Add basic server firewalling.
authorChristian Heller <c.heller@plomlompom.de>
Thu, 16 Jan 2020 00:14:23 +0000 (01:14 +0100)
committerChristian Heller <c.heller@plomlompom.de>
Thu, 16 Jan 2020 00:14:23 +0000 (01:14 +0100)
buster/apt-mark/server
buster/etc_files/server/etc/nftables.conf [new file with mode: 0755]

index 81be2dd515ac77d61b837430eb922172562495ea..8183c9cb7cc534f39f4a43700a70d4c934f3b610 100644 (file)
@@ -1,2 +1,4 @@
 # so we can login at all …
 openssh-server
+# firewalling
+nftables
diff --git a/buster/etc_files/server/etc/nftables.conf b/buster/etc_files/server/etc/nftables.conf
new file mode 100755 (executable)
index 0000000..efbc182
--- /dev/null
@@ -0,0 +1,20 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+       chain input {
+               type filter hook input priority 0; policy drop;
+               iif lo accept comment "accept localhost traffic"
+               ct state invalid drop comment "drop invalid connections"
+               ct state established, related accept comment "accept traffic originated from us"
+               tcp dport 22 accept comment "accept SSH on default port"
+               ip protocol icmp icmp type echo-request accept comment "accept ICMP for pinging"
+       }
+       chain forward {
+               type filter hook forward priority 0; policy drop;
+       }
+       chain output {
+               type filter hook output priority 0; policy accept;
+       }
+}
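Review bot: The only ICMP rule in the new `input` chain (`ip protocol icmp icmp type echo-request accept`, line 32) matches IPv4 alone, yet the table is `inet` with `policy drop`, so all ICMPv6 is dropped — including neighbor solicitation/advertisement and router advertisements, without which IPv6 on this host cannot resolve neighbors and the `tcp dport 22` rule is unreachable over v6. If the server carries an IPv6 address, add after line 32: `ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept comment "accept ICMPv6 needed for IPv6 to function, plus ping"`. Whether IPv6 is actually configured on the target is not visible in this commit; if it is deliberately absent, a comment to that effect on the ICMP rule would keep the next reader from reading the omission as an oversight.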