From d43c7a9f7b127eeff95735c316719f03f18eecff Mon Sep 17 00:00:00 2001
From: Christian Heller <c.heller@plomlompom.de>
Date: Thu, 16 Jan 2020 01:14:23 +0100
Subject: [PATCH] Add basic server firewalling.

---
 buster/apt-mark/server                    |  2 ++
 buster/etc_files/server/etc/nftables.conf | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100755 buster/etc_files/server/etc/nftables.conf

diff --git a/buster/apt-mark/server b/buster/apt-mark/server
index 81be2dd..8183c9c 100644
--- a/buster/apt-mark/server
+++ b/buster/apt-mark/server
@@ -1,2 +1,4 @@
 # so we can login at all …
 openssh-server
+# firewalling
+nftables
diff --git a/buster/etc_files/server/etc/nftables.conf b/buster/etc_files/server/etc/nftables.conf
new file mode 100755
index 0000000..efbc182
--- /dev/null
+++ b/buster/etc_files/server/etc/nftables.conf
@@ -0,0 +1,20 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+	chain input {
+		type filter hook input priority 0; policy drop;
+		iif lo accept comment "accept localhost traffic"
+		ct state invalid drop comment "drop invalid connections"
+		ct state established, related accept comment "accept traffic originated from us"
+		tcp dport 22 accept comment "accept SSH on default port"
+		ip protocol icmp icmp type echo-request accept comment "accept ICMP for pinging"
+	}
+	chain forward {
+		type filter hook forward priority 0; policy drop;
+	}
+	chain output {
+		type filter hook output priority 0; policy accept;
+	}
+}
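Review bot: The ICMP rule in the input chain (`ip protocol icmp icmp type echo-request accept`) matches IPv4 only, so with `policy drop` in an `inet` table every ICMPv6 packet is dropped, and since conntrack does not track Neighbor Discovery this breaks IPv6 entirely on a dual-stack host (neighbor/router solicitations from the gateway never get answered). Add an IPv6 counterpart next to it, e.g. `ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept comment "accept ICMPv6 needed for IPv6 to work, plus ping"`. ICMPv4 errors such as fragmentation-needed and time-exceeded for our own connections still pass through `ct state established, related`, so IPv4 path MTU discovery is unaffected. Installing the package and dropping this file does not by itself apply the ruleset at boot; unless the deploy scripts already run `systemctl enable nftables` (not visible in this patch), the host stays unfiltered until that is done.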
-- 
2.30.2