From 13009283c0964210348a592c616b35fc9188d576 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ga=C5=A1per=20Fele-=C5=BDor=C5=BE?=
Date: Tue, 10 Sep 2024 15:40:16 +0200
Subject: [PATCH] proxmox-backup add nftables template

---
 .../proxmox-backup/templates/nftables.conf.j2 | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 roles/proxmox-backup/templates/nftables.conf.j2

diff --git a/roles/proxmox-backup/templates/nftables.conf.j2 b/roles/proxmox-backup/templates/nftables.conf.j2
new file mode 100644
index 0000000..aff70a9
--- /dev/null
+++ b/roles/proxmox-backup/templates/nftables.conf.j2
@@ -0,0 +1,51 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy drop
+
+ ct state vmap { invalid : drop, established : accept, related : accept }
+ iif lo accept
+
+ ip protocol icmp icmp type {
+ echo-request, echo-reply, destination-unreachable,
+ parameter-problem, time-exceeded,
+ } accept comment "accept some ICMPv4"
+
+ ip6 nexthdr icmpv6 icmpv6 type {
+ echo-request, echo-reply, destination-unreachable,
+ packet-too-big, parameter-problem, time-exceeded,
+ } accept comment "accept some ICMPv6"
+
+ # BGP / BFD sessions
+ iif lan0 ip6 saddr fe80::/64 accept
+ iif lan1 ip6 saddr fe80::/64 accept
+
+ iifname mgmt accept comment "management access"
+
+ meta nfproto ipv6 tcp dport 80 accept comment "for certificate renewal"
+
+{% for service in services %}
+{% set prefixes = service | allowed_prefixes %}
+{% set ports = service.ports | compact_numlist %}
+ # service {{ service.name }}
+{% if prefixes | ipv4 %}
+ ip saddr { {{ prefixes | ipv4 | join(', ') }} } tcp dport { {{ ports }} } accept
+{% endif %}
+{% if prefixes | ipv6 %}
+ ip6 saddr { {{ prefixes | ipv6 | join(', ') }} } tcp dport { {{ ports }} } accept
+{% endif %}
+
+{% endfor %}
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy drop
+ }
+
+ chain output {
+ type filter hook output priority filter; policy accept
+ }
+}
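Review bot: The ICMPv6 accept set in the input chain omits the neighbour-discovery types, so on any interface not covered by the `fe80::/64` or `mgmt` rules, neighbour solicitations and advertisements (which conntrack generally does not track, so the `ct state vmap` never admits them) fall through to `policy drop`, which breaks IPv6 reachability for a host that also expects inbound IPv6 on `tcp dport 80`; on lan0/lan1 it only works because the BGP/BFD link-local rule happens to admit them. Add a dedicated rule next to the ICMPv6 one, e.g. `ip6 nexthdr icmpv6 icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept comment "IPv6 neighbour discovery"`, so the dependency is explicit rather than incidental. Separately, the service loop guards on `prefixes | ipv4` / `prefixes | ipv6` but not on `ports`; if `compact_numlist` can yield an empty string for a service without ports, the rendered `tcp dport {  } accept` is a syntax error and `nft -f` rejects the whole file, so a `{% if ports %}` guard around the two accept lines (or a check in the filter) would avoid that.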