|
||||
chain forward {
|
||||
type filter hook forward priority 0;
|
||||
chain forward {
|
||||
type filter hook forward priority 0
|
||||
policy accept
|
||||
|
||||
#rules
|
||||
# rules
|
||||
% for rule in sorted(forward):
|
||||
${rule}
|
||||
% endfor
|
||||
}
|
||||
}
|
||||
|
||||
# OUTPUT
|
||||
|
||||
chain output {
|
||||
type filter hook output priority 0;
|
||||
chain output {
|
||||
type filter hook output priority 0
|
||||
policy accept
|
||||
|
||||
# rules
|
||||
% for rule in sorted(output):
|
||||
${rule}
|
||||
% endfor
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue