You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
44 lines
1.1 KiB
Plaintext
44 lines
1.1 KiB
Plaintext
#!/usr/sbin/nft -f
|
|
|
|
flush ruleset
|
|
|
|
table inet filter {
|
|
chain input {
|
|
type filter hook input priority 0;
|
|
policy drop;
|
|
|
|
|
|
# allow already established connections (e.g. initiated by this host)
|
|
add rule ip filter INPUT ct state related,established counter accept
|
|
|
|
# allow ICMP
|
|
add rule ip filter INPUT ip protocol icmp counter accept
|
|
|
|
# allow anything on localhost
|
|
add rule ip filter INPUT iifname "lo" counter accept
|
|
|
|
# allow SSH for remote management
|
|
add rule ip filter INPUT tcp dport 22 counter accept
|
|
|
|
|
|
## docker
|
|
|
|
# cluster management communications
|
|
add rule ip filter INPUT tcp dport 2377 counter accept
|
|
|
|
# communication among nodes
|
|
add rule ip filter INPUT tcp dport 7946 counter accept
|
|
add rule ip filter INPUT udp dport 7946 counter accept
|
|
|
|
# overlay network traffic
|
|
add rule ip filter INPUT udp dport 4789 counter accept
|
|
}
|
|
chain forward {
|
|
type filter hook forward priority 0;
|
|
policy drop;
|
|
}
|
|
chain output {
|
|
type filter hook output priority 0;
|
|
policy accept;
|
|
}
|
|
} |