roles/common: rework firewall
Use firehol instead of all the others. AbuseIPDB.com can't be updated automatically, Abuse.ch is no longer maintained, and Spamhaus is already in firehol.
@ -5,47 +5,18 @@
|
||||
|
||||
flush ruleset
|
||||
|
||||
# Lists updated daily by update-spamhaus-nftables.sh
|
||||
include "/etc/nftables/spamhaus-ipv4.nft"
|
||||
include "/etc/nftables/spamhaus-ipv6.nft"
|
||||
|
||||
# Lists updated monthly (manually)
|
||||
include "/etc/nftables/abuseipdb-ipv4.nft"
|
||||
include "/etc/nftables/abuseipdb-ipv6.nft"
|
||||
|
||||
# Lists updated daily by update-abusech-nftables.sh
|
||||
include "/etc/nftables/abusech-ipv4.nft"
|
||||
# List updated daily by update-firehol-nftables.sh
|
||||
include "/etc/nftables/firehol_level1-ipv4.nft"
|
||||
|
||||
# Notes:
|
||||
# - tables hold chains, chains hold rules
|
||||
# - inet is for both ipv4 and ipv6
|
||||
table inet filter {
|
||||
set spamhaus-ipv4 {
|
||||
set firehol_level1-ipv4 {
|
||||
type ipv4_addr
|
||||
# if the set contains prefixes we need to use the interval flag
|
||||
flags interval
|
||||
elements = $SPAMHAUS_IPV4
|
||||
}
|
||||
|
||||
set spamhaus-ipv6 {
|
||||
type ipv6_addr
|
||||
flags interval
|
||||
elements = $SPAMHAUS_IPV6
|
||||
}
|
||||
|
||||
set abusech-ipv4 {
|
||||
type ipv4_addr
|
||||
elements = $ABUSECH_IPV4
|
||||
}
|
||||
|
||||
set abuseipdb-ipv4 {
|
||||
type ipv4_addr
|
||||
elements = $ABUSEIPDB_IPV4
|
||||
}
|
||||
|
||||
set abuseipdb-ipv6 {
|
||||
type ipv6_addr
|
||||
elements = $ABUSEIPDB_IPV6
|
||||
elements = $FIREHOL_LEVEL1_IPV4
|
||||
}
|
||||
|
||||
chain input {
|
||||
@ -55,13 +26,7 @@ table inet filter {
|
||||
|
||||
ct state invalid counter drop comment "Early drop of invalid connections"
|
||||
|
||||
ip saddr @spamhaus-ipv4 counter drop comment "Early drop of incoming packets matching spamhaus-ipv4 list"
|
||||
ip6 saddr @spamhaus-ipv6 counter drop comment "Early drop of incoming packets matching spamhaus-ipv6 list"
|
||||
|
||||
ip saddr @abusech-ipv4 counter drop comment "Early drop of packets matching abusech-ipv4 list"
|
||||
|
||||
ip saddr @abuseipdb-ipv4 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv4 list"
|
||||
ip6 saddr @abuseipdb-ipv6 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv6 list"
|
||||
ip saddr @firehol_level1-ipv4 counter drop comment "Early drop of incoming packets matching firehol_level1-ipv4 list"
|
||||
|
||||
iifname lo accept comment "Allow from loopback"
|
||||
|
||||
@ -105,12 +70,6 @@ table inet filter {
|
||||
chain output {
|
||||
type filter hook output priority 0;
|
||||
|
||||
ip daddr @spamhaus-ipv4 counter drop comment "Drop outgoing packets matching spamhaus-ipv4 list"
|
||||
ip6 daddr @spamhaus-ipv6 counter drop comment "Drop outgoing packets matching spamhaus-ipv6 list"
|
||||
|
||||
ip daddr @abusech-ipv4 counter drop comment "Drop outgoing packets matching abusech-ipv4 list"
|
||||
|
||||
ip daddr @abuseipdb-ipv4 counter drop comment "Drop outgoing packets matching abuseipdb-ipv4 list"
|
||||
ip6 daddr @abuseipdb-ipv6 counter drop comment "Drop outgoing packets matching abuseipdb-ipv6 list"
|
||||
ip daddr @firehol_level1-ipv4 counter drop comment "Drop outgoing packets matching firehol_level1-ipv4 list"
|
||||
}
|
||||
}
|
||||
|
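Review bot: The `ip saddr @firehol_level1-ipv4 ... drop` rule in the input chain sits above `iifname lo accept`, and firehol_level1 as published aggregates the fullbogons list, which covers 127.0.0.0/8 and the RFC 1918 ranges. Unless update-firehol-nftables.sh (not shown here) strips those prefixes, loopback and private-network traffic would be dropped on input, and the matching `ip daddr @firehol_level1-ipv4` rule in the output chain would block connections to internal hosts such as a LAN resolver or gateway. Consider exempting loopback at least, e.g. `iifname != lo ip saddr @firehol_level1-ipv4 counter drop` and `oifname != lo ip daddr @firehol_level1-ipv4 counter drop`, and adding a comment above the include such as `# NOTE: firehol_level1 contains bogons; private and loopback prefixes must be filtered out by the update script`. The change also leaves no IPv6 set in place of spamhaus-ipv6 and abuseipdb-ipv6, so IPv6 sources and destinations are no longer matched against any blocklist; that is worth stating in a comment if it is intended. Both chains continue outside the visible hunks, so rules above or below these lines may already handle some of this.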