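#!/usr/sbin/nft -f
{#
SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
SPDX-License-Identifier: Apache-2.0
#}

# nftables ruleset, rendered from the Jinja variable `netprep_nftables`.
# Keys read by this template: internal_if, external_if, and the optional
# sections services, interface_subnets and ue_routing.
# `nft -f` applies the file as one transaction: a single syntax error rejects
# the whole file and keeps the previous ruleset, it never half-applies.

flush ruleset

# Primary rules
table inet filter {
    chain input {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        # The basic rules to accept ICMP and established connection
        iif "lo" accept
        # Only IPv4 ICMP is accepted. This is an `inet` table with a drop
        # policy, so ICMPv6 (including neighbour discovery) is dropped too;
        # if IPv6 is ever enabled on this host, `meta l4proto ipv6-icmp accept`
        # is needed here as well.
        ip protocol icmp accept
        ct state established,related accept
        ct state invalid drop

        {% if "services" in netprep_nftables %}
        ## The service present on this server
        # Interfaces are matched with iifname (by name) rather than iif (by
        # interface index): iif makes the load fail when the interface does not
        # exist yet and stops matching if the interface is re-created with a new
        # index. This also matches the oifname match used in the nat table below.
        {% for item in netprep_nftables["services"] %}
        # For service {{ item["name"] }}
        iifname "{{ netprep_nftables["internal_if"] }}" {{ item["protocol"] }} dport {{ item["port"] }} accept
        {% endfor %}
        {% endif %}

        # Allow SSH on all interfaces. This includes external_if, so SSH is
        # reachable from outside and must be hardened independently of this
        # ruleset.
        tcp dport ssh accept

        {% if "interface_subnets" in netprep_nftables %}
        # The ingress traffic restriction of internal networks: on each listed
        # interface only the listed source subnets may reach this host.
        {% for interface in netprep_nftables["interface_subnets"] %}
        {% for item in netprep_nftables["interface_subnets"][interface] %}
        iifname "{{ interface }}" ip saddr {{ item }} accept
        {% endfor %}
        {% endfor %}
        {% endif %}
    }
    chain forward {
        # Routed (forwarded) traffic is not filtered by this ruleset; any
        # restriction between the internal and external side has to be added here.
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# NAT
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        # Source-NAT everything leaving through the external interface.
        oifname "{{ netprep_nftables["external_if"] }}" masquerade;
        {% if "ue_routing" in netprep_nftables %}
        # Traffic from each src_subnet towards each ue_subnet is SNATed to
        # snat_addr; `counter` makes the hits visible in `nft list ruleset`.
        # NOTE(review): nat statements terminate chain evaluation, so packets
        # that leave via external_if are already masqueraded above and never
        # reach these rules; if UE subnets are reached through external_if,
        # these rules must be placed before the masquerade rule — confirm.
        {% for src_subnet in netprep_nftables["ue_routing"]["src_subnets"] %}
        {% for ue_subnet in netprep_nftables["ue_routing"]["ue_subnets"] %}
        ip saddr {{ src_subnet }} ip daddr {{ ue_subnet }} counter snat to {{ netprep_nftables["ue_routing"]["snat_addr"] }};
        {% endfor %}
        {% endfor %}

        {% endif %}
    }
}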