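# Host firewall for "koi": default-deny on input, forward and output, with an
# explicit allowlist per chain.  Family `inet` means every rule applies to both
# IPv4 and IPv6 unless it names one of them.
#
# Changes versus the previous revision (all security- or correctness-driven):
#   * output now accepts ICMPv6.  NDP and MLD are untracked by conntrack, so the
#     established,related rule never let them out: the host could receive a
#     neighbour solicitation but not answer it, leaving IPv6 dead off-host.
#   * ICMPv6 is matched with `meta l4proto` instead of `ip6 nexthdr`, which only
#     looks at the fixed header and misses ICMPv6 behind an extension header
#     (MLD reports carry a Hop-by-Hop header, for example).
#   * input ICMPv4 is limited to the types a host needs; the blanket accept also
#     admitted redirects, timestamp and address-mask requests.
#   * 127.0.0.0/8 source matches are gone: loopback is accepted wholesale by
#     `iif lo accept`, so those entries could only ever match a spoofed source
#     on a real interface (reachable when net.ipv4.conf.*.route_localnet=1).
#     That also makes the loopback-only tcp/3000 and tcp/8000 rules redundant.
#   * duplicate rule removed: `http-alt` is tcp/8080, already accepted.
#   * egress entries for protocols that do not exist on that transport
#     (tcp bootps, tcp ntp, udp nntps, udp hkp, udp git, udp rsync) are gone;
#     they only widened the ports available to an outbound C2 channel.
#   * tcp/53 egress added: resolvers must fall back to TCP on truncated replies.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback is trusted wholesale; everything below is for real interfaces.
        iif lo accept comment "loopback"

        # Anti-spoofing: loopback addresses must never appear on a non-loopback
        # interface, as destination or as source.  Placed before the conntrack
        # accept so a spoofed packet cannot ride an existing flow.
        iif != lo ip daddr 127.0.0.0/8 drop comment "spoofed loopback dst"
        iif != lo ip saddr 127.0.0.0/8 drop comment "spoofed loopback src"
        iif != lo ip6 daddr ::1 drop comment "spoofed loopback dst"
        iif != lo ip6 saddr ::1 drop comment "spoofed loopback src"

        ct state invalid drop comment "drop invalid packets"
        ct state established,related accept comment "accept related connections"

        # ICMPv4: echo plus the error types needed for PMTU and traceroute.
        # Errors tied to a tracked flow are already accepted as `related`.
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept comment "ICMPv4"
        # ICMPv6 is load-bearing (NDP, MLD, PMTU); do not narrow it without
        # listing every ND/MLD type.  `meta l4proto` matches the transport
        # header even when extension headers precede it.
        meta l4proto ipv6-icmp accept comment "ICMPv6"

        # Services, restricted to private ranges.  Loopback peers never reach
        # these rules; they are accepted by `iif lo accept` above.
        # NOTE(review): only udp/53 is accepted here.  A resolver that returns
        # truncated answers also needs tcp/53 - confirm what listens on 53.
        udp dport domain ip saddr 172.16.0.0/12 accept comment "DNS"
        tcp dport ssh ip saddr 10.0.0.0/8 accept comment "SSH"
        tcp dport http-alt ip saddr 10.0.0.0/8 accept comment "tcp/8080"
        tcp dport 1714-1764 ip saddr 10.0.0.0/8 accept comment "KDEConnect"
        udp dport 1714-1764 ip saddr 10.0.0.0/8 accept comment "KDEConnect"
        # tcp/3000 and tcp/8000 are loopback-only and therefore already
        # covered by `iif lo accept`; no rule is needed for them.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # This host does not route.  Nothing is accepted as `new` here, so the
        # established,related rule can only match flows opened by another
        # table (a container runtime, for instance); kept for that case.
        ct state invalid drop comment "drop invalid packets"
        ct state established,related accept
    }

    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept

        # Locally delivered traffic - 127.0.0.0/8, ::1 and this host's own
        # interface addresses - always leaves via lo.  Mirrors the input chain.
        oif lo accept comment "loopback"

        icmp type { echo-request, echo-reply } accept comment "ICMPv4 echo"
        # Required for IPv6 to work at all: neighbour/router solicitation and
        # advertisement and MLD are untracked by conntrack, so they are not
        # covered by the established,related accept above.
        meta l4proto ipv6-icmp accept comment "ICMPv6 (NDP, MLD, PMTU, echo)"

        # Name resolution: plain DNS (UDP with TCP fallback), DoT and DoQ.
        udp dport domain accept comment "DNS"
        tcp dport domain accept comment "DNS (TCP fallback for truncated replies)"
        tcp dport 853 accept comment "DNS over TLS"
        udp dport 853 accept comment "DNS over QUIC"

        # Web, including QUIC.
        tcp dport http accept
        tcp dport https accept
        udp dport https accept comment "HTTP/3 (QUIC)"

        # Remote access and infrastructure.  DHCP and NTP are UDP-only
        # protocols; the former tcp entries for them were inert.
        tcp dport ssh accept
        tcp dport 2222 accept comment "SSH on alternate port"
        udp dport bootps accept comment "DHCP client"
        udp dport ntp accept comment "NTP"

        # Mail, news, chat.
        tcp dport submission accept
        tcp dport imaps accept
        tcp dport nntps accept
        tcp dport 5222 accept comment "XMPP"
        tcp dport 6697 accept comment "IRC over TLS"

        # Developer and sync services (all TCP-only protocols).
        tcp dport hkp accept comment "OpenPGP keyserver"
        tcp dport git accept
        tcp dport rsync accept
        tcp dport 8000 accept
        tcp dport http-alt accept comment "tcp/8080"
        tcp dport 9100 accept
        tcp dport postgresql ip daddr { 127.0.0.0/8, 10.0.0.0/8 } accept comment "PostgreSQL, private only"

        # LAN-only file sharing (NFS and mountd).
        # NOTE(review): NFSv3 additionally needs portmapper (111) - verify the
        # NFS version in use if mounts fail.
        tcp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
        udp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
        tcp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS mountd"
        udp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS mountd"

        # VPN / overlay and desktop integrations.
        udp dport openvpn accept comment "OpenVPN"
        udp dport 51820 accept comment "WireGuard"
        tcp dport 9876 accept comment "yggdrasil"
        udp dport 19302-19309 accept comment "Google Meet (STUN/TURN)"
        tcp dport 1714-1764 accept comment "KDEConnect"
        udp dport 1714-1764 accept comment "KDEConnect"
    }
}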