paulbsd/paulbsd-salt
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

updated nftables state

Browse Source
This commit is contained in:
Paul 2023-12-18 19:31:16 +01:00
parent 805f350a5c
commit 957716d945
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
states/nftables/templates/rules.nft.j2
View File

@ -13,6 +13,7 @@ add rule ip filter INPUT iifname lo counter accept
add rule ip filter INPUT iifname tun* counter accept add rule ip filter INPUT iifname tun* counter accept
add rule ip filter INPUT iifname br* counter accept add rule ip filter INPUT iifname br* counter accept
add rule ip filter INPUT iifname veth* counter accept add rule ip filter INPUT iifname veth* counter accept
add rule ip filter INPUT iifname lxc* counter accept
add rule ip filter INPUT ct state related,established counter accept add rule ip filter INPUT ct state related,established counter accept
add rule ip filter INPUT ip protocol icmp counter accept add rule ip filter INPUT ip protocol icmp counter accept
{%- for network in net.ip_networks+net.optional_ip_networks %} {%- for network in net.ip_networks+net.optional_ip_networks %}
@ -26,6 +27,7 @@ add rule ip filter INPUT {{ port.split('/')[0] }} dport {{ port.split('/')[1] }}
{%- if nftables.log %} {%- if nftables.log %}
add rule ip filter INPUT counter log add rule ip filter INPUT counter log
{%- endif %} {%- endif %}
#add rule ip filter INPUT counter log reject
## IPv4 NAT ## IPv4 NAT
@ -46,7 +48,8 @@ add rule ip nat POSTROUTING oifname != "docker0" ip saddr 172.17.0.0/24 counter
add rule ip nat PREROUTING fib daddr type local counter jump DOCKER add rule ip nat PREROUTING fib daddr type local counter jump DOCKER
add rule ip nat OUTPUT ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER add rule ip nat OUTPUT ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER
add rule ip nat POSTROUTING iifname br-* counter masquerade add rule ip nat POSTROUTING iifname br-* counter masquerade
add rule ip nat POSTROUTING iifname veth-* counter masquerade add rule ip nat POSTROUTING iifname veth* counter masquerade
add rule ip nat POSTROUTING iifname lxc* counter masquerade
add rule ip nat DOCKER iifname "docker0" counter return add rule ip nat DOCKER iifname "docker0" counter return
@ -70,5 +73,6 @@ add rule ip6 filter6 INPUT {{ port.split('/')[0] }} dport {{ port.split('/')[1]
{%- if nftables.log %} {%- if nftables.log %}
add rule ip6 filter6 INPUT counter log add rule ip6 filter6 INPUT counter log
{%- endif %} {%- endif %}
#add rule ip6 filter6 INPUT counter log reject
## Endline is mandatory ## Endline is mandatory