update nftrules example

This commit is contained in:
Nico Schottelius 2020-01-11 21:21:30 +01:00
parent 8544df8bad
commit c6b7152464

View file

@ -1,32 +1,64 @@
flush ruleset
table bridge filter {
chain prerouting {
type filter hook prerouting priority 0;
policy accept;
ibrname br100 jump netpublic
}
chain netpublic {
chain prerouting {
type filter hook prerouting priority 0;
policy accept;
iifname tap1 jump vm1
ibrname br100 jump netpublic
}
icmpv6 type {nd-router-solicit, nd-router-advert,
nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
chain netpublic {
iifname vxlan100 jump from_uncloud
}
chain vm1 {
ether saddr != 02:00:f0:a9:c4:4e drop
}
# Default blocks: router advertisements, dhcpv6, dhcpv4
icmpv6 type nd-router-advert drop
ip6 version 6 udp sport 547 drop
ip version 4 udp sport 67 drop
# Individual blocks
iifname tap1 jump vm1
}
chain vm1 {
ether saddr != 02:00:f0:a9:c4:4e drop
ip6 saddr != 2a0a:e5c1:111:888:0:f0ff:fea9:c44e drop
}
chain from_uncloud {
accept
}
}
table ip6 filter {
chain forward {
type filter hook forward priority 0;
# table ip6 filter {
# chain forward {
# type filter hook forward priority 0;
# policy drop;
# # policy drop;
ct state established,related accept;
# ct state established,related accept;
}
# }
}
# }
# table ip filter {
# chain input {
# type filter hook input priority filter; policy drop;
# iif "lo" accept
# icmp type { echo-reply, destination-unreachable, source-quench, redirect, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply } accept
# ct state established,related accept
# tcp dport { 22 } accept
# log prefix "firewall-ipv4: "
# udp sport 67 drop
# }
# chain forward {
# type filter hook forward priority filter; policy drop;
# log prefix "firewall-ipv4: "
# }
# chain output {
# type filter hook output priority filter; policy accept;
# }
# }