Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2025-01-03 11:00:49 -05:00
Code Issues Packages Projects Releases Wiki Activity

nftables: filter input service traffic by dst addr

Browse Source
This commit is contained in:
Daniel Micay 2022-07-21 19:30:45 -04:00
parent fdf21af1ae
commit ad6e998ec2
6 changed files with 14 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
nftables-attestation.conf
View File

@ -24,7 +24,8 @@ table inet filter {
policy drop policy drop
iif lo accept iif lo accept
tcp dport {22, 80, 443} accept tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept
tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }

3
nftables-discuss.conf
View File

@ -24,7 +24,8 @@ table inet filter {
policy drop policy drop
iif lo accept iif lo accept
tcp dport {22, 80, 443} accept tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept
tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }

6
nftables-dns.conf
View File

@ -26,8 +26,10 @@ table inet filter {
policy drop policy drop
iif lo accept iif lo accept
udp dport 53 accept udp dport 53 ip daddr {{ipv4_address}} accept
tcp dport {22, 53} accept udp dport 53 ip6 daddr {{ipv6_address}} accept
tcp dport {22, 53} ip daddr {{ipv4_address}} accept
tcp dport {22, 53} ip6 daddr {{ipv6_address}} accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }

3
nftables-mail.conf
View File

@ -24,7 +24,8 @@ table inet filter {
policy drop policy drop
iif lo accept iif lo accept
tcp dport {22, 25, 80, 465, 993} accept tcp dport {22, 25, 80, 465, 993} ip daddr {{ipv4_address}} accept
tcp dport {22, 25, 80, 465, 993} ip6 daddr {{ipv6_address}} accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }

3
nftables-matrix.conf
View File

@ -24,7 +24,8 @@ table inet filter {
policy drop policy drop
iif lo accept iif lo accept
tcp dport {22, 80, 443} accept tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept
tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }

3
nftables-web.conf
View File

@ -24,7 +24,8 @@ table inet filter {
policy drop policy drop
iif lo accept iif lo accept
tcp dport {22, 80, 443} accept tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept
tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
meta l4proto {icmp, ipv6-icmp} accept meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }