paulbsd-salt/states/nftables/templates/rules.nft.j2

## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}

{%- from "nftables/map.jinja" import nftables with context %}
{%- from "nftables/map.jinja" import net with context %}

## IPv4 filtering
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
add chain ip filter DOCKER
add rule ip filter INPUT iifname lo counter accept
add rule ip filter INPUT iifname tun* counter accept
add rule ip filter INPUT iifname br* counter accept
add rule ip filter INPUT iifname veth* counter accept
add rule ip filter INPUT iifname lxc* counter accept
add rule ip filter INPUT ct state related,established counter accept
add rule ip filter INPUT ip protocol icmp counter accept
{%- for network in net.ip_networks+net.optional_ip_networks %}
{%- if '.' in network %}
add rule ip filter INPUT ip saddr {{ network }} ct state established,new counter accept
{%- endif %}
{%- endfor %}
{%- for port in net.public_ports %}
add rule ip filter INPUT {{ port.split('/')[0] }} dport {{ port.split('/')[1] }} ct state established,new counter accept
{%- endfor %}
{%- if nftables.log %}
add rule ip filter INPUT counter log
{%- endif %}
#add rule ip filter INPUT counter log reject


## IPv4 NAT
add table ip nat
add chain ip nat PREROUTING { type nat hook prerouting priority dstnat; policy accept; }
add chain ip nat INPUT { type nat hook input priority 1; policy accept; }
add chain ip nat OUTPUT { type nat hook output priority -100; policy accept; }
add chain ip nat POSTROUTING { type nat hook postrouting priority srcnat; policy accept; }
add chain ip nat DOCKER

### Main NAT rules
{%- for network in net.nats %}
add rule ip nat POSTROUTING ip saddr {{ network }} counter masquerade
{%- endfor %}

### Docker related rules
add rule ip nat POSTROUTING oifname != "docker0" ip saddr 172.17.0.0/24 counter masquerade
add rule ip nat PREROUTING fib daddr type local counter jump DOCKER
add rule ip nat OUTPUT ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER
add rule ip nat POSTROUTING iifname br-* counter masquerade
add rule ip nat POSTROUTING iifname veth* counter masquerade
add rule ip nat POSTROUTING iifname lxc* counter masquerade

add rule ip nat DOCKER iifname "docker0" counter return

## IPv6 filtering
add table ip6 filter6
add chain ip6 filter6 INPUT { type filter hook input priority 0; policy drop; }
add chain ip6 filter6 FORWARD { type filter hook forward priority 0; policy accept; }
add chain ip6 filter6 OUTPUT { type filter hook output priority 0; policy accept; }
add rule ip6 filter6 INPUT iifname lo counter accept
add rule ip6 filter6 INPUT iifname tun* counter accept
add rule ip6 filter6 INPUT ct state related,established counter accept
add rule ip6 filter6 INPUT icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect, parameter-problem, router-renumbering} accept
{%- for network in net.ip_networks %}
{%- if ':' in network %}
add rule ip6 filter6 INPUT ip6 saddr {{ network }} ct state established,new counter accept
{%- endif %}
{%- endfor %}
{%- for port in net.public_ports %}
add rule ip6 filter6 INPUT {{ port.split('/')[0] }} dport {{ port.split('/')[1] }} ct state established,new counter accept
{%- endfor %}
{%- if nftables.log %}
add rule ip6 filter6 INPUT counter log
{%- endif %}
#add rule ip6 filter6 INPUT counter log reject

## Endline is mandatory
updated nftables state 2022-01-06 23:18:36 +01:00			`## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}`

			`{%- from "nftables/map.jinja" import nftables with context %}`
			`{%- from "nftables/map.jinja" import net with context %}`

