From 8124337c5182b02e3057ebde1213050d4a714a0f Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Wed, 8 Dec 2021 17:59:52 +0100
Subject: vidhar: nftables...

---
 hosts/vidhar/ruleset.nft | 71 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 hosts/vidhar/ruleset.nft
(limited to 'hosts/vidhar/ruleset.nft')

diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft
new file mode 100644
index 00000000..ae91af00
--- /dev/null
+++ b/hosts/vidhar/ruleset.nft
@@ -0,0 +1,71 @@
+table inet filter {
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+
+
+ iifname eno1 accept
+
+ ct state {established, related} accept
+
+ meta l4proto ipv6-icmp accept
+ meta l4proto icmp accept
+ meta l4proto igmp accept
+
+
+ log prefix "drop forward:"
+ counter
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+
+ iifname lo accept
+ iif != lo ip daddr 127.0.0.1/8 counter drop
+ iif != lo ip6 daddr ::1/128 counter drop
+
+ ct state {established, related} accept
+
+ tcp dport 22 accept
+ udp dport 51820 accept
+ udp dport 60000-61000 accept
+
+ meta l4proto ipv6-icmp accept
+ meta l4proto icmp accept
+ meta l4proto igmp accept
+
+ log prefix "drop input:"
+ counter
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+ counter
+ }
+}
+
+table ip nat {
+ chain postrouting {
+ type nat hook postrouting priority srcnat
+ policy accept
+
+ oifname dsl counter masquerade
+
+ counter
+ }
+}
+
+table inet mangle {
+ chain postrouting {
+ type filter hook postrouting priority mangle
+ policy accept
+
+ oifname dsl meta l4proto tcp tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
+
+ counter
+ }
+}
\ No newline at end of file
-- 
cgit v1.2.3
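Review bot: Neither the input nor the forward chain drops `ct state invalid` before the `ct state {established, related} accept` rule, so out-of-window or malformed packets arriving on `dsl` fall through to the later accepts (e.g. `tcp dport 22 accept`, `meta l4proto icmp accept`) instead of being rejected up front; add `ct state invalid counter drop` immediately before the established/related line in both chains. The `log prefix "drop input:"` and `log prefix "drop forward:"` rules carry no rate limit, so a port scan against the WAN interface logs every dropped packet — `limit rate 10/minute burst 20 packets log prefix "drop input:"` keeps the visibility while bounding log volume. The SSH, WireGuard and mosh accepts (`tcp dport 22`, `udp dport 51820`, `udp dport 60000-61000`) match on every interface including `dsl`; that looks intentional for remote access, but if only some of them need WAN reachability, qualifying them with `iifname` would shrink the exposed surface. The MSS clamp in `table inet mangle` only matches `oifname dsl`, so SYN/SYN-ACK segments entering from `dsl` are left unclamped; if both directions over that link need it, also matching `iifname dsl` (or clamping in the forward hook without an interface condition) would cover them.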