roles/common: Add comments to nftables.conf

Alan Orth 2021-07-30 09:37:30 +03:00
parent debcb21161
commit 7ae100faeb
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9


@ -37,38 +37,31 @@ table inet filter {
chain input {
type filter hook input priority 0;
# Allow traffic from established and related packets.
ct state {established, related} accept
ct state {established, related} accept comment "Allow traffic from established and related packets"
# Drop invalid packets.
ct state invalid counter drop
ct state invalid counter drop comment "Early drop of invalid connections"
# Drop packets matching the spamhaus sets early.
ip saddr @spamhaus-ipv4 counter drop
ip6 saddr @spamhaus-ipv6 counter drop
ip saddr @spamhaus-ipv4 counter drop comment "Early drop of incoming packets matching spamhaus-ipv4 list"
ip6 saddr @spamhaus-ipv6 counter drop comment "Early drop of incoming packets matching spamhaus-ipv6 list"
# Drop packets matching the abusech set early.
ip saddr @abusech-ipv4 counter drop
ip saddr @abusech-ipv4 counter drop comment "Early drop of packets matching abusech-ipv4 list"
# Allow loopback traffic.
iifname lo accept
iifname lo accept comment "Allow from loopback"
# Allow all ICMP and IGMP traffic, but enforce a rate limit
# to help prevent some types of flood attacks.
ip protocol icmp limit rate 4/second accept
ip6 nexthdr ipv6-icmp limit rate 4/second accept
ip protocol igmp limit rate 4/second accept
ip protocol icmp limit rate 4/second accept comment "Allow ICMP"
ip6 nexthdr ipv6-icmp limit rate 4/second accept comment "Allow IPv6 ICMP"
ip protocol igmp limit rate 4/second accept comment "Allow IGMP"
{# SSH rules #}
ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept
ip6 saddr ::/0 ct state new tcp dport 22 counter accept
ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept comment "Allow SSH"
ip6 saddr ::/0 ct state new tcp dport 22 counter accept comment "Allow SSH"
{# Web rules #}
{% if 'web' in group_names %}
ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept
ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept
ip6 saddr ::/0 ct state new tcp dport 80 counter accept
ip6 saddr ::/0 ct state new tcp dport 443 counter accept
ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept comment "Allow HTTP"
ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS"
ip6 saddr ::/0 ct state new tcp dport 80 counter accept comment "Allow HTTP"
ip6 saddr ::/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS"
{% endif %}
{# Extra rules #}
@ -91,11 +84,10 @@ table inet filter {
}
chain output {
type filter hook output priority 0;
# Drop outgoing packets matching the spamhaus sets too
ip daddr @spamhaus-ipv4 counter drop
ip6 daddr @spamhaus-ipv6 counter drop
# Drop outgoing packets matching the abusech sets too
ip daddr @abusech-ipv4 counter drop
ip daddr @spamhaus-ipv4 counter drop comment "Drop outgoing packets matching spamhaus-ipv4 list"
ip6 daddr @spamhaus-ipv6 counter drop comment "Drop outgoing packets matching spamhaus-ipv6 list"
ip daddr @abusech-ipv4 counter drop comment "Drop outgoing packets matching abusech-ipv4 list"
}
}
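Review bot: The rationale that the removed `#` comment gave for the ICMP/IGMP rate limit ("to help prevent some types of flood attacks") is not carried into the new inline comments at the three `limit rate 4/second accept` rules in the first hunk, so a reader of `nft list ruleset` now sees "Allow ICMP" without knowing why a limit is there or that the 4/second value is deliberate; suggest extending the string, e.g. `ip protocol icmp limit rate 4/second accept comment "Allow ICMP, rate-limited to mitigate floods"`, or keeping a one-line `#` comment above the group. The IPv4 and IPv6 SSH, HTTP and HTTPS rules also get identical comment strings ("Allow SSH", "Allow HTTP", "Allow HTTPS"), which makes the per-rule counters harder to tell apart when reviewing the live ruleset; `comment "Allow SSH (IPv6)"` on the `ip6 saddr ::/0` variants would disambiguate them. As a point of style, `ip saddr 0.0.0.0/0` and `ip6 saddr ::/0` on those accept rules match every source and could be dropped from the new lines without changing behaviour. The `chain input` block opened at the top of the first hunk continues past it.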