Lock down the default firewall

Anthony Rose 2023-11-20 20:09:51 +00:00
parent acc4910b5a
commit 87264aa14a


@ -8,13 +8,13 @@ table inet filter {
# Accept any localhost and libvirt traffic. # Accept any localhost and libvirt traffic.
iif "lo" accept iif "lo" accept
iifname "virbr0" accept #iifname "virbr0" accept
# Accept traffic originated from us. # Accept traffic originated from us.
ct state established,related accept ct state established,related accept
# Open ports for public services. # Open ports for public services.
tcp dport 22 ct state new accept # SSH #tcp dport 22 ct state new accept # SSH
# ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1 # ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
@ -32,11 +32,12 @@ table inet filter {
type filter hook output priority filter; policy accept; type filter hook output priority filter; policy accept;
} }
} }
table ip nat {
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
# Masquerade NAT traffic (useful for VMs). #table ip nat {
masquerade # chain postrouting {
} # type nat hook postrouting priority srcnat; policy accept;
} #
# # Masquerade NAT traffic (useful for VMs).
# masquerade
# }
#}
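Review bot: The disabled rules at the `#iifname "virbr0" accept` and `#tcp dport 22 ct state new accept # SSH` lines are left in place as commented-out fragments with no explanation, so a later reader cannot tell whether they were removed deliberately or merely parked, and the `# Open ports for public services.` header above them now introduces nothing. Replace the dead lines with a short why-comment such as `# No public services by default; SSH is deliberately not exposed on this host.` and, if operators may need to re-enable SSH, keep one documented example rule rather than the commented original. It is also worth noting in the file that an existing SSH session survives a reload only through the `ct state established,related accept` rule, while a fresh connection will be refused once this is loaded, assuming the input chain's policy is drop (the chain header is outside the hunk, so this is inferred). The NAT table in the second hunk is commented out in the same way, and the same note applies there.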