sonny/debian-setup
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
debian-setup/templates/nftables.j2
sonny 8d8ae8f892 DNS related changes 
- Added hostname provisioning
- Added nsswitch.conf provisioning
- Added systemd-resolved provisioning
2025-03-06 02:49:11 +01:00

52 lines
3.3 KiB
Django/Jinja
Raw Blame History

# {{ ansible_managed }}
# vim:set ts=2 sw=2 et:
flush ruleset
table ip filter {
chain input {
type filter hook input priority 0; policy drop;
# allow established/related connections
ct state { established, related } accept
# early drop of invalid connections
ct state invalid drop
# allow from loopback
iifname lo accept
# allow icmp
ip protocol icmp accept
iifname "{{ network_interface }}" tcp dport {{ ssh_port }} accept comment "SSH"
iifname "{{ network_interface }}" tcp dport {{ forgejo_ssh_port }} accept comment "Forgejo SSH"
iifname "{{ network_interface }}" tcp dport { {{ http_port }}, {{ https_port }} } accept comment "HTTP/HTTPS"
iifname "{{ network_interface }}" tcp dport {{ transmission_port }} accept comment "Transmission"
iifname "{{ network_interface }}" udp dport {{ vpn_port }} accept comment "Wireguard"
iifname "{{ network_interface }}" udp dport {{ vpn_media_port }} accept comment "Wireguard media"
# TODO: create combined rule
iifname "{{ vpn_interface }}" tcp dport 53 ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "DNS TCP"
iifname "{{ vpn_interface }}" udp dport 53 ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "DNS UDP"
iifname "{{ vpn_interface }}" tcp dport { {{ http_port }}, {{ https_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "HTTP/HTTPS"
iifname "{{ vpn_interface }}" tcp dport {{ transmission_web_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "Transmission Web"
iifname "{{ vpn_interface }}" tcp dport { {{ syncthing_gui_port }}, {{ syncthing_protocol_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "Syncthing"
iifname "{{ vpn_interface }}" tcp dport {{ mpd_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD"
iifname "{{ vpn_interface }}" tcp dport {{ mpd_http_stream_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD HTTP stream"
iifname "{{ vpn_interface }}" tcp dport {{ mpd_http_mobile_stream_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD HTTP mobile stream"
# TODO: create combined rule
iifname "{{ vpn_media_interface }}" tcp dport 53 ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "DNS TCP"
iifname "{{ vpn_media_interface }}" udp dport 53 ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "DNS UDP"
iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_http_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin HTTP"
iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_service_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin service discovery"
iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_client_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin client discovery"
log
}
}
Reference in a new issue View git blame Copy permalink