From 840147f9d6bd4ec1bb6b9b1dd78195a5d84aea1e Mon Sep 17 00:00:00 2001
From: Anthony Perkins
Date: Thu, 11 Jun 2020 15:44:46 +0100
Subject: [PATCH] Add nftables.conf workstation firewall config
---
 roles/debian/files/nftables.conf | 43 ++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100755 roles/debian/files/nftables.conf
diff --git a/roles/debian/files/nftables.conf b/roles/debian/files/nftables.conf
new file mode 100755
index 0000000..0004066
--- /dev/null
+++ b/roles/debian/files/nftables.conf
@@ -0,0 +1,43 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy accept;
+
+ # Accept any localhost and libvirt traffic.
+ iif "lo" accept
+ iif "virbr0" accept
+
+ # Accept traffic originated from us.
+ ct state established,related accept
+
+ # Open ports for public services.
+ tcp dport ssh ct state new accept
+ tcp dport 8000 ct state new accept # Python HTTP server.
+
+ # Accept neighbour discovery otherwise IPv6 connectivity breaks.
+ ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
+
+ # Count and drop any other traffic.
+ counter drop
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy accept;
+ }
+
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+}
+
+table ip nat {
+ chain postrouting {
+ type nat hook postrouting priority 100;
+
+ # Masquerade NAT traffic (useful for VMs).
+ masquerade
+ }
+}
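Review bot: The forward chain accepts everything and the postrouting `masquerade` rule is not scoped to any interface, so with IP forwarding enabled (libvirt's default NAT network turns it on) the workstation will route and source-NAT any traffic that reaches it, not only traffic from virbr0 guests; both should be restricted to the VM bridge as in the excerpt below. In the input chain, `ip6 nexthdr icmpv6` only matches when ICMPv6 is the very next header, so ICMPv6 carrying an extension header slips past the neighbour-discovery rule into `counter drop`; the idiomatic form is `icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept` on its own (the `icmpv6` match already implies the protocol), and `echo-request` is worth considering for both families. Since `policy accept` on input relies entirely on the trailing `counter drop` to fail closed, `policy drop` on that chain is the safer default. Note also that `flush ruleset` removes whatever rules libvirt installed for virbr0 (for example DHCP/DNS to the host), which this file only partly replaces, so a comment such as `# flush ruleset also drops libvirt's own virbr0 rules; they are re-created here.` would help the next reader.
```nft
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Only route traffic originating from the libvirt guests, plus replies.
        ct state established,related accept
        iifname "virbr0" accept
    }
    # … unchanged: output chain …
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;

        # Only masquerade guest traffic leaving via a non-bridge interface.
        iifname "virbr0" oifname != "virbr0" masquerade
    }
}
```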