commit 570c44019caa9949c406aad3a67e34b5cbca9caf
parent 07b9281c14eb99a8abd2fa1e064946f0162ea08a
Author: Leah (ctucx) <leah@ctu.cx>
Date: Tue, 23 Feb 2021 21:24:29 +0100
add default nftables config
1 file changed, 42 insertions(+), 0 deletions(-)
diff --git a/roles/common/files/nftables-config.nft b/roles/common/files/nftables-config.nft
@@ -0,0 +1,42 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet firewall {
+ chain inbound {
+ # By default, drop all traffic unless it meets a filter
+ # criteria specified by the rules that follow below.
+ type filter hook input priority 0; policy drop;
+
+ # Allow traffic from established and related packets.
+ ct state established,related accept
+
+ # Drop invalid packets.
+ ct state invalid drop
+
+ # Allow loopback traffic.
+ iifname lo accept
+
+ # Allow all ICMP and IGMP traffic, but enforce a rate limit
+ # to help prevent some types of flood attacks.
+ ip protocol icmp limit rate 5/second accept
+ ip6 nexthdr ipv6-icmp limit rate 5/second accept
+ ip protocol igmp limit rate 5/second accept
+
+ # Allow SSH on port 22.
+ tcp dport 22 accept
+ }
+
+ chain forward {
+ # Drop everything (assumes this device is not a router)
+ type filter hook forward priority 0; policy drop;
+ }
+
+ chain outbound {
+ # Allow all outbound traffic
+ type filter hook output priority 0; policy accept;
+ }
+
+}
+
+include "/etc/nftables.d/*.nft"
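Review bot: The `ip6 nexthdr ipv6-icmp limit rate 5/second accept` rule in the inbound chain rate-limits all ICMPv6, including Neighbor Discovery, so once a host sees more than five ICMPv6 packets per second the excess neighbor/router solicitations and advertisements hit the chain's `policy drop` and IPv6 connectivity on that link can silently degrade. NDP should be accepted unconditionally before the limited rule, e.g. `icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept`, leaving the rate limit for the remaining types. Separately, `ip6 nexthdr ipv6-icmp` only matches when ICMPv6 is the very first next header, so ICMPv6 carried behind an extension header falls through to the drop policy; `meta l4proto ipv6-icmp` matches the transport protocol regardless of extension headers. A short comment above the ICMP block stating that the limit is per-rule (not per-source) would also help the next reader judge whether 5/second is enough for this host.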