paulbsd-salt/states/nftables/templates/rules.nft.j2
Paul Lecuq 607895f35e * Fixes on states
- disabled iptables handling by docker
- updated firewall rules template
- added dependency package for ipbl
2022-03-12 00:00:02 +01:00

57 lines
3.0 KiB
Django/Jinja

## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{%- from "nftables/map.jinja" import nftables with context %}
{%- from "nftables/map.jinja" import net with context %}
## IPv4 filtering
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
add chain ip filter DOCKER
add rule ip filter INPUT iifname lo counter accept
add rule ip filter INPUT iifname tun* counter accept
add rule ip filter INPUT ct state related,established counter accept
add rule ip filter INPUT ip protocol icmp counter accept
add rule ip filter INPUT log ip saddr $blacklist drop
{%- for key, value in net.ipv4_networks.items() %}
add rule ip filter INPUT ip saddr {{ value.ip }}/{{ value.mask }} ct state established,new counter accept
{%- endfor %}
{%- for key, value in net.public_ports.items() %}
add rule ip filter INPUT {{ value.proto }} dport {{ value.port }} ct state established,new counter accept
{%- endfor %}
#add rule ip filter INPUT counter log
## IPv4 NAT
add table ip nat
add chain ip nat PREROUTING { type nat hook prerouting priority -100; policy accept; }
add chain ip nat INPUT { type nat hook input priority 100; policy accept; }
add chain ip nat OUTPUT { type nat hook output priority -100; policy accept; }
add chain ip nat POSTROUTING { type nat hook postrouting priority 100; policy accept; }
add chain ip nat DOCKER
{%- for key, value in net.nats.items() %}
add rule ip nat POSTROUTING ip saddr {{ value.ip }}/{{ value.mask }} counter masquerade
{%- endfor %}
add rule ip nat OUTPUT ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER
add rule ip nat DOCKER iifname "docker0" counter return
## IPv6 filtering
add table ip6 filter6
add chain ip6 filter6 INPUT { type filter hook input priority 0; policy drop; }
add chain ip6 filter6 FORWARD { type filter hook forward priority 0; policy accept; }
add chain ip6 filter6 OUTPUT { type filter hook output priority 0; policy accept; }
add rule ip6 filter6 INPUT iifname lo counter accept
add rule ip6 filter6 INPUT iifname tun* counter accept
add rule ip6 filter6 INPUT ct state related,established counter accept
add rule ip6 filter6 INPUT icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect, parameter-problem, router-renumbering} accept
{%- for key, value in net.ipv6_networks.items() %}
add rule ip6 filter6 INPUT ip6 saddr {{ value.ip }}/{{ value.mask }} ct state established,new counter accept
{%- endfor %}
{%- for key, value in net.public_ports.items() %}
add rule ip6 filter6 INPUT {{ value.proto }} dport {{ value.port }} ct state established,new counter accept
{%- endfor %}
#add rule ip6 filter6 INPUT counter log
## Endline is mandatory