Pim Kunis
1c0e4794a8
add additional SAN to k3s certificates update README with k8s certificate instructions open port for kubectl
# Host firewall ruleset: table "nixos-fw" in the inet family, so every rule
# below applies to both IPv4 and IPv6 unless it is qualified (meta nfproto, ip, ip6, icmp, icmpv6).
table inet nixos-fw {
# Reverse-path filter. Runs at prerouting (before the routing decision), default drop:
# a packet is kept only if a route back to its source exists via the interface it arrived on.
chain rpfilter {
type filter hook prerouting priority mangle + 10; policy drop;
# DHCPv4 exchanges (client port 68 <-> server port 67) cannot pass a route lookup on their
# source address, so they are accepted explicitly before the fib check.
meta nfproto ipv4 udp sport . udp dport { 68 . 67, 67 . 68 } accept comment "DHCPv4 client/server"
# Accept when the fib lookup for (saddr, mark, iif) yields an output interface;
# everything else falls through to the chain's drop policy.
fib saddr . mark . iif oif exists accept
}
# Traffic addressed to this host. Default drop; only packets not accepted by
# an earlier rule reach the final log rule, and then the policy.
chain input {
type filter hook input priority filter; policy drop;
iifname "lo" accept comment "trusted interfaces"
# Conntrack dispatch: replies to established flows are accepted here without consulting
# the port list; only new (or untracked) packets are sent to input-allow. A jump returns
# to this chain if input-allow does not accept, so the log rule below still sees them.
ct state vmap { invalid : drop, established : accept, related : accept, new : jump input-allow, untracked : jump input-allow }
# Log refused TCP connection attempts (SYN set, FIN/RST/ACK clear) before the chain
# policy drops them. Refused UDP and non-SYN TCP packets are dropped without a log line.
tcp flags syn / fin,syn,rst,ack log prefix "refused connection: " level info
}
# Services reachable from any source address on any non-loopback interface.
# None of the rules below restricts saddr or iifname, so each port is exposed
# wherever this host is reachable.
chain input-allow {
# SSH. This is the only rule in the chain without a comment attribute.
tcp dport 22 accept
# NOTE(review): PostgreSQL is accepted from any source; confirm this is intended
# rather than restricting it to a trusted subnet (e.g. the 192.168.30.0/24 used in forward-allow).
tcp dport 5432 accept comment "PostgreSQL server"
# Kubernetes API server (k3s), opened by this commit for kubectl access; same remark as
# for 5432 applies -- access control rests entirely on the API server's own authentication.
tcp dport 6443 accept comment "k3s"
icmp type echo-request accept comment "allow ping"
# ICMPv6 is left open because neighbour/router discovery and MLD are required for IPv6
# to work at all; only redirects and node information queries (type 139) are excluded.
icmpv6 type != { nd-redirect, 139 } accept comment "Accept all ICMPv6 messages except redirects and node information queries (type 139). See RFC 4890, section 4.4."
# DHCPv6 replies are only accepted when addressed to a link-local destination.
ip6 daddr fe80::/64 udp dport 546 accept comment "DHCPv6 client"
}
# Forwarding between interfaces. Despite the "-allow" suffix this chain carries the
# forward hook itself, so its drop policy is final for routed traffic.
# NOTE(review): there is no "ct state established,related accept" here, so packets
# leaving 192.168.30.0/24 for another network (including replies to forwarded
# connections) hit the drop policy; confirm this is the intended behaviour.
chain forward-allow {
type filter hook forward priority filter; policy drop;
ip daddr 192.168.30.0/24 accept
}
}