mirror of
https://github.com/GrapheneOS/infrastructure.git
synced 2025-09-18 11:44:47 -04:00
nftables: friendlier output traffic filtering
This commit is contained in:
Daniel Micay
parent
3ca0c347c6
commit
e0ab41c4f4
6 changed files with 42 additions and 6 deletions
|
|
@ -47,6 +47,12 @@ table inet filter {
|
|||
|
||||
oif lo accept
|
||||
|
||||
skuid != {root, systemd-network, chrony, unbound, http, attestation} counter reject
|
||||
skuid != {root, systemd-network, chrony, unbound, http, attestation} counter goto output-reject
|
||||
}
|
||||
|
||||
chain output-reject {
|
||||
meta l4proto udp reject
|
||||
meta l4proto tcp reject with tcp reset
|
||||
reject
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -47,6 +47,12 @@ table inet filter {
|
|||
|
||||
oif lo accept
|
||||
|
||||
skuid != {root, systemd-network, chrony, unbound, http, flarum} counter reject
|
||||
skuid != {root, systemd-network, chrony, unbound, http, flarum} counter goto output-reject
|
||||
}
|
||||
|
||||
chain output-reject {
|
||||
meta l4proto udp reject
|
||||
meta l4proto tcp reject with tcp reset
|
||||
reject
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -50,6 +50,12 @@ table inet filter {
|
|||
|
||||
oif lo accept
|
||||
|
||||
skuid != {root, systemd-network, chrony, unbound, powerdns} counter reject
|
||||
skuid != {root, systemd-network, chrony, unbound, powerdns} counter goto output-reject
|
||||
}
|
||||
|
||||
chain output-reject {
|
||||
meta l4proto udp reject
|
||||
meta l4proto tcp reject with tcp reset
|
||||
reject
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -47,6 +47,12 @@ table inet filter {
|
|||
|
||||
oif lo accept
|
||||
|
||||
skuid != {root, systemd-network, chrony, unbound, postfix, dovecot, dovenull} counter reject
|
||||
skuid != {root, systemd-network, chrony, unbound, postfix, dovecot, dovenull} counter goto output-reject
|
||||
}
|
||||
|
||||
chain output-reject {
|
||||
meta l4proto udp reject
|
||||
meta l4proto tcp reject with tcp reset
|
||||
reject
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -47,6 +47,12 @@ table inet filter {
|
|||
|
||||
oif lo accept
|
||||
|
||||
skuid != {root, systemd-network, chrony, unbound, http, synapse, matterbridge} counter reject
|
||||
skuid != {root, systemd-network, chrony, unbound, http, synapse, matterbridge} counter goto output-reject
|
||||
}
|
||||
|
||||
chain output-reject {
|
||||
meta l4proto udp reject
|
||||
meta l4proto tcp reject with tcp reset
|
||||
reject
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -47,6 +47,12 @@ table inet filter {
|
|||
|
||||
oif lo accept
|
||||
|
||||
skuid != {root, systemd-network, chrony, unbound, http} counter reject
|
||||
skuid != {root, systemd-network, chrony, unbound, http} counter goto output-reject
|
||||
}
|
||||
|
||||
chain output-reject {
|
||||
meta l4proto udp reject
|
||||
meta l4proto tcp reject with tcp reset
|
||||
reject
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue