From 0f670a3383d70d140b2b6cbfe444ee42d6d06b22 Mon Sep 17 00:00:00 2001
From: lub
Date: Sat, 21 Dec 2019 11:16:41 +0100
Subject: [PATCH] add firewall rules in nftables.conf

---
 config/etc/nftables.conf | 44 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 config/etc/nftables.conf

diff --git a/config/etc/nftables.conf b/config/etc/nftables.conf
new file mode 100644
index 0000000..2fc90ff
--- /dev/null
+++ b/config/etc/nftables.conf
@@ -0,0 +1,44 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0;
+ policy drop;
+
+
+ # allow already established connections (e.g. initiated by this host)
+ add rule ip filter INPUT ct state related,established counter accept
+
+ # allow ICMP
+ add rule ip filter INPUT ip protocol icmp counter accept
+
+ # allow anything on localhost
+ add rule ip filter INPUT iifname "lo" counter accept
+
+ # allow SSH for remote management
+ add rule ip filter INPUT tcp dport 22 counter accept
+
+
+ ## docker
+
+ # cluster management communications
+ add rule ip filter INPUT tcp dport 2377 counter accept
+
+ # communication among nodes
+ add rule ip filter INPUT tcp dport 7946 counter accept
+ add rule ip filter INPUT udp dport 7946 counter accept
+
+ # overlay network traffic
+ add rule ip filter INPUT udp dport 4789 counter accept
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ policy drop;
+ }
+ chain output {
+ type filter hook output priority 0;
+ policy accept;
+ }
+}
\ No newline at end of file
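Review bot: The rule lines inside `chain input` use the command form `add rule ip filter INPUT …`, which is not valid inside a `table { chain { … } }` block of an `nft -f` script and also names a table (`ip filter`) and chain (`INPUT`) that this file never defines, so nft should reject the whole file at parse time and none of it — including the `policy drop` defaults — gets applied. Inside the block each rule is written bare, e.g. `ct state related,established counter accept`, as in the excerpt below. Two further points to confirm against the host: `ip protocol icmp` in an `inet` table matches IPv4 only, so ICMPv6 (neighbour discovery) would be dropped on an IPv6-enabled host, whereas `meta l4proto { icmp, ipv6-icmp } counter accept` covers both; and `flush ruleset` together with `policy drop` on `chain forward` with no accept rules will also drop forwarded container traffic if Docker (implied by the port comments) relies on its own rules on this host.
```nftables
	chain input {
		type filter hook input priority 0;
		policy drop;
		# … unchanged: per-rule comments …
		ct state related,established counter accept
		ip protocol icmp counter accept
		iifname "lo" counter accept
		tcp dport 22 counter accept
		tcp dport 2377 counter accept
		tcp dport 7946 counter accept
		udp dport 7946 counter accept
		udp dport 4789 counter accept
	}
```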