Add base set of nftables rules
parent
eb62a3f4c8
commit
c438930075
|
@ -3,9 +3,14 @@
|
||||||
|
|
||||||
. ../../APKBUILD.template
|
. ../../APKBUILD.template
|
||||||
|
|
||||||
pkgrel=0
|
pkgrel=3
|
||||||
pkgdesc="Basic generic nftables template"
|
pkgdesc="Basic generic nftables template"
|
||||||
options="!check" # check requires root?
|
options="!check" # check requires root?
|
||||||
|
subpackages=""
|
||||||
|
|
||||||
|
for i in "$startdir"/nft/inet/nnd-base/*/*/*/*; do
|
||||||
|
subpackages="$subpackages $pkgname-$(echo "${i##*/nft/inet/nnd-base/}" | sed 's/\//-/g'):_mod"
|
||||||
|
done
|
||||||
|
|
||||||
check() {
|
check() {
|
||||||
msg "Checking if commands are valid"
|
msg "Checking if commands are valid"
|
||||||
|
@ -22,3 +27,8 @@ package() {
|
||||||
mkdir -p "$pkgdir"/etc/nnd
|
mkdir -p "$pkgdir"/etc/nnd
|
||||||
cp -r "$builddir"/nft "$pkgdir"/etc/nnd/nftables
|
cp -r "$builddir"/nft "$pkgdir"/etc/nnd/nftables
|
||||||
}
|
}
|
||||||
|
|
||||||
|
_mod() {
|
||||||
|
local _modname="${subpkgname##$pkgname-}"
|
||||||
|
amove etc/nnd/nftables/inet/nnd-base/"$(echo $_modname | sed 's/-/\//g')"
|
||||||
|
}
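Review bot: `_mod()` rebuilds the install path by turning every `-` in the subpackage suffix back into `/`, and the loop in the first hunk builds that suffix by turning `/` into `-` with no escaping, so the round trip silently breaks as soon as a directory or rule file under nnd-base carries a hyphen in its name; it works today only because the rule files are bare port numbers, and that constraint is nowhere stated. I would add `# subpackage names map 1:1 onto the nnd-base path; hyphens in dir or file names are not supported` above the loop, and quote the expansion instead of passing it unquoted through echo: `amove etc/nnd/nftables/inet/nnd-base/"$(printf '%s' "$_modname" | tr - /)"`. The glob also runs while the APKBUILD is sourced, so if it matches nothing a literal `*` entry is appended to subpackages; a `[ -e "$i" ] || continue` as the first line of the loop body guards that. The `package()` function the second hunk edits begins outside the hunk.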
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
include "inet/nnd-base/filter/input/ct/*";
|
||||||
|
include "inet/nnd-base/filter/input/icmp/*";
|
||||||
|
include "inet/nnd-base/filter/input/iface/*";
|
||||||
|
include "inet/nnd-base/filter/input/udp/*";
|
||||||
|
include "inet/nnd-base/filter/input/tcp/*";
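Review bot: The order of these five includes is what now guarantees that the `ct state` accept/drop rules run before any per-port accept and that `iifname lo accept` runs only after the ct checks, but nothing in the file says the order is deliberate; a header such as `# order matters: ct first (short-circuits established flows and drops invalid), then icmp, iface, udp, tcp` would stop a later edit from reordering them. Within each directory the matched files are, as far as I recall, included by nft in alphabetical order, so the naming inside `ct/` (established, invalid, related) is also load-bearing and deserves the same comment. Listing `iface/*` before `ct/*` is the more usual layout, so loopback traffic is never subject to the invalid-state drop, but that is a preference rather than a defect.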
|
|
@ -0,0 +1 @@
|
||||||
|
ct state established accept;
|
|
@ -0,0 +1 @@
|
||||||
|
ct state invalid counter drop;
|
|
@ -0,0 +1 @@
|
||||||
|
ct state related accept;
|
|
@ -0,0 +1 @@
|
||||||
|
ip protocol icmp counter accept;
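Review bot: This accepts every ICMP type unconditionally, and the ICMPv6 rule in the next section does the same for IPv6; that is a faithful split of the `icmpx counter accept` it replaces, but a base template is the place to narrow it. For IPv4, `icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } counter accept;` keeps path-MTU discovery and diagnostics working while dropping the remaining types, and a `limit rate` on echo-request is a common addition if the host is exposed.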
|
|
@ -0,0 +1 @@
|
||||||
|
ip6 nexthdr icmpv6 counter accept;
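Review bot: `ip6 nexthdr icmpv6` matches only when ICMPv6 is the IPv6 header's immediate Next Header, so a packet carrying an extension header before ICMPv6 (hop-by-hop options on MLD reports, for instance) is not accepted here and falls through to the chain's final reject, which can quietly break multicast membership and some neighbour-discovery traffic. `meta l4proto ipv6-icmp counter accept;` matches the transport protocol found after the extension headers and is the form to use; if types are later restricted, `icmpv6 type { ... }` has the same property.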
|
|
@ -0,0 +1 @@
|
||||||
|
iifname lo accept;
|
|
@ -0,0 +1 @@
|
||||||
|
tcp dport 10809 counter accept;
|
|
@ -0,0 +1 @@
|
||||||
|
tcp dport 143 counter accept;
|
|
@ -0,0 +1 @@
|
||||||
|
tcp dport 22 counter accept;
|
|
@ -0,0 +1 @@
|
||||||
|
tcp dport 25 counter accept;
|
|
@ -0,0 +1 @@
|
||||||
|
tcp dport 443 counter accept;
|
|
@ -0,0 +1 @@
|
||||||
|
tcp dport 465 counter accept;
|
|
@ -0,0 +1 @@
|
||||||
|
tcp dport 51413 counter accept;
|
|
@ -0,0 +1 @@
|
||||||
|
tcp dport 53 counter accept;
|
|
@ -0,0 +1 @@
|
||||||
|
tcp dport 587 counter accept;
|
|
@ -0,0 +1 @@
|
||||||
|
tcp dport 64738 counter accept;
|
|
@ -0,0 +1 @@
|
||||||
|
tcp dport 7777 counter accept;
|
|
@ -0,0 +1 @@
|
||||||
|
tcp dport 80 counter accept;
|
|
@ -0,0 +1 @@
|
||||||
|
tcp dport 993 counter accept;
|
|
@ -0,0 +1 @@
|
||||||
|
tcp dport 26000 counter accept;
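Review bot: The five sections from here on (26000, 51413, 51820, 53, 64783) form a second alphabetically ordered group after the tcp/ files, and the new include file lists a `udp/` directory, so these appear to be the UDP rules — yet every one of them matches `tcp dport`; 51820 in particular is WireGuard, which is UDP-only, so a TCP rule there accepts nothing and leaves the real service blocked. If these files live under `udp/`, each should read `udp dport <port> counter accept;`. 64783 in the last of them also looks like a transposition of 64738, which appears in the tcp group. File paths are not visible on this page, so please confirm the directory before changing.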
|
|
@ -0,0 +1 @@
|
||||||
|
tcp dport 51413 counter accept;
|
|
@ -0,0 +1 @@
|
||||||
|
tcp dport 51820 counter accept;
|
|
@ -0,0 +1 @@
|
||||||
|
tcp dport 53 counter accept;
|
|
@ -0,0 +1 @@
|
||||||
|
tcp dport 64783 counter accept;
|
|
@ -1,17 +1,14 @@
|
||||||
table inet nnd-base {
|
table inet nnd-base {
|
||||||
chain rxfilter {
|
chain rxfilter {
|
||||||
type filter hook input priority 0;
|
type filter hook input priority 0;
|
||||||
policy reject;
|
policy drop;
|
||||||
|
|
||||||
ct state invalid counter drop;
|
|
||||||
icmpx counter accept;
|
|
||||||
|
|
||||||
include "inet/nnd-base/filter/input/*";
|
include "inet/nnd-base/filter/input/*";
|
||||||
counter reject with icmpx type admin-prohibited;
|
counter reject with icmpx type admin-prohibited;
|
||||||
}
|
}
|
||||||
chain fwfilter {
|
chain fwfilter {
|
||||||
type filter hook forward priority 0;
|
type filter hook forward priority 0;
|
||||||
policy reject;
|
policy drop;
|
||||||
include "inet/nnd-base/filter/forward/*";
|
include "inet/nnd-base/filter/forward/*";
|
||||||
counter reject with icmpx type no-route;
|
counter reject with icmpx type no-route;
|
||||||
}
|
}
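Review bot: `policy drop` is now only a safety net, because both chains end in an unconditional `counter reject ...` that every packet not accepted earlier hits; a comment such as `# policy is the fallback; the terminal reject below is the normal path` would save the next reader from looking for the case the policy handles. Moving `ct state invalid` and the ICMP accept out of this file also means `rxfilter` now depends entirely on the relative `include "inet/..."` resolving; as far as I recall nft resolves that against its include path and treats an empty glob as a non-error, so a loader run without `-I /etc/nnd/nftables` (the install location in the APKBUILD) would leave the chain rejecting everything rather than failing loudly. That invocation is outside this page, so please confirm it is documented next to the ruleset.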
|
||||||
|
|