12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788 |
- (define-module (nftables)
- #:export (
- %gnucode-nftables-ruleset
- ))
- (define %gnucode-nftables-ruleset
- "
- flush ruleset
- table inet my_table {
- set LANv4 {
- type ipv4_addr
- flags interval
- elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }
- }
- set LANv6 {
- type ipv6_addr
- flags interval
- elements = { fd00::/8, fe80::/10 }
- }
- chain my_input_lan {
- # accept Accept NFS
- # meta l4proto { tcp, udp } th dport 2049
- # accept PXE
- # udp sport { bootpc, 4011 } udp dport { bootps, 4011 } accept
- # accept tftp
- # udp dport tftp accept
- }
- chain my_input {
- type filter hook input priority filter; policy drop;
- # accept localhost traffic
- iif lo accept
- # drop invalid connections
- ct state invalid drop
- # accept traffic originated from us
- ct state established,related accept
- # accept ICMPv6
- meta l4proto ipv6-icmp accept
- # accept ICMP
- meta l4proto icmp accept
- # accept igmp
- ip protocol igmp accept
- # accept mdns
- udp dport mdns ip6 daddr ff02::fb accept
- # accept mdns
- udp dport mdns ip daddr 224.0.0.251 accept
- # accept private ip ranges
- ip6 saddr @LANv6 jump my_input_lan
- ip saddr @LANv4 jump my_input_lan
- # allow ssh access
- tcp dport ssh accept
- # allow IPP/IPPs whatever that is
- # tcp dport ipp accept
- # allow http and https
- tcp dport { http, https, 8008, 8080 } accept
- # Accept DHCPDISCOVER (for DHCP-Proxy)
- udp sport bootpc udp dport bootps ip saddr 0.0.0.0 ip daddr 255.255.255.255 accept
- }
- chain my_forward {
- type filter hook forward priority filter; policy drop;
- # Drop everything forwarded to us. We do not forward. That is routers job.
- }
- chain my_output {
- type filter hook output priority filter; policy accept;
- # Accept every outbound connection
- }
- }
- ")
|