ctucx.git: ansible-configs

My personal ansible roles and playbooks

commit 570c44019caa9949c406aad3a67e34b5cbca9caf
parent 07b9281c14eb99a8abd2fa1e064946f0162ea08a
Author: Leah (ctucx) <leah@ctu.cx>
Date: Tue, 23 Feb 2021 21:24:29 +0100

add default nftables config
1 file changed, 42 insertions(+), 0 deletions(-)
A
roles/common/files/nftables-config.nft
|
42
++++++++++++++++++++++++++++++++++++++++++
diff --git a/roles/common/files/nftables-config.nft b/roles/common/files/nftables-config.nft
@@ -0,0 +1,42 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet firewall {
+	chain inbound {
+		# By default, drop all traffic unless it meets a filter
+		# criteria specified by the rules that follow below.
+		type filter hook input priority 0; policy drop;
+
+		# Allow traffic from established and related packets.
+		ct state established,related accept
+
+		# Drop invalid packets.
+		ct state invalid drop
+
+		# Allow loopback traffic.
+		iifname lo accept
+
+		# Allow all ICMP and IGMP traffic, but enforce a rate limit
+		# to help prevent some types of flood attacks.
+		ip protocol icmp limit rate 5/second accept
+		ip6 nexthdr ipv6-icmp limit rate 5/second accept
+		ip protocol igmp limit rate 5/second accept
+
+		# Allow SSH on port 22.
+		tcp dport 22 accept
+	}
+
+	chain forward {
+		# Drop everything (assumes this device is not a router)
+		type filter hook forward priority 0; policy drop;
+	}
+
+	chain outbound {
+		# Allow all outbound traffic
+		type filter hook output priority 0; policy accept;
+	}
+
+}
+
+include "/etc/nftables.d/*.nft"