add firewall rules in nftables.conf

4 years ago · 0f670a3383
parent 6f14e7eb29
commit 0f670a3383
1 changed files with 44 additions and 0 deletions
--- a/config/etc/nftables.conf
+++ b/config/etc/nftables.conf
@ -0,0 +1,44 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0;
+        policy drop;
+
+
+        # allow already established connections (e.g. initiated by this host)
+        add rule ip filter INPUT ct state related,established counter accept
+
+        # allow ICMP
+        add rule ip filter INPUT ip protocol icmp counter accept
+
+        # allow anything on localhost
+        add rule ip filter INPUT iifname "lo" counter accept
+
+        # allow SSH for remote management
+        add rule ip filter INPUT tcp dport 22 counter accept
+
+
+        ## docker
+
+        # cluster management communications
+        add rule ip filter INPUT tcp dport 2377 counter accept
+
+        # communication among nodes
+        add rule ip filter INPUT tcp dport 7946 counter accept
+        add rule ip filter INPUT udp dport 7946 counter accept
+
+        # overlay network traffic
+        add rule ip filter INPUT udp dport 4789 counter accept
+    }
+    chain forward {
+        type filter hook forward priority 0;
+        policy drop;
+    }
+    chain output {
+        type filter hook output priority 0;
+        policy accept;
+    }
+}