add firewall rules in nftables.conf
parent
6f14e7eb29
commit
0f670a3383
@ -0,0 +1,44 @@
|
||||
#!/usr/sbin/nft -f
|
||||
|
||||
flush ruleset
|
||||
|
||||
table inet filter {
|
||||
chain input {
|
||||
type filter hook input priority 0;
|
||||
policy drop;
|
||||
|
||||
|
||||
# allow already established connections (e.g. initiated by this host)
|
||||
add rule ip filter INPUT ct state related,established counter accept
|
||||
|
||||
# allow ICMP
|
||||
add rule ip filter INPUT ip protocol icmp counter accept
|
||||
|
||||
# allow anything on localhost
|
||||
add rule ip filter INPUT iifname "lo" counter accept
|
||||
|
||||
# allow SSH for remote management
|
||||
add rule ip filter INPUT tcp dport 22 counter accept
|
||||
|
||||
|
||||
## docker
|
||||
|
||||
# cluster management communications
|
||||
add rule ip filter INPUT tcp dport 2377 counter accept
|
||||
|
||||
# communication among nodes
|
||||
add rule ip filter INPUT tcp dport 7946 counter accept
|
||||
add rule ip filter INPUT udp dport 7946 counter accept
|
||||
|
||||
# overlay network traffic
|
||||
add rule ip filter INPUT udp dport 4789 counter accept
|
||||
}
|
||||
chain forward {
|
||||
type filter hook forward priority 0;
|
||||
policy drop;
|
||||
}
|
||||
chain output {
|
||||
type filter hook output priority 0;
|
||||
policy accept;
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue