This is a fully static version of the config, and it is meant to be temporary (until I figure out a way to properly configure nftables using ansible…).
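{{ ansible_managed | comment }}

# Host input firewall. One inet-family table covers IPv4 and IPv6.
# The input hook defaults to drop; whatever is not explicitly accepted
# below is answered with an admin-prohibited reject at the end of the
# input chain.
#
# Trust is keyed on source address. $backbone_ipv4/$backbone_ipv6 and
# $router_ipv4/$router_ipv6 are not defined in this file and must be
# provided as nft defines elsewhere (not visible here). Every other
# source is untrusted and may only reach ICMP (and, temporarily, ssh).
table inet input {
    # Stateful pre-filter shared by the per-source chains: established
    # and related flows are accepted, packets conntrack cannot classify
    # are dropped. New flows have no vmap entry and fall through to the
    # chain that jumped here.
    chain conntrack {
        ct state vmap {
            established: counter accept,
            related: counter accept,
            invalid: counter drop,
        }
    }

    # Traffic from backbone sources: routing protocols first.
    # "meta l4proto" resolves the transport protocol after walking IPv6
    # extension headers, whereas "ip6 nexthdr" only reads the next-header
    # field of the fixed IPv6 header, so e.g. a fragmented OSPFv3 packet
    # would not match it. For IPv4 the two forms are equivalent, so one
    # rule covers both families here.
    chain input_from_backbone {
        meta l4proto { ospf, vrrp } accept
        # Until this is narrowed down, everything from a backbone source
        # is accepted. Note this trusts any packet that merely carries a
        # backbone source address, so it should stay short-lived.
        counter accept # FIXME: temporary
    }

    # Traffic from router sources: only ssh on top of established state.
    chain input_from_router {
        jump conntrack

        tcp dport ssh counter accept
    }

    # Applies to every source, before the per-source dispatch.
    chain input_from_anywhere {
        jump conntrack

        # ICMPv6 is needed for IPv6 to work at all (neighbour discovery,
        # PMTU); ICMP carries PMTU feedback for IPv4. Both are accepted
        # without a rate limit for now. meta l4proto is used for the
        # IPv6 side so ICMPv6 behind an extension header is still matched.
        # FIXME: limit
        meta l4proto icmpv6 counter accept
        ip protocol icmp counter accept
    }

    chain input {
        type filter hook input priority filter
        policy drop

        iif lo accept

        jump input_from_anywhere

        # Stopgap (see FIXME): ssh is reachable from any source, not only
        # the $router_* addresses handled in input_from_router.
        # FIXME: temporary
        tcp dport ssh accept

        # Per-source dispatch. A source that matches neither vmap falls
        # through to the final reject.
        ip6 saddr vmap {
            $backbone_ipv6: jump input_from_backbone,
            $router_ipv6: jump input_from_router,
        }

        ip saddr vmap {
            $backbone_ipv4: jump input_from_backbone,
            $router_ipv4: jump input_from_router,
        }

        # Explicit reject rather than relying on the silent drop policy,
        # so legitimate clients get an immediate error; icmpx selects the
        # ICMP or ICMPv6 flavour matching the packet's family.
        reject with icmpx type admin-prohibited
    }
}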