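#!/usr/sbin/nft -f
#
# Static firewall template.
#
# This file contains shell-style placeholders ($VARS) that are replaced by fw-apply via envsubst.
# envsubst rewrites every placeholder it recognises, so the only `$`-prefixed tokens in this file
# must be the ones fw-apply sets. If PRIV_IF or PRIV_NET expands to an empty string, the private
# network rules below no longer parse and `nft -f` rejects the whole file rather than loading a
# weaker ruleset (the ruleset already in the kernel is left untouched). The *_RULES / *_RULE
# placeholders expand to zero or more complete nft rules and simply vanish when empty.
#
# Important:
# - We only manage table inet fw_static.
# - We do NOT flush the entire ruleset (fail2ban rules remain intact).
#   NOTE(review): re-applying this file without first deleting or flushing table inet fw_static
#   appends a second copy of every rule; presumably fw-apply handles that - confirm.
# - Family "inet" hooks both IPv4 and IPv6, but the private-network rules match IPv4 only
#   (`ip saddr` / `ip daddr`). With policy drop, IPv6 traffic other than loopback and
#   established flows is therefore dropped unless the injected ICMP/APT rules cover it
#   (IPv6 neighbour discovery, for instance, needs icmpv6 rules).

table inet fw_static {

    chain input {
        type filter hook input priority 0;
        policy drop;

        iif "lo" accept

        # Discard packets conntrack cannot attach to a known flow (bad TCP flag combinations,
        # out-of-window segments, stray replies) before any accept rule below can match them.
        ct state invalid drop
        ct state established,related accept

        # Public: ICMP (optional)
        $ICMP_PUBLIC_IN_RULES

        # Public: SSH IN (optional)
        $SSH_PUBLIC_IN_RULE

        # Private network (in): any protocol/port from the private subnet, but only when it
        # arrives on the private interface, so private-range source addresses seen on a public
        # interface still fall through to policy drop.
        iif "$PRIV_IF" ip saddr $PRIV_NET accept
    }

    chain output {
        type filter hook output priority 0;
        policy drop;

        oif "lo" accept
        ct state established,related accept

        # Public: ICMP (optional)
        $ICMP_PUBLIC_OUT_RULES

        # Public: APT OUT (optional) - includes DNS + HTTP/HTTPS
        $APT_PUBLIC_OUT_RULES

        # Private network (out): mirror of the input rule; only traffic to the private subnet
        # leaving via the private interface is allowed.
        oif "$PRIV_IF" ip daddr $PRIV_NET accept
    }

    chain forward {
        # No forwarding rules at all: every forwarded packet hits policy drop.
        type filter hook forward priority 0;
        policy drop;
    }
}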