#!/usr/sbin/nft -f
# {{ ansible_managed }}
flush ruleset
#table ip nat {
#
# chain prerouting {
# type nat hook prerouting priority -100
# policy accept
# }
#
# chain postrouting {
# type nat hook postrouting priority 100
# policy accept
#
# #{% for endpoint in wireguard_endpoints %}
# #oifname "{{ endpoint.name }}" masquerade
# #{% endfor %}
# }
#
#}
table inet filter {
set blacklist_v4 {
type ipv4_addr
}
set blacklist_v6 {
type ipv6_addr
}
chain blacklist {
ip saddr @blacklist_v4 drop
ip6 saddr @blacklist_v6 drop
}
chain conntrack {
ct state invalid drop
ct state related, established accept
}
chain input {
type filter hook input priority 0
policy drop
iif lo accept
jump blacklist
jump conntrack
# TODO: ansible + separate nftables module
# NOTE: this is an inet table, so "ip protocol icmp" below matches IPv4 ICMP only; ICMPv6
# (neighbour discovery, path-MTU) is not matched and falls through to the drop policy —
# consider also accepting "meta l4proto ipv6-icmp" if IPv6 is in use on this host.
ip protocol icmp accept
{% for rule in nftables_basic_input_rules %}
{{ rule.proto }} \
{% if "saddr" in rule %} saddr {{ rule.saddr }} \ {% endif %}
{% if "sport" in rule %} sport {{ rule.sport }} \ {% endif %}
{% if "daddr" in rule %} daddr {{ rule.daddr }} \ {% endif %}
{% if "dport" in rule %} dport {{ rule.dport }} \ {% endif %}
{{ rule.verdict }}
{% endfor %}
}
chain forward {
type filter hook forward priority 0
policy drop
iif lo accept
jump blacklist
jump conntrack
{% for endpoint in wireguard_endpoints %}
iifname "{{ endpoint.name }}" accept
{% endfor %}
}
chain output {
type filter hook output priority 0
policy accept
}
}