#!/usr/sbin/nft -f
# Concept ruleset for a two-interface (internal/external) forwarding firewall.
# The shebang lets the file be run directly; it is equivalent to `nft -f <file>`.
# Discard every existing table first, so that what follows is the complete
# policy of the host rather than an addition to whatever was loaded before.
flush ruleset
# Interface names used by the `iif`/`oif` dispatch rules in the table below.
# NOTE(review): `iif`/`oif` match on the interface index, so these interfaces
# must exist when the ruleset is loaded or the load fails; `iifname`/`oifname`
# would match on the name instead — confirm which behaviour is wanted.
define iface_intern = enp0s3
define iface_extern = enp0s8
# Single table in the inet family: every rule below applies to IPv4 and IPv6.
table inet filter {
# Traffic addressed to the firewall host itself. Default verdict is drop;
# only loopback and packets of already-tracked connections get through.
chain input {
type filter hook input priority 0; policy drop;
iif lo accept
ct state established,related counter accept
# NOTE(review): no rule accepts new inbound connections (e.g. management
# access) or ICMP/ICMPv6. With policy drop on an inet table this also blocks
# IPv6 neighbour discovery addressed to this host — confirm that is intended.
}
# Traffic originating from the firewall host. The policy is drop, but the
# single rule accepts everything, so effectively all outbound is allowed.
chain output {
type filter hook output priority 0; policy drop;
counter accept comment "Allow all outbound traffic for FW"
}
# Regular (non-hooked) chain entered via `jump` from forward_traffic_in.
# Placeholder: it only counts and issues no verdict, so evaluation returns
# to the caller for every packet.
chain global_deny {
counter
}
# Regular chain entered via `jump` from forward_traffic_in. Accepts IPv4 echo
# requests regardless of interface or direction (`icmp type` matches IPv4
# ICMP only, not ICMPv6); everything else is counted and returned to the caller.
chain global_accept {
icmp type echo-request accept
counter
}
# Base chain for routed traffic; default verdict is drop. Rule order matters:
# 1. packets of already-tracked connections are accepted,
# 2. the global deny/accept chains run, deny first,
# 3. the rest is dispatched by ingress interface with `goto`, which does not
#    return here (a fall-through in the target chain ends in this chain's
#    drop policy),
# 4. anything left (e.g. an unlisted interface) is logged and dropped.
chain forward_traffic_in {
type filter hook forward priority 0; policy drop;
ct state established,related counter accept comment "Accept already allowed traffic"
jump global_deny
jump global_accept
iif $iface_intern counter goto from_intern
iif $iface_extern counter goto from_extern
# NOTE(review): none of the log rules in this file carry a `limit rate`, so a
# burst of dropped packets is logged unthrottled — consider adding one.
counter log prefix "DROP forward_traffic_in " drop
}
# NOTE(review): this chain has no hook line and nothing in this file jumps or
# goes to it, so it is never evaluated; into_intern and into_extern below are
# unreachable as well. It looks like the intended egress-interface counterpart
# of forward_traffic_in, but it is not wired up to any chain.
chain forward_traffic_out {
oif $iface_intern counter goto into_intern
oif $iface_extern counter goto into_extern
counter log prefix "DROP forward_traffic_out " drop
}
# Traffic entering from the internal interface that is not already tracked:
# logged and dropped, i.e. no new forwarding from the inside is allowed yet.
chain from_intern {
counter log prefix "DROP from_intern " drop
}
# Unreachable (see forward_traffic_out). If it were wired up, the first rule
# accepts every packet leaving toward the internal interface, and the
# log-and-drop rule after it can never match.
chain into_intern {
counter accept
counter log prefix "DROP into_intern " drop
}
# Traffic entering from the external interface that is not already tracked:
# logged and dropped.
chain from_extern {
counter log prefix "DROP from_extern " drop
}
# Unreachable (see forward_traffic_out); same shape as into_intern — the
# unconditional accept shadows the drop rule below it.
chain into_extern {
counter accept
counter log prefix "DROP into_extern " drop
}
}