diff --git a/config/etc/nftables.conf b/config/etc/nftables.conf
index e970f48..4d40ea4 100644
--- a/config/etc/nftables.conf
+++ b/config/etc/nftables.conf
@@ -2,42 +2,70 @@ flush ruleset
-table inet filter {
- chain input {
+# don't use inet instead of ip&ip6,
+# because Docker doesn't support it, yet
+# see https://maximilianehlers.com/blog/nftables-and-docker/ for more details
+
+table ip filter {
+ chain INPUT {
 type filter hook input priority 0; policy drop;
 # allow already established connections (e.g. initiated by this host)
- ct state related,established counter accept
+ ct state related,established accept
 # allow ICMP
- ip protocol icmp counter accept
+ ip protocol icmp accept
 # allow anything on localhost
- iifname "lo" counter accept
+ iifname "lo" accept
 # allow SSH for remote management
- tcp dport 22 counter accept
+ tcp dport 22 accept
 ## docker
 # cluster management communications
- tcp dport 2377 counter accept
+ tcp dport 2377 accept
 # communication among nodes
- tcp dport 7946 counter accept
- udp dport 7946 counter accept
+ tcp dport 7946 accept
+ udp dport 7946 accept
 # overlay network traffic
- udp dport 4789 counter accept
+ udp dport 4789 accept
 }
- chain forward {
+ chain FORWARD {
 type filter hook forward priority 0; policy drop;
 }
- chain output {
+ chain OUTPUT {
+ type filter hook output priority 0;
+ policy accept;
+ }
+}
+table ip6 filter {
+ chain INPUT {
+ type filter hook input priority 0;
+ policy drop;
+
+ # allow already established connections (e.g. initiated by this host)
+ ct state related,established accept
+
+ # allow ICMPv6
+ ip6 nexthdr icmpv6 accept
+
+ # allow anything on localhost
+ iifname "lo" accept
+ }
+ chain FORWARD {
+ type filter hook forward priority 0;
+ policy drop;
+ }
+ chain OUTPUT {
 type filter hook output priority 0;
 policy accept;
 }
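Review bot: The ICMPv6 rule added to the `ip6 filter` INPUT chain, `ip6 nexthdr icmpv6 accept`, only matches when ICMPv6 is the first next-header of the fixed IPv6 header; a packet carrying an extension header (MLD reports and queries carry a Hop-by-Hop header, fragmented packets carry a fragment header) has a different nexthdr and falls through to `policy drop`, which can degrade neighbour discovery on segments that do MLD snooping. The usual form matches the upper-layer protocol after any extension headers: `meta l4proto icmpv6 accept`. The new ip6 INPUT chain also has no counterpart to the SSH and Docker swarm port rules of the ip table, so any management or swarm traffic arriving over IPv6 is dropped — if that is intended, a one-line comment such as `# management and swarm traffic is IPv4-only by design` would keep it from reading as an omission. Dropping `counter` from every accept rule removes the per-rule hit counts that are the cheapest way to see which rule matched when investigating an incident; keeping it at least on the port-specific accepts costs nothing. The closing brace of `table ip6 filter` lies outside the hunk.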