Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2024-07-04 02:01:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
ca7c036e8c
graphene-os-server-infrastr.../nftables-matrix.conf
Daniel Micay 6081f9fa73 allow synapse to connect to nginx via loopback 
For an unknown reason, synapse occasionally tries to connect to
matrix.grapheneos.org which ends up being routed via the loopback
interface. For now, allow this to avoid rejected packets.
2022-07-26 19:30:33 -04:00

74 lines
2.2 KiB
Plaintext
Raw Blame History

#!/usr/bin/nft -f
flush ruleset
table inet filter {
chain prerouting-raw {
type filter hook prerouting priority raw
iif lo notrack accept
tcp dport {22, 80, 443} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept
}
chain output-raw {
type filter hook output priority raw
oif lo notrack accept
tcp sport {22, 80, 443} notrack accept
meta l4proto {icmp, ipv6-icmp} notrack accept
}
chain input {
type filter hook input priority filter
policy drop
iif lo accept
tcp dport {22, 80, 443} ip daddr {{ipv4_address}} accept
tcp dport {22, 80, 443} ip6 daddr {{ipv6_address}} accept
meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept }
meta l4proto udp reject
meta l4proto tcp reject with tcp reset
reject
}
chain forward {
type filter hook forward priority filter
policy drop
}
chain output {
type filter hook output priority filter
oif lo goto output-internal
skuid != {root, systemd-network, chrony, unbound, http, synapse, matterbridge} counter goto output-reject
}
chain output-internal {
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 th dport != 8008 accept
skuid {chrony, synapse, matterbridge} meta l4proto {tcp, udp} th sport >= 1024 th sport != 8008 th dport 53 accept
skuid postgres udp sport >= 1024 udp sport != 8008 udp dport >= 1024 udp dport != 8008 accept
skuid synapse tcp sport 8008 tcp dport >= 1024 tcp dport != 8008 accept
skuid http tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 accept
skuid mjolnir tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 accept
skuid http tcp sport 443 tcp dport >= 1024 tcp dport != 8008 accept
skuid matterbridge tcp sport >= 1024 tcp dport != 8008 tcp dport 443 accept
skuid synapse tcp sport >= 1024 tcp dport != 8008 tcp dport 443 accept
skuid != root counter goto output-reject
accept
}
chain output-reject {
meta l4proto udp reject
meta l4proto tcp reject with tcp reset
reject
}
}
Reference in New Issue View Git Blame Copy Permalink