| #!/usr/sbin/nft -f |
| {# |
| SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org> |
| SPDX-License-Identifier: Apache-2.0 |
| #} |
| |
| # Start from an empty ruleset: this removes every table in every family, so any |
| # rules added on the host by other tooling are dropped as well when this file is loaded. |
| flush ruleset |
| |
| # Primary rules |
| table inet filter { |
| # The "inet" family hooks both IPv4 and IPv6; rules prefixed with "ip ..." below |
| # match IPv4 only, while the others apply to both families. |
| chain input { |
| # Default-deny for traffic addressed to this host. Rules are evaluated top to bottom |
| # and each accept below is an explicit exception to the drop policy. |
| type filter hook input priority 0; policy drop; |
| |
| # The basic rules: accept loopback, ICMP and established/related connections |
| iif "lo" accept |
| # NOTE(review): this matches IPv4 ICMP only; ICMPv6 is not accepted anywhere in this |
| # chain and so falls through to the drop policy, which would break IPv6 neighbour |
| # discovery if IPv6 is in use on this host -- confirm whether that is intended. |
| ip protocol icmp accept |
| ct state established,related accept |
| # Packets the conntrack engine cannot associate with any known flow |
| ct state invalid drop |
| |
| {% if "services" in netprep_nftables %} |
| ## Services exposed on the external interface (one rule per entry) |
| # NOTE(review): external_if, protocol and port are rendered verbatim into each rule, so |
| # an inventory value containing whitespace or nft syntax would change the ruleset; |
| # validate them where netprep_nftables is defined (port as an integer, protocol |
| # limited to tcp/udp) -- confirm the variable source is trusted. |
| {% for item in netprep_nftables["services"] %} |
| # For service {{ item["name"] }} |
| iif "{{ netprep_nftables["external_if"] }}" {{ item["protocol"] }} dport {{ item["port"]}} accept |
| {% endfor %} |
| {% endif %} |
| |
| # Allow SSH (service name "ssh", port 22) on all interfaces |
| # NOTE(review): this includes external_if, so SSH is reachable from outside regardless of |
| # the services list; restrict it to a management interface or add a rate limit if that |
| # exposure is not required -- confirm. |
| tcp dport ssh accept |
| |
| {% if "interface_subnets" in netprep_nftables %} |
| # Allow-list for internal networks: all traffic (any protocol or port) from each listed |
| # IPv4 subnet is accepted on its interface; anything else arriving on these |
| # interfaces falls through to the drop policy. |
| {% for interface in netprep_nftables["interface_subnets"] %} |
| {% for item in netprep_nftables["interface_subnets"][interface] %} |
| iif "{{ interface }}" ip saddr {{ item }} accept |
| {% endfor %} |
| {% endfor %} |
| {% endif %} |
| } |
| chain forward { |
| # NOTE(review): policy accept means every packet routed through this host is forwarded |
| # unfiltered; together with the masquerade in table ip nat this makes the host an open |
| # router for any source that can reach it. If only the configured subnets should transit, |
| # add explicit accept rules here and switch to policy drop -- confirm the requirement. |
| type filter hook forward priority 0; policy accept; |
| } |
| chain output { |
| # Locally generated traffic is not restricted. |
| type filter hook output priority 0; policy accept; |
| } |
| } |
| |
| # NAT |
| table ip nat { |
| # IPv4-only NAT; there is no ip6 counterpart, so IPv6 traffic is never translated. |
| chain prerouting { |
| # No DNAT rules are defined; the chain only registers the hook. |
| type nat hook prerouting priority -100; |
| } |
| |
| chain postrouting { |
| type nat hook postrouting priority 100; |
| # Source-NAT everything leaving through internal_if to that interface's own address. |
| # NOTE(review): the masquerade is keyed on internal_if rather than external_if; |
| # confirm this is the intended egress interface for translated traffic. |
| oifname "{{ netprep_nftables["internal_if"] }}" masquerade; |
| {% if "ue_routing" in netprep_nftables %} |
| # Static SNAT for traffic from each source subnet towards each UE subnet, using a |
| # fixed address instead of the interface address. "counter" keeps per-rule |
| # packet/byte counts so hits can be checked with "nft list ruleset". |
| # NOTE(review): the masquerade rule above is evaluated first, so these SNAT rules only |
| # apply to flows that do not leave via internal_if -- confirm the ordering is intended. |
| {% for src_subnet in netprep_nftables["ue_routing"]["src_subnets"] %} |
| {% for ue_subnet in netprep_nftables["ue_routing"]["ue_subnets"] %} |
| ip saddr {{ src_subnet }} ip daddr {{ ue_subnet }} counter snat to {{ netprep_nftables["ue_routing"]["snat_addr"] }}; |
| {% endfor %} |
| {% endfor %} |
| |
| {% endif %} |
| } |
| } |