updated nftables state

This commit is contained in:
Paul 2023-03-10 00:08:11 +01:00
parent d9ddc5dd11
commit a8ef3a46cb


@ -13,11 +13,13 @@ add rule ip filter INPUT iifname lo counter accept
add rule ip filter INPUT iifname tun* counter accept
add rule ip filter INPUT ct state related,established counter accept
add rule ip filter INPUT ip protocol icmp counter accept
{%- for key, value in net.ipv4_networks.items() %}
add rule ip filter INPUT ip saddr {{ value.ip }}/{{ value.mask }} ct state established,new counter accept
{%- for network in net.ip_networks %}
{%- if '.' in network %}
add rule ip filter INPUT ip saddr {{ network }} ct state established,new counter accept
{%- endif %}
{%- endfor %}
{%- for key, value in net.public_ports.items() %}
add rule ip filter INPUT {{ value.proto }} dport {{ value.port }} ct state established,new counter accept
{%- for port in net.public_ports %}
add rule ip filter INPUT {{ port.split('/')[0] }} dport {{ port.split('/')[1] }} ct state established,new counter accept
{%- endfor %}
{%- if nftables.log %}
add rule ip filter INPUT counter log
@ -33,8 +35,8 @@ add chain ip nat POSTROUTING { type nat hook postrouting priority srcnat; policy
add chain ip nat DOCKER
### Main NAT rules
{%- for key, value in net.nats.items() %}
add rule ip nat POSTROUTING ip saddr {{ value.ip }}/{{ value.mask }} counter masquerade
{%- for network in net.nats %}
add rule ip nat POSTROUTING ip saddr {{ network }} counter masquerade
{%- endfor %}
### Docker related rules
@ -55,11 +57,13 @@ add rule ip6 filter6 INPUT iifname lo counter accept
add rule ip6 filter6 INPUT iifname tun* counter accept
add rule ip6 filter6 INPUT ct state related,established counter accept
add rule ip6 filter6 INPUT icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect, parameter-problem, router-renumbering} accept
{%- for key, value in net.ipv6_networks.items() %}
add rule ip6 filter6 INPUT ip6 saddr {{ value.ip }}/{{ value.mask }} ct state established,new counter accept
{%- for network in net.ip_networks %}
{%- if ':' in network %}
add rule ip6 filter6 INPUT ip6 saddr {{ network }} ct state established,new counter accept
{%- endif %}
{%- endfor %}
{%- for key, value in net.public_ports.items() %}
add rule ip6 filter6 INPUT {{ value.proto }} dport {{ value.port }} ct state established,new counter accept
{%- for port in net.public_ports %}
add rule ip6 filter6 INPUT {{ port.split('/')[0] }} dport {{ port.split('/')[1] }} ct state established,new counter accept
{%- endfor %}
{%- if nftables.log %}
add rule ip6 filter6 INPUT counter log
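Review bot: The new `{{ port.split('/')[0] }} dport {{ port.split('/')[1] }}` rule in the first hunk (and its `ip6 filter6` twin in the third) assumes every `net.public_ports` entry is a `proto/port` string; an entry with no `/` yields an Undefined second element, which Jinja renders as an empty string unless StrictUndefined is configured, so the output is a rule with a bare `dport` that fails when the ruleset is loaded. Splitting once into named variables states the expected format and should make the render itself fail on a malformed entry instead: `{%- set proto, dport = port.split('/', 1) %}` followed by `add rule ip filter INPUT {{ proto }} dport {{ dport }} ct state established,new counter accept`, with the same change for the `ip6 filter6` rule. The address-family test by `'.' in network` / `':' in network` in the same two hunks is also fragile: a value containing both characters (for example an IPv4-mapped IPv6 address) is emitted into both the `ip` and the `ip6` chain and neither rule parses. Whether a failed load leaves the host with the previous ruleset or with none depends on how this file is applied, which is outside these hunks.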