Add mail server setup scripting.

[config] / buster / etc_files / mail / etc / nftables.conf

diff --git a/buster/etc_files/mail/etc/nftables.conf b/buster/etc_files/mail/etc/nftables.conf
new file mode 100755 (executable)
index 0000000..747d214
--- /dev/null
+++ b/buster/etc_files/mail/etc/nftables.conf
@@ -0,0 +1,24 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+       chain input {
+               type filter hook input priority 0; policy drop;
+               iif lo accept comment "accept localhost traffic"
+               ct state invalid drop comment "drop invalid connections"
+               ct state established, related accept comment "accept traffic originated from us"
+               tcp dport 22 accept comment "accept SSH on default port"
+               tcp dport 25 accept comment "accept SMTP (allowing for STARTTLS); necessary for mail server to mail server banter, i.e. for receiving mails"
+               tcp dport 80 accept comment "accept HTTP; necessary for Certbot HTTP challenge"
+               tcp dport 465 accept comment "accept SMTPS; for mail user agent to mail server, i.e. for sending mails"
+               tcp dport 993 accept comment "accept IMAPS; for reading/downloading mails"
+               ip protocol icmp icmp type echo-request accept comment "accept ICMP for pinging"
+       }
+       chain forward {
+               type filter hook forward priority 0; policy drop;
+       }
+       chain output {
+               type filter hook output priority 0; policy accept;
+       }
+}