blob: 0cc44d9db025e16e51ffb2837a72b0271bf88caf (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
ct state invalid drop comment "drop invalid packets"
ct state established,related accept comment "accept related connections"
iif lo accept
iif != lo ip daddr 127.0.0.1/8 drop
iif != lo ip6 daddr ::1/128 drop
ip protocol icmp accept
ip6 nexthdr ipv6-icmp accept
udp dport domain ip saddr 172.16.0.0/12 accept
tcp dport ssh accept
tcp dport 3000 ip saddr 127.0.0.1/8 accept
tcp dport 8000 ip saddr 127.0.0.1/8 accept
tcp dport 8080 ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
tcp dport http-alt ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
}
chain forward {
type filter hook forward priority 0; policy drop;
ct state established,related accept
}
chain output {
type filter hook output priority 0; policy drop;
ct state established,related accept
icmp type echo-request accept
icmp type echo-reply accept
ip daddr 127.0.0.0/8 accept
ip6 daddr ::1 accept
udp dport domain accept
tcp dport 853 accept comment "DNS over TLS"
udp dport 853 accept comment "DNS over TLS"
tcp dport http accept
tcp dport https accept
udp dport https accept
tcp dport ssh accept
tcp dport bootps accept
udp dport bootps accept
tcp dport ntp accept
udp dport ntp accept
tcp dport nntps accept
udp dport nntps accept
tcp dport rsync accept
udp dport rsync accept
tcp dport 8000 accept
tcp dport http-alt accept
tcp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
udp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
tcp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS"
udp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS"
}
}
|