cellinfo
/
ansible.nftables
4
0
Fork 0
Code Issues Pull Requests Releases Activity

Block all input packets destinate to blackhole set by default.

This commit is contained in:
Jeremy Gardais 2017-08-08 14:37:54 +02:00
parent 043bc55dcb
commit 84fd89f6e6
2 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@ -69,6 +69,8 @@ nft_input_default_rules:
- type filter hook input priority 0; policy drop; - type filter hook input priority 0; policy drop;
005 global: 005 global:
- jump global - jump global
010 drop unwanted:
- ip daddr @blackhole counter drop
nft_input_group_rules: {} nft_input_group_rules: {}
nft_input_host_rules: {} nft_input_host_rules: {}
@ -130,6 +132,7 @@ table inet firewall {
chain input { chain input {
type filter hook input priority 0; policy drop; type filter hook input priority 0; policy drop;
jump global jump global
ip daddr @blackhole counter packets 3 bytes 204 drop
} }
chain output { chain output {

2
defaults/main.yml
View File

@ -27,6 +27,8 @@ nft_input_default_rules:
- type filter hook input priority 0; policy drop; - type filter hook input priority 0; policy drop;
005 global: 005 global:
- jump global - jump global
010 drop unwanted:
- ip daddr @blackhole counter drop
nft_input_group_rules: {} nft_input_group_rules: {}
nft_input_host_rules: {} nft_input_host_rules: {}