Network
/
2024
9
0
Fork 0
Code Issues 33 Pull Requests Packages Projects Releases Wiki Activity
2024/automation/ansible/roles/firewall/templates/nftables.conf.j2

39 lines
837 B
Django/Jinja
Raw Blame History

#!/usr/sbin/nft -f
flush ruleset
include "/etc/nftables/global.d/*.nft";
table inet filter {
include "/etc/nftables/filter.d/*.nft";
chain input {
type filter hook input priority filter; policy {{ firewall.input_policy | default('drop') }};
iif lo accept
# Anti-klonootryazvane
tcp dport ssh accept
ct state established,related accept
# Don't block ICMP
ip protocol icmp accept
ip6 nexthdr icmpv6 accept
include "/etc/nftables/input.d/*.nft";
# Should we reject or drop?
ip protocol tcp reject with tcp reset
ip6 nexthdr tcp reject with tcp reset
reject
}
chain forward {
type filter hook forward priority filter; policy {{ firewall.forward_policy | default('drop') }};
}
chain output {
type filter hook output priority filter; policy {{ firewall.output_policy | default('accept') }};
}
}
Reference in New Issue View Git Blame Copy Permalink