nftables.conf tidyup
This commit is contained in:
parent
bc1d3bdec3
commit
f19d604213
SSH key fingerprint:
SHA256:v0410ZKfuO1QHdgKBsdQNF64xmTxOF8osF1LIqwTcVw
1 changed files with 21 additions and 34 deletions
|
|
@ -6,60 +6,47 @@ table inet filter {
|
||||||
|
|
||||||
# INPUT
|
# INPUT
|
||||||
|
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority 0;
|
type filter hook input priority 0
|
||||||
policy drop;
|
policy drop
|
||||||
|
|
||||||
# Allow traffic from established and related packets, drop invalid
|
# allow loopback
|
||||||
ct state vmap { established : accept, related : accept, invalid : drop }
|
|
||||||
|
|
||||||
# Allow loopback traffic.
|
|
||||||
iifname lo accept
|
iifname lo accept
|
||||||
|
# allow established
|
||||||
# accepting ping (icmp-echo-request) for diagnostic purposes.
|
ct state vmap { established : accept, related : accept, invalid : drop }
|
||||||
icmp type echo-request limit rate 5/second accept
|
# allow ping
|
||||||
|
icmp type echo-request accept
|
||||||
|
icmpv6 type echo-request accept
|
||||||
|
# allow neighbour discovery
|
||||||
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
|
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
|
||||||
|
|
||||||
# Jump to chain according to layer 3 protocol using a verdict map
|
# rules
|
||||||
meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
|
|
||||||
|
|
||||||
#rules
|
|
||||||
% for rule in sorted(input):
|
% for rule in sorted(input):
|
||||||
${rule}
|
${rule}
|
||||||
% endfor
|
% endfor
|
||||||
}
|
|
||||||
|
|
||||||
chain inbound_ipv4 {
|
|
||||||
# accepting ping (icmp-echo-request) for diagnostic purposes.
|
|
||||||
icmp type echo-request limit rate 5/second accept
|
|
||||||
}
|
|
||||||
|
|
||||||
chain inbound_ipv6 {
|
|
||||||
# accept neighbour discovery otherwise connectivity breaks
|
|
||||||
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
|
|
||||||
|
|
||||||
# accepting ping (icmpv6-echo-request) for diagnostic purposes.
|
|
||||||
icmpv6 type echo-request limit rate 5/second accept
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# FORWARD
|
# FORWARD
|
||||||
|
|
||||||
chain forward {
|
chain forward {
|
||||||
type filter hook forward priority 0;
|
type filter hook forward priority 0
|
||||||
|
policy accept
|
||||||
|
|
||||||
#rules
|
# rules
|
||||||
% for rule in sorted(forward):
|
% for rule in sorted(forward):
|
||||||
${rule}
|
${rule}
|
||||||
% endfor
|
% endfor
|
||||||
}
|
}
|
||||||
|
|
||||||
# OUTPUT
|
# OUTPUT
|
||||||
|
|
||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority 0;
|
type filter hook output priority 0
|
||||||
|
policy accept
|
||||||
|
|
||||||
|
# rules
|
||||||
% for rule in sorted(output):
|
% for rule in sorted(output):
|
||||||
${rule}
|
${rule}
|
||||||
% endfor
|
% endfor
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue