bundlewrap/bundles/nftables/files/nftables.conf

82 lines
1.6 KiB
Text

#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0
policy drop
tcp flags syn tcp option maxseg size 1-500 drop
ct state { established, related } accept
ct state invalid drop
iif lo accept
% for address in sorted(blocked_v4):
ip saddr ${address} drop
% endfor
% for address in sorted(blocked_v6):
ip6 saddr ${address} drop
% endfor
icmp type timestamp-request drop
icmp type timestamp-reply drop
ip protocol icmp accept
ip6 nexthdr ipv6-icmp accept
% for ruleset, rules in sorted(input.items()):
# ${ruleset}
% for rule in rules:
${rule}
% endfor
% endfor
}
chain output {
type filter hook output priority 0
policy accept
}
chain forward {
type filter hook forward priority 0
policy drop
icmp type timestamp-request drop
icmp type timestamp-reply drop
% for ruleset, rules in sorted(forward.items()):
# ${ruleset}
% for rule in rules:
${rule}
% endfor
% endfor
}
}
table nat {
chain prerouting {
type nat hook prerouting priority -100
% for ruleset, rules in sorted(prerouting.items()):
# ${ruleset}
% for rule in rules:
${rule}
% endfor
% endfor
}
chain postrouting {
type nat hook postrouting priority 100
% for ruleset, rules in sorted(postrouting.items()):
# ${ruleset}
% for rule in rules:
${rule}
% endfor
% endfor
}
}
include "/etc/nftables-rules.d/*-*"