vidhar: nftables...

author: Gregor Kleen <gkleen@yggdrasil.li> 2021-12-08 17:59:52 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2021-12-08 17:59:52 +0100
commit: 8124337c5182b02e3057ebde1213050d4a714a0f (patch)
tree: 75ca0a216c5bacefdff73640f1ec86e6a3f85dd9 /hosts/vidhar/ruleset.nft
parent: fb7cd0220c908408910d26b9823acef9fe2b39e2 (diff)
download: nixos-8124337c5182b02e3057ebde1213050d4a714a0f.tar
nixos-8124337c5182b02e3057ebde1213050d4a714a0f.tar.gz
nixos-8124337c5182b02e3057ebde1213050d4a714a0f.tar.bz2
nixos-8124337c5182b02e3057ebde1213050d4a714a0f.tar.xz
nixos-8124337c5182b02e3057ebde1213050d4a714a0f.zip
1 files changed, 71 insertions, 0 deletions
diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft
new file mode 100644
index 00000000..ae91af00
--- /dev/null
+++ b/hosts/vidhar/ruleset.nft
@@ -0,0 +1,71 @@
+table inet filter {
+  chain forward {
+    type filter hook forward priority filter
+    policy drop
+    iifname eno1 accept
+    ct state {established, related} accept
+    meta l4proto ipv6-icmp accept
+    meta l4proto icmp accept
+    meta l4proto igmp accept
+    log prefix "drop forward:"
+    counter
+  }
+  chain input {
+    type filter hook input priority filter
+    policy drop
+    iifname lo accept
+    iif != lo ip daddr 127.0.0.1/8 counter drop
+    iif != lo ip6 daddr ::1/128 counter drop
+    ct state {established, related} accept
+    tcp dport 22 accept
+    udp dport 51820 accept
+    udp dport 60000-61000 accept
+    meta l4proto ipv6-icmp accept
+    meta l4proto icmp accept
+    meta l4proto igmp accept
+    log prefix "drop input:"
+    counter
+  }
+  chain output {
+    type filter hook output priority filter
+    policy accept
+    counter
+  }
+}
+table ip nat {
+  chain postrouting {
+    type nat hook postrouting priority srcnat
+    policy accept
+    oifname dsl counter masquerade
+    counter
+  }
+}
+table inet mangle {
+  chain postrouting {
+    type filter hook postrouting priority mangle
+    policy accept
+    oifname dsl meta l4proto tcp tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
+    counter
+  }
+}
+\ No newline at end of file
author	Gregor Kleen <gkleen@yggdrasil.li>	2021-12-08 17:59:52 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2021-12-08 17:59:52 +0100
commit	8124337c5182b02e3057ebde1213050d4a714a0f (patch)
tree	75ca0a216c5bacefdff73640f1ec86e6a3f85dd9 /hosts/vidhar/ruleset.nft
parent	fb7cd0220c908408910d26b9823acef9fe2b39e2 (diff)
download	nixos-8124337c5182b02e3057ebde1213050d4a714a0f.tar nixos-8124337c5182b02e3057ebde1213050d4a714a0f.tar.gz nixos-8124337c5182b02e3057ebde1213050d4a714a0f.tar.bz2 nixos-8124337c5182b02e3057ebde1213050d4a714a0f.tar.xz nixos-8124337c5182b02e3057ebde1213050d4a714a0f.zip

diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft new file mode 100644 index 00000000..ae91af00 --- /dev/null +++ b/hosts/vidhar/ruleset.nft
@@ -0,0 +1,71 @@
	1	table inet filter {
	2	chain forward {
	3	type filter hook forward priority filter
	4	policy drop
	5
	6
	7	iifname eno1 accept
	8
	9	ct state {established, related} accept
	10
	11	meta l4proto ipv6-icmp accept
	12	meta l4proto icmp accept
	13	meta l4proto igmp accept
	14
	15
	16	log prefix "drop forward:"
	17	counter
	18	}
	19
	20	chain input {
	21	type filter hook input priority filter
	22	policy drop
	23
	24
	25	iifname lo accept
	26	iif != lo ip daddr 127.0.0.1/8 counter drop
	27	iif != lo ip6 daddr ::1/128 counter drop
	28
	29	ct state {established, related} accept
	30
	31	tcp dport 22 accept
	32	udp dport 51820 accept
	33	udp dport 60000-61000 accept
	34
	35	meta l4proto ipv6-icmp accept
	36	meta l4proto icmp accept
	37	meta l4proto igmp accept
	38
	39	log prefix "drop input:"
	40	counter
	41	}
	42
	43	chain output {
	44	type filter hook output priority filter
	45	policy accept
	46
	47	counter
	48	}
	49	}
	50
	51	table ip nat {
	52	chain postrouting {
	53	type nat hook postrouting priority srcnat
	54	policy accept
	55
	56	oifname dsl counter masquerade
	57
	58	counter
	59	}
	60	}
	61
	62	table inet mangle {
	63	chain postrouting {
	64	type filter hook postrouting priority mangle
	65	policy accept
	66
	67	oifname dsl meta l4proto tcp tcp flags & (syn\|rst) == syn counter tcp option maxseg size set rt mtu
	68
	69	counter
	70	}
	71	} \ No newline at end of file