roles/common: Retab nftables.conf.j2

Alan Orth 2021-07-27 22:03:23 +03:00
parent a74d6dfc08
commit 8bc2b6f493
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9


@ -13,20 +13,20 @@ include "/etc/nftables/spamhaus-ipv6.nft"
# - tables hold chains, chains hold rules # - tables hold chains, chains hold rules
# - inet is for both ipv4 and ipv6 # - inet is for both ipv4 and ipv6
table inet filter { table inet filter {
set spamhaus-ipv4 { set spamhaus-ipv4 {
type ipv4_addr type ipv4_addr
# if the set contains prefixes we need to use the interval flag # if the set contains prefixes we need to use the interval flag
flags interval flags interval
elements = $SPAMHAUS_IPV4 elements = $SPAMHAUS_IPV4
} }
set spamhaus-ipv6 { set spamhaus-ipv6 {
type ipv6_addr type ipv6_addr
flags interval flags interval
elements = $SPAMHAUS_IPV6 elements = $SPAMHAUS_IPV6
} }
chain input { chain input {
type filter hook input priority 0; type filter hook input priority 0;
# Allow traffic from established and related packets. # Allow traffic from established and related packets.
@ -74,14 +74,14 @@ table inet filter {
# everything else # everything else
reject with icmpx type port-unreachable reject with icmpx type port-unreachable
} }
chain forward { chain forward {
type filter hook forward priority 0; type filter hook forward priority 0;
} }
chain output { chain output {
type filter hook output priority 0; type filter hook output priority 0;
# Drop outgoing packets matching the spamhaus sets too # Drop outgoing packets matching the spamhaus sets too
ip daddr @spamhaus-ipv4 counter drop ip daddr @spamhaus-ipv4 counter drop
ip6 daddr @spamhaus-ipv6 counter drop ip6 daddr @spamhaus-ipv6 counter drop
} }
} }