From 3310a661466d54b6bb1f2e8ee387e7a38f92b2e7 Mon Sep 17 00:00:00 2001
From: Marc Beninca
Date: Sun, 21 Jul 2019 17:35:05 +0200
Subject: [PATCH] nftables

---
 in/personal/server/index.rst | 42 +++++++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

diff --git a/in/personal/server/index.rst b/in/personal/server/index.rst
index a9fc8f7..38eb112 100644
--- a/in/personal/server/index.rst
+++ b/in/personal/server/index.rst
@@ -183,6 +183,8 @@ Prepare a grub.cfg
 * net.ipv6.conf.all.forwarding=1
 * nftables
 * nginx
+* root/user authorized_keys
+* curl
 * /etc/bash.bashrc
 * /etc/fstab (/d)
@@ -248,8 +250,46 @@ Prepare a grub.cfg
 ::
 lxc.include = /var/lib/lxc/config
- lxc.mount.entry = /d/lxc/buster d none bind,create=dir,rw 0 0
+ lxc.mount.entry = /d/d/buster d none bind,create=dir,rw 0 0
 lxc.rootfs.path = dir:/var/lib/lxc/buster
 lxc.net.0.veth.pair = buster
 lxc.net.0.ipv4.address = 10.0.0.1/24
 lxc.net.0.ipv4.gateway = 10.0.0.254
+
+/etc/nftables.conf
+ ::
+ #! /usr/sbin/nft --file
+ flush ruleset
+ table inet filter {
+ chain input {
+ type filter hook input priority 0; policy accept;
+ iifname "lo" accept
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ tcp dport ssh accept
+ tcp dport domain accept
+ tcp dport http accept
+ tcp dport https accept
+ }
+ chain forward {
+ type filter hook forward priority 0; policy accept;
+ }
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+ }
+
+ table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority 0; policy accept;
+ tcp dport 65001 dnat to 10.0.0.1:ssh
+ }
+ chain postrouting {
+ type nat hook postrouting priority 0; policy accept;
+ masquerade
+ }
+ }
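Review bot: The added `/etc/nftables.conf` listing in the second hunk declares the input chain with `policy accept;`, so the seven explicit `accept` rules beneath it (lo, icmp, icmpv6, ssh, domain, http, https) have no effect and the host is left fully open; the forward chain has the same `policy accept;`, so the `dnat to 10.0.0.1:ssh` redirect is not bounded by any filter either. If the intent of listing those services is to allow only them, the chain needs a default-deny policy and a stateful rule before the service accepts: `type filter hook input priority 0; policy drop;` followed by `ct state established,related accept` as the first rule (and likewise `policy drop` on forward with a matching `ct state` rule plus an accept for the dnat'd traffic). As it stands the ruleset reads as a working filter but only performs NAT; a one-line comment above the table saying whether this is intentionally permissive would remove the ambiguity for anyone copying it. The hunk also fixes the lxc bind-mount path, which is unrelated and fine as is.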