blob: c66cc9f0a2a1a915a2bc346d2c42e69fef654266 [file] [log] [blame]
#!/usr/sbin/nft -f
{#
SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
SPDX-License-Identifier: Apache-2.0
#}
flush ruleset
# Primary rules
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
# The basic rules to accept ICMP and established connection
iif "lo" accept
ip protocol icmp accept
ct state established,related accept
ct state invalid drop
{% if "services" in netprep_nftables %}
## The service present on this server
{% for item in netprep_nftables["services"] %}
# For service {{ item["name"] }}
iif "{{ netprep_nftables["internal_if"] }}" {{ item["protocol"] }} dport {{ item["port"]}} accept
{% endfor %}
{% endif %}
# Allow SSH on all interfaces
tcp dport ssh accept
# Allow IPsec ports on external interface
iif "{{ netprep_nftables["external_if"] }}" udp dport 500 accept
iif "{{ netprep_nftables["external_if"] }}" udp dport 4500 accept
{% if "interface_subnets" in netprep_nftables %}
# The ingress traffic restriction of internal networks
{% for interface in netprep_nftables["interface_subnets"] %}
{% for item in netprep_nftables["interface_subnets"][interface] %}
iif "{{ interface }}" ip saddr {{ item }} accept
{% endfor %}
{% endfor %}
{% endif %}
}
chain forward {
type filter hook forward priority 0; policy accept;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
# NAT
table ip nat {
chain prerouting {
type nat hook prerouting priority -100;
}
chain postrouting {
type nat hook postrouting priority 100;
oifname "{{ netprep_nftables["external_if"] }}" masquerade;
{% if "ue_routing" in netprep_nftables -%}
{%- for src_subnet in netprep_nftables["ue_routing"]["src_subnets"] -%}
{%- for ue_subnet in netprep_nftables["ue_routing"]["ue_subnets"] %}
ip saddr {{ src_subnet }} ip daddr {{ ue_subnet }} counter snat to {{ netprep_nftables["ue_routing"]["snat_addr"] }};
{% endfor %}
{% endfor %}
{% endif %}
{% if "acc_routing" in netprep_nftables -%}
{%- for src_subnet in netprep_nftables["acc_routing"]["src_subnets"] -%}
{%- for acc_subnet in netprep_nftables["acc_routing"]["acc_subnets"] %}
ip saddr {{ src_subnet }} ip daddr {{ acc_subnet }} counter snat to {{ netprep_nftables["acc_routing"]["snat_addr"] }};
{% endfor %}
{% endfor %}
{% endif %}
}
}