updated nftables state

This commit is contained in:
Paul 2023-03-10 00:08:11 +01:00
parent d9ddc5dd11
commit a8ef3a46cb


@ -13,11 +13,13 @@ add rule ip filter INPUT iifname lo counter accept
add rule ip filter INPUT iifname tun* counter accept add rule ip filter INPUT iifname tun* counter accept
add rule ip filter INPUT ct state related,established counter accept add rule ip filter INPUT ct state related,established counter accept
add rule ip filter INPUT ip protocol icmp counter accept add rule ip filter INPUT ip protocol icmp counter accept
{%- for key, value in net.ipv4_networks.items() %} {%- for network in net.ip_networks %}
add rule ip filter INPUT ip saddr {{ value.ip }}/{{ value.mask }} ct state established,new counter accept {%- if '.' in network %}
add rule ip filter INPUT ip saddr {{ network }} ct state established,new counter accept
{%- endif %}
{%- endfor %} {%- endfor %}
{%- for key, value in net.public_ports.items() %} {%- for port in net.public_ports %}
add rule ip filter INPUT {{ value.proto }} dport {{ value.port }} ct state established,new counter accept add rule ip filter INPUT {{ port.split('/')[0] }} dport {{ port.split('/')[1] }} ct state established,new counter accept
{%- endfor %} {%- endfor %}
{%- if nftables.log %} {%- if nftables.log %}
add rule ip filter INPUT counter log add rule ip filter INPUT counter log
@ -33,8 +35,8 @@ add chain ip nat POSTROUTING { type nat hook postrouting priority srcnat; policy
add chain ip nat DOCKER add chain ip nat DOCKER
### Main NAT rules ### Main NAT rules
{%- for key, value in net.nats.items() %} {%- for network in net.nats %}
add rule ip nat POSTROUTING ip saddr {{ value.ip }}/{{ value.mask }} counter masquerade add rule ip nat POSTROUTING ip saddr {{ network }} counter masquerade
{%- endfor %} {%- endfor %}
### Docker related rules ### Docker related rules
@ -55,11 +57,13 @@ add rule ip6 filter6 INPUT iifname lo counter accept
add rule ip6 filter6 INPUT iifname tun* counter accept add rule ip6 filter6 INPUT iifname tun* counter accept
add rule ip6 filter6 INPUT ct state related,established counter accept add rule ip6 filter6 INPUT ct state related,established counter accept
add rule ip6 filter6 INPUT icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect, parameter-problem, router-renumbering} accept add rule ip6 filter6 INPUT icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect, parameter-problem, router-renumbering} accept
{%- for key, value in net.ipv6_networks.items() %} {%- for network in net.ip_networks %}
add rule ip6 filter6 INPUT ip6 saddr {{ value.ip }}/{{ value.mask }} ct state established,new counter accept {%- if ':' in network %}
add rule ip6 filter6 INPUT ip6 saddr {{ network }} ct state established,new counter accept
{%- endif %}
{%- endfor %} {%- endfor %}
{%- for key, value in net.public_ports.items() %} {%- for port in net.public_ports %}
add rule ip6 filter6 INPUT {{ value.proto }} dport {{ value.port }} ct state established,new counter accept add rule ip6 filter6 INPUT {{ port.split('/')[0] }} dport {{ port.split('/')[1] }} ct state established,new counter accept
{%- endfor %} {%- endfor %}
{%- if nftables.log %} {%- if nftables.log %}
add rule ip6 filter6 INPUT counter log add rule ip6 filter6 INPUT counter log
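Review bot: The address-family tests introduced in the first and third hunks, `{%- if '.' in network %}` for the ip table and `{%- if ':' in network %}` for the ip6 table, are not mutually exclusive, so an entry that contains both characters (an IPv4-mapped IPv6 prefix such as `::ffff:192.0.2.0/120`, constructed example) is rendered into both tables and the resulting `ip saddr` line would make `nft -f` reject the whole ruleset rather than just that rule. Tightening the IPv4 branch to `{%- if '.' in network and ':' not in network %}` keeps every entry in exactly one family. The `port.split('/')[0]`/`[1]` expressions on the public_ports lines have the same failure shape: an entry without a `/` renders as `dport ` with an empty value (or raises, depending on how the engine treats undefined values), again failing the load of the entire file, so validating `net.public_ports` entries where they are defined, or guarding the rule with `{%- if '/' in port %}`, keeps one malformed entry from taking the whole policy down with it. The enclosing template continues outside these hunks.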