bundlewrap/bundles/nftables/files/nftables.conf

82 lines
1.5 KiB
Text
Raw Normal View History

2021-11-26 17:36:16 +00:00
#!/usr/sbin/nft -f
2021-06-03 11:57:50 +00:00
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0
policy drop
tcp flags syn tcp option maxseg size 1-500 drop
ct state { established, related } accept
ct state invalid drop
iif lo accept
% for address in sorted(blocked_v4):
ip saddr ${address} drop
% endfor
% for address in sorted(blocked_v6):
ip6 saddr ${address} drop
% endfor
2021-06-03 11:57:50 +00:00
icmp type timestamp-request drop
icmp type timestamp-reply drop
meta l4proto {icmp, ipv6-icmp} accept
2021-06-03 11:57:50 +00:00
2023-09-24 18:59:58 +00:00
% for ruleset, rules in sorted(input.items()):
# ${ruleset}
% for rule in rules:
${rule}
% endfor
% endfor
2021-06-03 11:57:50 +00:00
}
chain output {
type filter hook output priority 0
policy accept
}
chain forward {
type filter hook forward priority 0
policy drop
icmp type timestamp-request drop
icmp type timestamp-reply drop
2023-09-24 18:59:58 +00:00
% for ruleset, rules in sorted(forward.items()):
# ${ruleset}
% for rule in rules:
${rule}
% endfor
% endfor
2021-06-03 11:57:50 +00:00
}
}
table nat {
chain prerouting {
type nat hook prerouting priority -100
2023-09-24 18:59:58 +00:00
% for ruleset, rules in sorted(prerouting.items()):
# ${ruleset}
% for rule in rules:
${rule}
% endfor
% endfor
2021-06-03 11:57:50 +00:00
}
chain postrouting {
type nat hook postrouting priority 100
2023-09-24 18:59:58 +00:00
% for ruleset, rules in sorted(postrouting.items()):
# ${ruleset}
% for rule in rules:
${rule}
% endfor
% endfor
2021-06-03 11:57:50 +00:00
}
}
include "/etc/nftables-rules.d/*-*"