ansible-personal/roles/common/templates/nftables.conf.j2

66 lines
1.8 KiB
Plaintext
Raw Normal View History

#!/usr/sbin/nft -f
#
# Initially based on: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server
#
flush ruleset
# Lists updated daily by update-spamhaus-nftables.sh
include "/etc/nftables/spamhaus-ipv4.nft"
include "/etc/nftables/spamhaus-ipv6.nft"
# Notes:
# - tables hold chains, chains hold rules
# - inet is for both ipv4 and ipv6
table inet filter {
set spamhaus-ipv4 {
type ipv4_addr
# if the set contains prefixes we need to use the interval flag
flags interval
elements = $SPAMHAUS_IPV4
}
set spamhaus-ipv6 {
type ipv6_addr
flags interval
elements = $SPAMHAUS_IPV6
}
chain input {
type filter hook input priority 0;
# Allow traffic from established and related packets.
ct state {established, related} accept
# Drop invalid packets.
ct state invalid counter drop
# Drop packets matching the spamhaus sets early.
ip saddr @spamhaus-ipv4 counter drop
ip6 saddr @spamhaus-ipv6 counter drop
# Allow loopback traffic.
iifname lo accept
# Allow all ICMP and IGMP traffic, but enforce a rate limit
# to help prevent some types of flood attacks.
ip protocol icmp limit rate 4/second accept
ip6 nexthdr ipv6-icmp limit rate 4/second accept
ip protocol igmp limit rate 4/second accept
ip saddr 172.20.0.1 ct state new tcp dport 22 counter accept
# everything else
reject with icmpx type port-unreachable
}
chain forward {
type filter hook forward priority 0;
}
chain output {
type filter hook output priority 0;
# Drop outgoing packets matching the spamhaus sets too
ip daddr @spamhaus-ipv4 counter drop
ip6 daddr @spamhaus-ipv6 counter drop
}
}