Add base set of nftables rules
parent
eb62a3f4c8
commit
c438930075
@ -3,9 +3,14 @@
|
|||
|
||||
. ../../APKBUILD.template
|
||||
|
||||
pkgrel=0
|
||||
pkgrel=3
|
||||
pkgdesc="Basic generic nftables template"
|
||||
options="!check" # check requires root?
|
||||
subpackages=""
|
||||
|
||||
for i in "$startdir"/nft/inet/nnd-base/*/*/*/*; do
|
||||
subpackages="$subpackages $pkgname-$(echo "${i##*/nft/inet/nnd-base/}" | sed 's/\//-/g'):_mod"
|
||||
done
|
||||
|
||||
check() {
|
||||
msg "Checking if commands are valid"
|
||||
|
@ -22,3 +27,8 @@ package() {
|
|||
mkdir -p "$pkgdir"/etc/nnd
|
||||
cp -r "$builddir"/nft "$pkgdir"/etc/nnd/nftables
|
||||
}
|
||||
|
||||
_mod() {
|
||||
local _modname="${subpkgname##$pkgname-}"
|
||||
amove etc/nnd/nftables/inet/nnd-base/"$(echo $_modname | sed 's/-/\//g')"
|
||||
}
|
||||
|
|
|
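Review bot: The subpackage name built in the `for` loop turns every `/` below `nft/inet/nnd-base/` into `-`, and `_mod` undoes that by turning every `-` back into `/`, so any directory or rule file whose own name contains a hyphen yields an `amove` path that does not exist and the split fails. Since the encoding cannot be made reversible with `-` alone, the loop should refuse such names up front, e.g. `case "${i##*/nft/inet/nnd-base/}" in *-*) die "hyphen in rule path: $i" ;; esac` before the `subpackages=` line. The glob `nft/inet/nnd-base/*/*/*/*` also runs without nullglob, so if nothing matches the literal pattern becomes a subpackage name; guarding with `[ -e "$i" ] || continue` avoids that. The `options="!check" # check requires root?` comment leaves the reason as a question while a `check()` function is still defined; either drop `!check` or state why it cannot run in the builder. `check()` starts in the first hunk and continues outside it.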
@ -0,0 +1,5 @@
|
|||
include "inet/nnd-base/filter/input/ct/*";
|
||||
include "inet/nnd-base/filter/input/icmp/*";
|
||||
include "inet/nnd-base/filter/input/iface/*";
|
||||
include "inet/nnd-base/filter/input/udp/*";
|
||||
include "inet/nnd-base/filter/input/tcp/*";
|
|
@ -0,0 +1 @@
|
|||
ct state established accept;
|
|
@ -0,0 +1 @@
|
|||
ct state invalid counter drop;
|
|
@ -0,0 +1 @@
|
|||
ct state related accept;
|
|
@ -0,0 +1 @@
|
|||
ip protocol icmp counter accept;
|
|
@ -0,0 +1 @@
|
|||
ip6 nexthdr icmpv6 counter accept;
|
|
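Review bot: `ip6 nexthdr icmpv6` matches only when the ICMPv6 header immediately follows the IPv6 header; ICMPv6 packets that carry an extension header first (MLD reports typically arrive with a Hop-by-Hop header) do not match and fall through to the chain's reject. The usual form is `meta l4proto icmpv6 counter accept;`, which follows the extension-header chain to the transport protocol. For symmetry the IPv4 file could use `meta l4proto icmp counter accept;` as well, although `ip protocol icmp` is correct there since IPv4 has no extension headers.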
@ -0,0 +1 @@
|
|||
iifname lo accept;
|
|
@ -0,0 +1 @@
|
|||
tcp dport 10809 counter accept;
|
|
@ -0,0 +1 @@
|
|||
tcp dport 143 counter accept;
|
|
@ -0,0 +1 @@
|
|||
tcp dport 22 counter accept;
|
|
@ -0,0 +1 @@
|
|||
tcp dport 25 counter accept;
|
|
@ -0,0 +1 @@
|
|||
tcp dport 443 counter accept;
|
|
@ -0,0 +1 @@
|
|||
tcp dport 465 counter accept;
|
|
@ -0,0 +1 @@
|
|||
tcp dport 51413 counter accept;
|
|
@ -0,0 +1 @@
|
|||
tcp dport 53 counter accept;
|
|
@ -0,0 +1 @@
|
|||
tcp dport 587 counter accept;
|
|
@ -0,0 +1 @@
|
|||
tcp dport 64738 counter accept;
|
|
@ -0,0 +1 @@
|
|||
tcp dport 7777 counter accept;
|
|
@ -0,0 +1 @@
|
|||
tcp dport 80 counter accept;
|
|
@ -0,0 +1 @@
|
|||
tcp dport 993 counter accept;
|
|
@ -0,0 +1 @@
|
|||
tcp dport 26000 counter accept;
|
|
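Review bot: This rule and the four files that follow it (51413, 51820, 53, 64783) form a second alphabetically sorted run after the tcp set, which suggests they sit under the `udp/` directory the aggregator includes, yet each still matches `tcp dport`; port 51820 (WireGuard) is UDP-only, so that rule as written would never accept its traffic. If the placement is right, each of these five should read `udp dport <port> counter accept;`. Separately, `64783` here does not match the `64738` used in the tcp run; if both refer to the same service one of them looks transposed. File paths are not shown in this rendering, so please confirm against the tree.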
@ -0,0 +1 @@
|
|||
tcp dport 51413 counter accept;
|
|
@ -0,0 +1 @@
|
|||
tcp dport 51820 counter accept;
|
|
@ -0,0 +1 @@
|
|||
tcp dport 53 counter accept;
|
|
@ -0,0 +1 @@
|
|||
tcp dport 64783 counter accept;
|
|
@ -1,17 +1,14 @@
|
|||
table inet nnd-base {
|
||||
chain rxfilter {
|
||||
type filter hook input priority 0;
|
||||
policy reject;
|
||||
|
||||
ct state invalid counter drop;
|
||||
icmpx counter accept;
|
||||
policy drop;
|
||||
|
||||
include "inet/nnd-base/filter/input/*";
|
||||
counter reject with icmpx type admin-prohibited;
|
||||
}
|
||||
chain fwfilter {
|
||||
type filter hook forward priority 0;
|
||||
policy reject;
|
||||
policy drop;
|
||||
include "inet/nnd-base/filter/forward/*";
|
||||
counter reject with icmpx type no-route;
|
||||
}
|
||||
|
|
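Review bot: The `include "inet/nnd-base/filter/input/*";` and `include "inet/nnd-base/filter/forward/*";` lines use relative paths, while the APKBUILD installs the tree under `/etc/nnd/nftables`, which is not nft's default include directory; the table therefore loads only when nft is given that directory as an include path, e.g. `nft -I /etc/nnd/nftables -f <table file>`. That requirement is not recorded anywhere, so a leading comment such as `# Load with: nft -I /etc/nnd/nftables -f <table file>` would save the next reader a failed load. Also, with the chain policy already `drop`, the trailing `counter reject with icmpx type admin-prohibited;` makes the effective policy an active reject that answers unsolicited probes; if that is the intent, a one-line comment saying so would stop it being mistaken for leftover policy handling, and the same applies to the forward chain's `reject with icmpx type no-route`.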