			`## IPv4 filtering`
			`add table ip filter`
			`add chain ip filter INPUT { type filter hook input priority 0; policy drop; }`
			`add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }`
			`add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }`
updated nftables state 2022-01-25 00:18:08 +01:00			`add chain ip filter DOCKER`
updated nftables state 2022-01-06 23:18:36 +01:00			`add rule ip filter INPUT iifname lo counter accept`
			`add rule ip filter INPUT iifname tun* counter accept`
updated nftables state 2023-06-10 10:08:50 +02:00			`add rule ip filter INPUT iifname br* counter accept`
			`add rule ip filter INPUT iifname veth* counter accept`
updated nftables state 2023-12-18 19:31:16 +01:00			`add rule ip filter INPUT iifname lxc* counter accept`
updated nftables state 2022-01-06 23:18:36 +01:00			`add rule ip filter INPUT ct state related,established counter accept`
			`add rule ip filter INPUT ip protocol icmp counter accept`
updated nftables state 2023-03-31 17:40:29 +02:00			`{%- for network in net.ip_networks+net.optional_ip_networks %}`
updated nftables state 2023-03-10 00:08:11 +01:00			`{%- if '.' in network %}`
			`add rule ip filter INPUT ip saddr {{ network }} ct state established,new counter accept`
			`{%- endif %}`
updated nftables state 2022-01-06 23:18:36 +01:00			`{%- endfor %}`
updated nftables state 2023-03-10 00:08:11 +01:00			`{%- for port in net.public_ports %}`
			`add rule ip filter INPUT {{ port.split('/')[0] }} dport {{ port.split('/')[1] }} ct state established,new counter accept`
updated nftables state 2022-01-06 23:18:36 +01:00			`{%- endfor %}`
updated nftables state 2023-01-05 00:13:40 +01:00			`{%- if nftables.log %}`
			`add rule ip filter INPUT counter log`
			`{%- endif %}`
updated nftables state 2023-12-18 19:31:16 +01:00			`#add rule ip filter INPUT counter log reject`
updated nftables state 2023-01-05 00:13:40 +01:00
updated nftables state 2022-01-06 23:18:36 +01:00
			`## IPv4 NAT`
			`add table ip nat`
updated nftables state 2022-06-08 23:50:36 +02:00			`add chain ip nat PREROUTING { type nat hook prerouting priority dstnat; policy accept; }`
updated nftables state 2022-04-03 23:02:32 +02:00			`add chain ip nat INPUT { type nat hook input priority 1; policy accept; }`
updated nftables state 2022-06-08 23:50:36 +02:00			`add chain ip nat OUTPUT { type nat hook output priority -100; policy accept; }`
			`add chain ip nat POSTROUTING { type nat hook postrouting priority srcnat; policy accept; }`
* Fixes on states - disabled iptables handling by docker - updated firewall rules template - added dependency package for ipbl 2022-03-12 00:00:02 +01:00			`add chain ip nat DOCKER`
updated nftables state 2023-01-05 00:13:40 +01:00
			`### Main NAT rules`
updated nftables state 2023-03-10 00:08:11 +01:00			`{%- for network in net.nats %}`
			`add rule ip nat POSTROUTING ip saddr {{ network }} counter masquerade`
updated nftables state 2022-01-06 23:18:36 +01:00			`{%- endfor %}`
updated nftables state 2023-01-05 00:13:40 +01:00
			`### Docker related rules`
updated nftables state 2022-06-08 23:50:36 +02:00			`add rule ip nat POSTROUTING oifname != "docker0" ip saddr 172.17.0.0/24 counter masquerade`
			`add rule ip nat PREROUTING fib daddr type local counter jump DOCKER`
* Fixes on states - disabled iptables handling by docker - updated firewall rules template - added dependency package for ipbl 2022-03-12 00:00:02 +01:00			`add rule ip nat OUTPUT ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER`
updated nftables state 2023-01-05 00:13:40 +01:00			`add rule ip nat POSTROUTING iifname br-* counter masquerade`
updated nftables state 2023-12-18 19:31:16 +01:00			`add rule ip nat POSTROUTING iifname veth* counter masquerade`
			`add rule ip nat POSTROUTING iifname lxc* counter masquerade`
* Fixes on states - disabled iptables handling by docker - updated firewall rules template - added dependency package for ipbl 2022-03-12 00:00:02 +01:00
			`add rule ip nat DOCKER iifname "docker0" counter return`
updated nftables state 2022-01-06 23:18:36 +01:00
			`## IPv6 filtering`
			`add table ip6 filter6`
			`add chain ip6 filter6 INPUT { type filter hook input priority 0; policy drop; }`
			`add chain ip6 filter6 FORWARD { type filter hook forward priority 0; policy accept; }`
			`add chain ip6 filter6 OUTPUT { type filter hook output priority 0; policy accept; }`
			`add rule ip6 filter6 INPUT iifname lo counter accept`
			`add rule ip6 filter6 INPUT iifname tun* counter accept`
			`add rule ip6 filter6 INPUT ct state related,established counter accept`
			`add rule ip6 filter6 INPUT icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect, parameter-problem, router-renumbering} accept`
updated nftables state 2023-03-10 00:08:11 +01:00			`{%- for network in net.ip_networks %}`
			`{%- if ':' in network %}`
			`add rule ip6 filter6 INPUT ip6 saddr {{ network }} ct state established,new counter accept`
			`{%- endif %}`
updated nftables state 2022-01-06 23:18:36 +01:00			`{%- endfor %}`
updated nftables state 2023-03-10 00:08:11 +01:00			`{%- for port in net.public_ports %}`
			`add rule ip6 filter6 INPUT {{ port.split('/')[0] }} dport {{ port.split('/')[1] }} ct state established,new counter accept`
updated nftables state 2022-01-06 23:18:36 +01:00			`{%- endfor %}`
updated nftables state 2023-01-05 00:13:40 +01:00			`{%- if nftables.log %}`
			`add rule ip6 filter6 INPUT counter log`
			`{%- endif %}`
updated nftables state 2023-12-18 19:31:16 +01:00			`#add rule ip6 filter6 INPUT counter log reject`
updated nftables state 2022-04-03 23:02:32 +02:00
updated nftables state 2022-01-06 23:18:36 +01:00			`## Endline is mandatory`