-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
72 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| # This file was auto generated for machine: 'e0ab02d2-27cd-5a5e-8efc-080ba80cf258' by app version . | ||
| # Do not edit. | ||
| table inet metal { | ||
| chain input { | ||
| type filter hook input priority 0; policy drop; | ||
| meta l4proto ipv6-icmp counter accept comment "icmpv6 input required for neighbor discovery" | ||
| iifname "lo" counter accept comment "BGP unnumbered" | ||
| iifname "lan0" ip6 saddr fe80::/64 tcp dport bgp counter accept comment "bgp unnumbered input from lan0" | ||
| iifname "lan1" ip6 saddr fe80::/64 tcp dport bgp counter accept comment "bgp unnumbered input from lan1" | ||
| iifname "lan0" ip saddr 10.0.0.0/8 udp dport 4789 counter accept comment "incoming VXLAN lan0" | ||
| iifname "lan1" ip saddr 10.0.0.0/8 udp dport 4789 counter accept comment "incoming VXLAN lan1" | ||
|
|
||
| ct state established,related counter accept comment "stateful input" | ||
|
|
||
| tcp dport ssh ct state new counter accept comment "SSH incoming connections" | ||
| ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics" | ||
| ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics" | ||
|
|
||
| ct state invalid counter drop comment "drop invalid packets to prevent malicious activity" | ||
| counter jump refuse | ||
| } | ||
| chain forward { | ||
| type filter hook forward priority 0; policy accept; | ||
| ct state invalid counter drop comment "drop invalid packets from forwarding to prevent malicious activity" | ||
| counter jump refuse | ||
| } | ||
| chain output { | ||
| type filter hook output priority 0; policy accept; | ||
| meta l4proto ipv6-icmp counter accept comment "icmpv6 output required for neighbor discovery" | ||
| oifname "lo" counter accept comment "lo output required e.g. for chrony" | ||
| oifname "lan0" ip6 saddr fe80::/64 tcp dport bgp counter accept comment "bgp unnumbered output at lan0" | ||
| oifname "lan1" ip6 saddr fe80::/64 tcp dport bgp counter accept comment "bgp unnumbered output at lan1" | ||
|
|
||
| ip daddr 10.0.0.0/8 udp dport 4789 counter accept comment "outgoing VXLAN" | ||
|
|
||
| ct state established,related counter accept comment "stateful output" | ||
| ct state invalid counter drop comment "drop invalid packets" | ||
| } | ||
| chain output_ct { | ||
| type filter hook output priority raw; policy accept; | ||
| } | ||
| chain refuse { | ||
| limit rate 2/minute counter log prefix "nftables-metal-dropped: " | ||
| counter drop | ||
| } | ||
| } | ||
| table inet nat { | ||
| set public_dns_servers { | ||
| type ipv4_addr | ||
| flags interval | ||
| auto-merge | ||
| elements = { 8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1 } | ||
| } | ||
|
|
||
| chain prerouting { | ||
| type nat hook prerouting priority 0; policy accept; | ||
| } | ||
| chain prerouting_ct { | ||
| type filter hook prerouting priority raw; policy accept; | ||
| } | ||
| chain input { | ||
| type nat hook input priority 0; policy accept; | ||
| } | ||
| chain output { | ||
| type nat hook output priority 0; policy accept; | ||
| } | ||
| chain postrouting { | ||
| type nat hook postrouting priority 0; policy accept; | ||
| oifname "vlan104009" ip saddr 10.0.16.0/22 counter masquerade comment "snat (networkid: internet-vagrant-lab)" | ||
| oifname "vlan104010" ip saddr 10.0.16.0/22 counter masquerade comment "snat (networkid: mpls-nbg-w8101-test)" | ||
| } | ||
| } |