Archived

This repository has been archived on 2024-03-30. You can view files and clone it, but cannot push or open issues or pull requests.

Thorsten Schubert ce777e0bd1

Forward outgoing container/local packets

2020-11-24 17:47:13 +01:00

1.1 KiB

Raw Permalink Blame History

nft-simple-fw

nftables framework ruleset comparting traffic into different zones.
Supports private subnets and vpn interfaces and provides a custom template for nft-blackhole.

Uses performant interface group matching for distinguishing interfaces.

default zone policies

filter zones

public, private, forward: reject
default: reject
vpn, output: accept

Usage

Customize conf.def and the filter zones in zones to your liking if you don't agree with the sane defaults.
Assign interface groups via systemd-networkd (see conf.def), create/edit services.d/{forward,private,public,vpn}/*.nft files for the services you wish to use and load via nft -f fw.nft, or use the supplied systemd service file systemd/nft-fw.service, which expects the files to reside in /etc/nftables.
If you are using nft-blackhole, symlink nft-blackhole/template.nft to /usr/share/nft-blackhole/nft-blackhole.template.

1.1 KiB Raw Permalink Blame History

nft-simple-fw

default zone policies

filter zones

Usage

1.1 KiB

Raw Permalink Blame History