Diffstat (limited to 'systems/axo/nftables-rules.nft')
-rw-r--r-- | systems/axo/nftables-rules.nft | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/systems/axo/nftables-rules.nft b/systems/axo/nftables-rules.nft
new file mode 100644
index 00000000..b5e20c26
--- /dev/null
+++ b/systems/axo/nftables-rules.nft
@@ -0,0 +1,70 @@
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ ct state invalid drop comment "drop invalid packets"
+ ct state established,related accept comment "accept related connections"
+ iif lo accept
+ iif != lo ip daddr 127.0.0.1/8 drop
+ iif != lo ip6 daddr ::1/128 drop
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ udp dport domain ip saddr 172.16.0.0/12 accept
+ tcp dport 3000 ip saddr 127.0.0.1/8 accept
+ tcp dport 8000 ip saddr 127.0.0.1/8 accept
+ tcp dport 8080 ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+ tcp dport 1714-1764 ip saddr 10.0.0.0/8 accept comment "KDEConnect"
+ udp dport 1714-1764 ip saddr 10.0.0.0/8 accept comment "KDEConnect"
+ tcp dport http-alt ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ ct state established,related accept
+ }
+
+ chain output {
+ type filter hook output priority 0; policy drop;
+ ct state established,related accept
+ icmp type echo-request accept
+ icmp type echo-reply accept
+ ip daddr 127.0.0.0/8 accept
+ ip6 daddr ::1 accept
+ udp dport domain accept
+ tcp dport 853 accept comment "DNS over TLS"
+ udp dport 853 accept comment "DNS over TLS"
+ tcp dport http accept
+ tcp dport https accept
+ udp dport https accept
+ tcp dport ssh accept
+ tcp dport bootps accept
+ udp dport bootps accept
+ tcp dport ntp accept
+ udp dport ntp accept
+ tcp dport nntps accept
+ udp dport nntps accept
+ tcp dport submission accept
+ tcp dport imaps accept
+ tcp dport 2222 accept
+ tcp dport hkp accept
+ udp dport hkp accept
+ tcp dport 9100 accept
+ tcp dport git accept
+ udp dport git accept
+ tcp dport rsync accept
+ udp dport rsync accept
+ tcp dport 8000 accept
+ tcp dport http-alt accept
+ udp dport openvpn accept
+ tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+ tcp dport 5222 accept comment "XMPP"
+ tcp dport 6697 accept comment "IRC"
+ tcp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
+ tcp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 19302-19309 accept comment "Google Meet Ports"
+ tcp dport 1714-1764 accept comment "KDEConnect"
+ udp dport 1714-1764 accept comment "KDEConnect"
+ udp dport 51820 accept comment "WireGuard"
+ }
+} |
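Review bot: The `chain output` (policy drop) has no ICMPv6 rule at all — only the IPv4 `icmp type echo-request`/`echo-reply` lines and `ip6 daddr ::1` — so outbound Neighbor Discovery and router solicitation, which as far as I recall conntrack leaves untracked rather than established/related, will likely be dropped and IPv6 on this host will not come up; the input chain already accepts it via `ip6 nexthdr ipv6-icmp accept`, so the output chain needs a counterpart such as `meta l4proto ipv6-icmp accept`, or a narrower `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept`. Separately, `ip6 nexthdr ipv6-icmp` in the input chain only matches when ICMPv6 immediately follows the IPv6 header, so a packet carrying extension headers is not covered; `meta l4proto ipv6-icmp accept` walks the header chain and is the safer match. The input chain's `ip saddr 127.0.0.1/8` accepts for 3000, 8000, 8080 and http-alt are redundant for genuine loopback traffic (already taken by `iif lo accept`) and otherwise match a spoofed 127/8 source arriving on a physical interface, since the existing martian rule only checks `ip daddr`; either drop the 127/8 entries from those sets or add `iif != lo ip saddr 127.0.0.0/8 drop` next to `iif != lo ip daddr 127.0.0.1/8 drop`. Finally, `ip protocol icmp accept` admits every ICMPv4 type including redirects; restricting it to the echo, unreachable, time-exceeded and parameter-problem types would match the intent of the rest of the policy.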