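table inet nixos-fw {
  # Reverse-path filter (anti-spoofing): a packet is accepted only if a route
  # for its source address exists via the interface it arrived on. It hooks
  # prerouting, so it covers both locally delivered and forwarded traffic.
  chain rpfilter {
    type filter hook prerouting priority mangle + 10; policy drop;

    # DHCPv4 is exchanged before the host has an address/route, so it would
    # never pass the fib check below; exempt it explicitly.
    meta nfproto ipv4 udp sport . udp dport { 68 . 67, 67 . 68 } accept comment "DHCPv4 client/server"

    # Accept when the fib lookup for (saddr, mark, iif) yields an output interface.
    fib saddr . mark . iif oif exists accept
  }

  # Local delivery: default deny, loopback trusted, everything else goes
  # through conntrack and then the explicit allow list in input-allow.
  chain input {
    type filter hook input priority filter; policy drop;

    iifname "lo" accept comment "trusted interfaces"

    # Conntrack dispatch: replies to existing flows come straight in; new and
    # untracked flows are checked against the allow list.
    ct state vmap { invalid : drop, established : accept, related : accept, new : jump input-allow, untracked : jump input-allow }

    # Log refused SYNs, but bound the rate. With policy drop and the services
    # below reachable from any source, an unbounded log rule lets a port scan
    # or SYN flood fill the journal (log-flooding DoS).
    tcp flags syn / fin,syn,rst,ack limit rate 10/second burst 20 packets log prefix "refused connection: " level info
  }

  # Allow list for new inbound flows (reached via jump from input).
  chain input-allow {
    # NOTE(review): the three TCP services below are reachable from every
    # interface and every source address. If SSH, PostgreSQL or the k3s API
    # are meant for a management segment only, narrow these rules with
    # `iifname` and/or `ip saddr` — a database and a Kubernetes API server
    # exposed to the world are high-value targets.
    tcp dport 22 accept comment "SSH"
    tcp dport 5432 accept comment "PostgreSQL server"
    tcp dport 6443 accept comment "k3s"

    icmp type echo-request accept comment "allow ping"
    icmpv6 type != { nd-redirect, 139 } accept comment "Accept all ICMPv6 messages except redirects and node information queries (type 139). See RFC 4890, section 4.4."

    # DHCPv6 client replies arrive at the link-local address on port 546.
    ip6 daddr fe80::/64 udp dport 546 accept comment "DHCPv6 client"
  }

  # Routed traffic: default deny, only the listed destination subnet is
  # forwarded. (Despite the "-allow" suffix this chain is a base chain with
  # the forward hook, not a jump target.)
  chain forward-allow {
    type filter hook forward priority filter; policy drop;

    # Return path: without this, replies from 192.168.30.0/24 back to the
    # initiator are dropped by the default policy (assuming replies traverse
    # this host), so the destination rule below only ever admits the first leg
    # of a connection. Mirrors the conntrack dispatch used in the input chain.
    ct state vmap { invalid : drop, established : accept, related : accept }

    # NOTE(review): forwarding is permitted from any ingress interface. If the
    # subnet should only be reachable from a particular segment, add `iifname`.
    ip daddr 192.168.30.0/24 accept
  }
}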