1 files changed, 70 insertions, 0 deletions

diff --git a/systems/axo/nftables-rules.nft b/systems/axo/nftables-rules.nft
new file mode 100644
index 00000000..b5e20c26
--- /dev/null
+++ b/systems/axo/nftables-rules.nft
@@ -0,0 +1,70 @@
+table inet filter {
+    chain input {
+        type filter hook input priority 0; policy drop;
+        ct state invalid drop comment "drop invalid packets"
+        ct state established,related accept comment "accept related connections"
+        iif lo accept
+        iif != lo ip daddr 127.0.0.1/8 drop
+        iif != lo ip6 daddr ::1/128 drop
+        ip protocol icmp accept
+        ip6 nexthdr ipv6-icmp accept
+        udp dport domain ip saddr 172.16.0.0/12 accept
+        tcp dport 3000 ip saddr 127.0.0.1/8 accept
+        tcp dport 8000 ip saddr 127.0.0.1/8 accept
+        tcp dport 8080 ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+        tcp dport 1714-1764 ip saddr 10.0.0.0/8 accept comment "KDEConnect"
+        udp dport 1714-1764 ip saddr 10.0.0.0/8 accept comment "KDEConnect"
+        tcp dport http-alt ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+    }
+
+    chain forward {
+        type filter hook forward priority 0; policy drop;
+        ct state established,related accept
+    }
+
+    chain output {
+        type filter hook output priority 0; policy drop;
+        ct state established,related accept
+        icmp type echo-request accept
+        icmp type echo-reply accept
+        ip daddr 127.0.0.0/8 accept
+        ip6 daddr ::1 accept
+        udp dport domain accept
+        tcp dport 853 accept comment "DNS over TLS"
+        udp dport 853 accept comment "DNS over TLS"
+        tcp dport http accept
+        tcp dport https accept
+        udp dport https accept
+        tcp dport ssh accept
+        tcp dport bootps accept
+        udp dport bootps accept
+        tcp dport ntp accept
+        udp dport ntp accept
+        tcp dport nntps accept
+        udp dport nntps accept
+        tcp dport submission accept
+        tcp dport imaps accept
+        tcp dport 2222 accept
+        tcp dport hkp accept
+        udp dport hkp accept
+        tcp dport 9100 accept
+        tcp dport git accept
+        udp dport git accept
+        tcp dport rsync accept
+        udp dport rsync accept
+        tcp dport 8000 accept
+        tcp dport http-alt accept
+        udp dport openvpn accept
+        tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+        tcp dport 5222 accept comment "XMPP"
+        tcp dport 6697 accept comment "IRC"
+        tcp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
+        udp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
+        tcp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS"
+        udp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS"
+        udp dport 19302-19309 accept comment "Google Meet Ports"
+        tcp dport 1714-1764 accept comment "KDEConnect"
+        udp dport 1714-1764 accept comment "KDEConnect"
+        udp dport 51820 accept comment "WireGuard"
+    }
+}