Define new sets and vars for input connections.
parent
4beb9019de
commit
b831267b8e
|
@ -4,9 +4,10 @@
|
||||||
### Features
|
### Features
|
||||||
* Manage nftables service at startup.
|
* Manage nftables service at startup.
|
||||||
* Rollback to inet family to manage both ipv4 and ipv6.
|
* Rollback to inet family to manage both ipv4 and ipv6.
|
||||||
|
* To allow multiple ports/range ports, it's possible to redifine vars or add a rule in a dict.
|
||||||
|
|
||||||
### Default Rules
|
### Default Rules
|
||||||
* Use more sets and vars definitions to avoid multiple rules.
|
* Use more sets and vars definitions for input/output to avoid multiple rules.
|
||||||
* Allow outgoing icmp.
|
* Allow outgoing icmp.
|
||||||
* Remove DHCP incoming packets. The connection is started by the host, don't need incoming rule.
|
* Remove DHCP incoming packets. The connection is started by the host, don't need incoming rule.
|
||||||
|
|
||||||
|
|
30
README.md
30
README.md
|
@ -79,8 +79,10 @@ nft_input_default_rules:
|
||||||
- ip daddr @blackhole counter drop
|
- ip daddr @blackhole counter drop
|
||||||
015 localhost:
|
015 localhost:
|
||||||
- iif lo accept
|
- iif lo accept
|
||||||
220 ssh:
|
200 input udp accepted:
|
||||||
- tcp dport ssh ct state new counter accept
|
- udp dport @input_udp_accept ct state new accept
|
||||||
|
210 input tcp accepted:
|
||||||
|
- tcp dport @input_tcp_accept ct state new accept
|
||||||
nft_input_group_rules: {}
|
nft_input_group_rules: {}
|
||||||
nft_input_host_rules: {}
|
nft_input_host_rules: {}
|
||||||
|
|
||||||
|
@ -106,12 +108,18 @@ nft_define_default:
|
||||||
desc: 'broadcast and multicast'
|
desc: 'broadcast and multicast'
|
||||||
name: badcast_addr
|
name: badcast_addr
|
||||||
value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
|
value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
|
||||||
output udp accepted:
|
input tcp accepted:
|
||||||
name: output_udp_accept
|
name: input_tcp_accept
|
||||||
value: '{ domain, bootps, ntp }'
|
value: '{ ssh }'
|
||||||
|
input udp accepted:
|
||||||
|
name: input_udp_accept
|
||||||
|
value: 'none'
|
||||||
output tcp accepted:
|
output tcp accepted:
|
||||||
name: output_tcp_accept
|
name: output_tcp_accept
|
||||||
value: '{ http, https }'
|
value: '{ http, https }'
|
||||||
|
output udp accepted:
|
||||||
|
name: output_udp_accept
|
||||||
|
value: '{ bootps, domain, ntp }'
|
||||||
nft_define_group: {}
|
nft_define_group: {}
|
||||||
nft_define_host: {}
|
nft_define_host: {}
|
||||||
|
|
||||||
|
@ -120,12 +128,17 @@ nft_set_default:
|
||||||
blackhole:
|
blackhole:
|
||||||
- type ipv4_addr;
|
- type ipv4_addr;
|
||||||
- elements = $badcast_addr
|
- elements = $badcast_addr
|
||||||
output_udp_accept:
|
input_tcp_accept:
|
||||||
|
- type inet_service; flags interval;
|
||||||
|
- elements = $input_tcp_accept
|
||||||
|
input_udp_accept:
|
||||||
- type inet_service; flags interval;
|
- type inet_service; flags interval;
|
||||||
- elements = $output_udp_accept
|
|
||||||
output_tcp_accept:
|
output_tcp_accept:
|
||||||
- type inet_service; flags interval;
|
- type inet_service; flags interval;
|
||||||
- elements = $output_tcp_accept
|
- elements = $output_tcp_accept
|
||||||
|
output_udp_accept:
|
||||||
|
- type inet_service; flags interval;
|
||||||
|
- elements = $output_udp_accept
|
||||||
nft_set_group: {}
|
nft_set_group: {}
|
||||||
nft_set_host: {}
|
nft_set_host: {}
|
||||||
```
|
```
|
||||||
|
@ -183,7 +196,8 @@ table inet firewall {
|
||||||
jump global
|
jump global
|
||||||
ip daddr @blackhole counter packets 0 bytes 0 drop
|
ip daddr @blackhole counter packets 0 bytes 0 drop
|
||||||
iif "lo" accept
|
iif "lo" accept
|
||||||
tcp dport ssh ct state new counter packets 0 bytes 0 accept
|
udp dport @input_udp_accept ct state new accept
|
||||||
|
tcp dport @input_tcp_accept ct state new accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output {
|
chain output {
|
||||||
|
|
|
@ -34,8 +34,10 @@ nft_input_default_rules:
|
||||||
- ip daddr @blackhole counter drop
|
- ip daddr @blackhole counter drop
|
||||||
015 localhost:
|
015 localhost:
|
||||||
- iif lo accept
|
- iif lo accept
|
||||||
220 ssh:
|
200 input udp accepted:
|
||||||
- tcp dport ssh ct state new counter accept
|
- udp dport @input_udp_accept ct state new accept
|
||||||
|
210 input tcp accepted:
|
||||||
|
- tcp dport @input_tcp_accept ct state new accept
|
||||||
nft_input_group_rules: {}
|
nft_input_group_rules: {}
|
||||||
nft_input_host_rules: {}
|
nft_input_host_rules: {}
|
||||||
|
|
||||||
|
@ -61,6 +63,12 @@ nft_define_default:
|
||||||
desc: 'broadcast and multicast'
|
desc: 'broadcast and multicast'
|
||||||
name: badcast_addr
|
name: badcast_addr
|
||||||
value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
|
value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
|
||||||
|
input tcp accepted:
|
||||||
|
name: input_tcp_accept
|
||||||
|
value: '{ ssh }'
|
||||||
|
input udp accepted:
|
||||||
|
name: input_udp_accept
|
||||||
|
value: 'none'
|
||||||
output tcp accepted:
|
output tcp accepted:
|
||||||
name: output_tcp_accept
|
name: output_tcp_accept
|
||||||
value: '{ http, https }'
|
value: '{ http, https }'
|
||||||
|
@ -75,6 +83,11 @@ nft_set_default:
|
||||||
blackhole:
|
blackhole:
|
||||||
- type ipv4_addr;
|
- type ipv4_addr;
|
||||||
- elements = $badcast_addr
|
- elements = $badcast_addr
|
||||||
|
input_tcp_accept:
|
||||||
|
- type inet_service; flags interval;
|
||||||
|
- elements = $input_tcp_accept
|
||||||
|
input_udp_accept:
|
||||||
|
- type inet_service; flags interval;
|
||||||
output_tcp_accept:
|
output_tcp_accept:
|
||||||
- type inet_service; flags interval;
|
- type inet_service; flags interval;
|
||||||
- elements = $output_tcp_accept
|
- elements = $output_tcp_accept
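Review bot: The new `input_udp_accept` set is declared with `- type inet_service; flags interval;` but, unlike `input_tcp_accept` and `output_tcp_accept` in the same hunk, has no `- elements = $input_udp_accept` line, so the set stays empty and the `udp dport @input_udp_accept ct state new accept` rule added in the first hunk of this file can never match. That is fail-closed and presumably intended, but the companion define `input_udp_accept: value: 'none'` added in the `nft_define_default` hunk is then never referenced, and it is not evident from here that nft accepts a bare `none` as a define value once an operator overrides the set to use it. Either drop the unused define or document the two-step override with a comment above the set such as `# no elements by default: all incoming UDP is denied; to open ports, give input_udp_accept a real port list and add '- elements = $input_udp_accept' here`. The enclosing `nft_set_default` mapping starts before this hunk. Separately, the first hunk of this file replaces `tcp dport ssh ct state new counter accept` with a set-based rule that has no `counter`, which loses the per-rule packet/byte statistics useful for spotting SSH scanning; consider keeping `counter` in both new input rules.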
|
||||||
|
|