roles/common: Add comments to nftables.conf
This commit is contained in:
parent
debcb21161
commit
7ae100faeb
@ -37,38 +37,31 @@ table inet filter {
|
|||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority 0;
|
type filter hook input priority 0;
|
||||||
|
|
||||||
# Allow traffic from established and related packets.
|
ct state {established, related} accept comment "Allow traffic from established and related packets"
|
||||||
ct state {established, related} accept
|
|
||||||
|
|
||||||
# Drop invalid packets.
|
ct state invalid counter drop comment "Early drop of invalid connections"
|
||||||
ct state invalid counter drop
|
|
||||||
|
|
||||||
# Drop packets matching the spamhaus sets early.
|
ip saddr @spamhaus-ipv4 counter drop comment "Early drop of incoming packets matching spamhaus-ipv4 list"
|
||||||
ip saddr @spamhaus-ipv4 counter drop
|
ip6 saddr @spamhaus-ipv6 counter drop comment "Early drop of incoming packets matching spamhaus-ipv6 list"
|
||||||
ip6 saddr @spamhaus-ipv6 counter drop
|
|
||||||
|
|
||||||
# Drop packets matching the abusech set early.
|
ip saddr @abusech-ipv4 counter drop comment "Early drop of packets matching abusech-ipv4 list"
|
||||||
ip saddr @abusech-ipv4 counter drop
|
|
||||||
|
|
||||||
# Allow loopback traffic.
|
iifname lo accept comment "Allow from loopback"
|
||||||
iifname lo accept
|
|
||||||
|
|
||||||
# Allow all ICMP and IGMP traffic, but enforce a rate limit
|
ip protocol icmp limit rate 4/second accept comment "Allow ICMP"
|
||||||
# to help prevent some types of flood attacks.
|
ip6 nexthdr ipv6-icmp limit rate 4/second accept comment "Allow IPv6 ICMP"
|
||||||
ip protocol icmp limit rate 4/second accept
|
ip protocol igmp limit rate 4/second accept comment "Allow IGMP"
|
||||||
ip6 nexthdr ipv6-icmp limit rate 4/second accept
|
|
||||||
ip protocol igmp limit rate 4/second accept
|
|
||||||
|
|
||||||
{# SSH rules #}
|
{# SSH rules #}
|
||||||
ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept
|
ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept comment "Allow SSH"
|
||||||
ip6 saddr ::/0 ct state new tcp dport 22 counter accept
|
ip6 saddr ::/0 ct state new tcp dport 22 counter accept comment "Allow SSH"
|
||||||
|
|
||||||
{# Web rules #}
|
{# Web rules #}
|
||||||
{% if 'web' in group_names %}
|
{% if 'web' in group_names %}
|
||||||
ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept
|
ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept comment "Allow HTTP"
|
||||||
ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept
|
ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS"
|
||||||
ip6 saddr ::/0 ct state new tcp dport 80 counter accept
|
ip6 saddr ::/0 ct state new tcp dport 80 counter accept comment "Allow HTTP"
|
||||||
ip6 saddr ::/0 ct state new tcp dport 443 counter accept
|
ip6 saddr ::/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS"
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{# Extra rules #}
|
{# Extra rules #}
|
||||||
@ -91,11 +84,10 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority 0;
|
type filter hook output priority 0;
|
||||||
# Drop outgoing packets matching the spamhaus sets too
|
|
||||||
ip daddr @spamhaus-ipv4 counter drop
|
|
||||||
ip6 daddr @spamhaus-ipv6 counter drop
|
|
||||||
|
|
||||||
# Drop outgoing packets matching the abusech sets too
|
ip daddr @spamhaus-ipv4 counter drop comment "Drop outgoing packets matching spamhaus-ipv4 list"
|
||||||
ip daddr @abusech-ipv4 counter drop
|
ip6 daddr @spamhaus-ipv6 counter drop comment "Drop outgoing packets matching spamhaus-ipv6 list"
|
||||||
|
|
||||||
|
ip daddr @abusech-ipv4 counter drop comment "Drop outgoing packets matching abusech-ipv4 list"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
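Review bot: The input chain header on the new side, `type filter hook input priority 0;`, sets no `policy drop;`, and neither hunk shows a terminal drop rule, so unless one is set in the lines between the two hunks (the chain body past `{# Extra rules #}` is outside the hunk) nftables' default accept policy leaves every `accept` rule here without effect. If deny-by-default is intended, make it explicit on that line, `type filter hook input priority 0; policy drop;`, and keep a `#` comment above the chain saying that anything not accepted below is dropped. Related to that policy, the rate-limited `ip6 nexthdr ipv6-icmp limit rate 4/second accept` also governs neighbor discovery and router advertisements, so a preceding unlimited accept for `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert }` would avoid IPv6 connectivity loss when the limit is exceeded during a burst. Finally, the removed `# Allow all ICMP and IGMP traffic, but enforce a rate limit … to help prevent some types of flood attacks.` was the only place the rate limit was explained, and the new `comment "Allow ICMP"` does not preserve that reasoning, so I would keep the `#` comment above those three rules alongside the per-rule comments.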
|