Last active
May 20, 2022 09:02
-
-
Save prasmussen/ecaa5c93cb8f2f33e0286a6de68ad7c1 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| net.ipv4.ip_forward=1 | |
| net.ipv6.conf.default.forwarding=1 | |
| net.ipv6.conf.6rdtun.forwarding=1 | |
| net.ipv6.conf.all.forwarding=1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| interface=eno1 | |
| dhcp-range=10.0.0.100,10.0.0.200,12h |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Name=eno1.102 | |
| Kind=vlan | |
| [VLAN] | |
| Id=102 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Match] | |
| Name=eno1.102 | |
| [Network] | |
| DHCP=ipv4 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Match] | |
| Name=eno1 | |
| [Network] | |
| Address=10.0.0.1/24 | |
| VLAN=eno1.102 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/nft -f | |
| define internal_nic = eno1 | |
| define external_nic = eno1.102 | |
| table inet filter { | |
| chain input { | |
| type filter hook input priority 0; | |
| # allow established/related connections | |
| ct state { established, related } accept | |
| # early drop of invalid connections | |
| ct state invalid drop | |
| # allow from loopback and internal nic | |
| iifname { lo, $internal_nic } accept | |
| # allow icmp | |
| ip protocol icmp accept | |
| ip6 nexthdr icmpv6 accept | |
| # open port 22, but only allow 2 new connections per minute from each ip | |
| tcp dport 22 ct state new flow table ssh-ftable { ip saddr limit rate 2/minute } accept | |
| # everything else | |
| reject with icmp type port-unreachable | |
| } | |
| chain forward { | |
| type filter hook forward priority 0; | |
| # allow from loopback and internal nic | |
| iifname { lo, $internal_nic } accept | |
| # allow established/related connections | |
| oifname $internal_nic ct state { established, related } accept | |
| # Drop everything else | |
| drop | |
| } | |
| chain output { | |
| type filter hook output priority 0; | |
| } | |
| } | |
| table ip nat { | |
| chain prerouting { | |
| type nat hook prerouting priority 0 | |
| } | |
| chain postrouting { | |
| type nat hook postrouting priority 0 | |
| oifname $external_nic masquerade | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| nameserver 8.8.8.8 | |
| nameserver 8.8.4.4 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment