#!/usr/sbin/nft -f
# Drop every existing table in every address family before the rules below
# are installed. nft -f applies the flush and the new table in one atomic
# transaction, so there is no window during the reload with no ruleset in
# place.
flush ruleset
# Temporary host filter: default-deny input with a source-network allow-list,
# pending a proper per-service policy.
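table inet filter {
	# IPv4 source networks granted unrestricted inbound access (all ports).
	# "flags interval" stores prefixes as ranges; a prefix should be written
	# with its host bits clear, so the original 193.2.76.176/24 is spelled as
	# the /24 it expands to. NOTE(review): if only 193.2.76.176-191 (a /28)
	# was intended, narrow this entry to 193.2.76.176/28 -- confirm with the
	# owner of that range.
	set allowed {
		type ipv4_addr; flags interval
		elements = { 10.32.0.0/14, 193.2.76.0/24, 192.168.19.0/24,
		             192.168.251.0/24, 88.200.23.0/24 }
	}

	# IPv6 counterpart of "allowed".
	set allowed/6 {
		type ipv6_addr; flags interval
		elements = { 2001:1470:fffd::/48 }
	}

	# Inbound traffic addressed to this host. Default-deny: anything not
	# matched below is silently dropped (there is no log rule, so dropped
	# packets leave no trace).
	chain input {
		type filter hook input priority filter; policy drop

		# Conntrack first: replies to connections this host opened, and ICMP
		# errors conntrack ties to them ("related"), are accepted without
		# consulting the allow-lists; packets in an invalid state are dropped.
		ct state vmap { invalid : drop, established : accept, related : accept }

		iif lo accept

		# IPv6 neighbour discovery is not conntrack-tracked, and
		# duplicate-address-detection probes arrive from the unspecified
		# address (::), so without an explicit accept they fall through to
		# the drop policy. RFC 4861 requires these messages to carry hop
		# limit 255, which rejects anything that was routed in from off-link.
		ip6 hoplimit 255 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept

		# BGP / BFD sessions run over link-local addresses on the two
		# peer-facing interfaces. "iif" resolves the interface index at load
		# time, so the ruleset fails to load if lan0 or lan1 does not exist.
		iif lan0 ip6 saddr fe80::/64 accept
		iif lan1 ip6 saddr fe80::/64 accept

		# Any other new connection must originate from an allow-listed
		# network; no port or protocol restriction is applied to those
		# sources.
		ip saddr @allowed accept
		ip6 saddr @allowed/6 accept
	}

	# Transit traffic is not filtered (policy accept). This presumably
	# reflects the host acting as a router for the BGP/BFD peers above; if
	# it is not meant to forward, this should become "policy drop".
	chain forward {
		type filter hook forward priority filter; policy accept
	}

	# Locally generated traffic is unrestricted.
	chain output {
		type filter hook output priority filter; policy accept
	}
}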