update nftrules example
This commit is contained in:
		
					parent
					
						
							
								8544df8bad
							
						
					
				
			
			
				commit
				
					
						c6b7152464
					
				
			
		
					 1 changed files with 52 additions and 20 deletions
				
			
		| 
						 | 
					@ -4,29 +4,61 @@ table bridge filter {
 | 
				
			||||||
    chain prerouting {
 | 
					    chain prerouting {
 | 
				
			||||||
        type filter hook prerouting priority 0;
 | 
					        type filter hook prerouting priority 0;
 | 
				
			||||||
        policy accept;
 | 
					        policy accept;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
        ibrname br100 jump netpublic
 | 
					        ibrname br100 jump netpublic
 | 
				
			||||||
    }
 | 
					    }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    chain netpublic {
 | 
					    chain netpublic {
 | 
				
			||||||
 | 
					        iifname vxlan100 jump from_uncloud
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					        # Default blocks: router advertisements, dhcpv6, dhcpv4
 | 
				
			||||||
 | 
					        icmpv6 type nd-router-advert drop
 | 
				
			||||||
 | 
					        ip6 version 6 udp sport 547 drop
 | 
				
			||||||
 | 
					        ip  version 4 udp sport 67 drop
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					        # Individual blocks
 | 
				
			||||||
        iifname tap1 jump vm1
 | 
					        iifname tap1 jump vm1
 | 
				
			||||||
 | 
					 | 
				
			||||||
             icmpv6 type {nd-router-solicit, nd-router-advert,
 | 
					 | 
				
			||||||
       nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
    }
 | 
					    }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    chain vm1 {
 | 
					    chain vm1 {
 | 
				
			||||||
        ether saddr != 02:00:f0:a9:c4:4e drop
 | 
					        ether saddr != 02:00:f0:a9:c4:4e drop
 | 
				
			||||||
 | 
					        ip6   saddr != 2a0a:e5c1:111:888:0:f0ff:fea9:c44e drop
 | 
				
			||||||
 | 
					    }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    chain from_uncloud {
 | 
				
			||||||
 | 
					        accept
 | 
				
			||||||
    }
 | 
					    }
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
table ip6 filter {
 | 
					# table ip6 filter {
 | 
				
			||||||
        chain forward {
 | 
					#         chain forward {
 | 
				
			||||||
                type filter hook forward priority 0;
 | 
					#                 type filter hook forward priority 0;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
       #         policy drop;
 | 
					#        #         policy drop;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
                ct state established,related accept;
 | 
					#                 ct state established,related accept;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
        }
 | 
					#         }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
}
 | 
					# }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					# table ip filter {
 | 
				
			||||||
 | 
					#         chain input {
 | 
				
			||||||
 | 
					#                 type filter hook input priority filter; policy drop;
 | 
				
			||||||
 | 
					#                 iif "lo" accept
 | 
				
			||||||
 | 
					#                 icmp type { echo-reply, destination-unreachable, source-quench, redirect, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply } accept
 | 
				
			||||||
 | 
					#                 ct state established,related accept
 | 
				
			||||||
 | 
					#                 tcp dport { 22 } accept
 | 
				
			||||||
 | 
					#                 log prefix "firewall-ipv4: "
 | 
				
			||||||
 | 
					#                 udp sport 67 drop
 | 
				
			||||||
 | 
					#         }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					#         chain forward {
 | 
				
			||||||
 | 
					#                 type filter hook forward priority filter; policy drop;
 | 
				
			||||||
 | 
					#                 log prefix "firewall-ipv4: "
 | 
				
			||||||
 | 
					#         }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					#         chain output {
 | 
				
			||||||
 | 
					#                 type filter hook output priority filter; policy accept;
 | 
				
			||||||
 | 
					#         }
 | 
				
			||||||
 | 
					# }
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
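Review bot: The new anti-spoofing rule in chain vm1, `ip6 saddr != 2a0a:e5c1:111:888:0:f0ff:fea9:c44e drop`, also drops the guest's own link-local and unspecified-source traffic, so router solicitations, neighbor solicitations/advertisements and DAD from the VM (source `fe80::…` or `::`) never leave tap1. If the guest derives its addresses by EUI-64 from the MAC checked on the line above, its link-local address would be `fe80::f0ff:fea9:c44e` (derived here, not taken from the file), and the rule should become an anonymous set such as `ip6 saddr != { 2a0a:e5c1:111:888:0:f0ff:fea9:c44e, fe80::f0ff:fea9:c44e, :: } drop`; otherwise a comment should state why link-local traffic from the VM is intentionally cut off. Separately, `iifname vxlan100 jump from_uncloud` sits above the default blocks and from_uncloud is a bare `accept`, so rogue RA and DHCP replies arriving over vxlan100 are never subject to the three drop rules that follow; if the uncloud side is trusted, a comment such as `# vxlan100 carries already-filtered traffic from uncloud; bypass the default blocks` would make that explicit, otherwise the jump belongs below them. The enclosing `table bridge filter {` starts before the hunk, so the table header and any earlier chains are not visible here.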