introduce a new cookbook: nftables

4 weeks ago · 3f1dc105fd
5 changed files with 73 additions and 0 deletions
--- a/cookbooks/nftables/Makefile
+++ b/cookbooks/nftables/Makefile
@ -0,0 +1,14 @@
+##
+## Makefile for nftables quadlet
+##
+
+# Additional nftables directories and files
+TARGET_FILES += $(TARGET_CHROOT)/etc/sysconfig/nftables.conf
+$(TARGET_CHROOT)/etc/sysconfig/nftables.conf: other/nftables.conf
+	install -D -o root -g root -m 755 $< $@
+
+SYSTEMD_MAIN_UNIT_NAMES = nftables.service
+
+# Include common Makefile
+include ../../scripts/common.mk
+
--- a/cookbooks/nftables/config/00-global.nft
+++ b/cookbooks/nftables/config/00-global.nft
@ -0,0 +1,46 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet itix-fw {
+    chain input {
+        type filter hook input priority filter + 20
+        policy drop
+
+        ct state invalid counter drop
+        ct state { established, related } counter accept
+
+        # Loopback
+        iifname lo counter accept
+    }
+
+    chain output {
+        type filter hook output priority filter + 20
+        policy drop
+
+        ct state invalid counter drop
+        ct state { established, related } counter accept
+
+        # Loopback
+        oifname lo counter accept
+    }
+
+    chain forward {
+        type filter hook forward priority filter + 20
+        policy drop
+
+        # Loopback
+        iifname lo oifname lo counter accept
+    }
+}
+
+table inet itix-nat {
+    chain prerouting {
+        type nat hook prerouting priority dstnat + 20
+        policy accept
+    }
+    chain postrouting {
+        type nat hook postrouting priority srcnat + 20
+        policy accept
+    }
+}
--- a/cookbooks/nftables/config/20-standard-rules.nft
+++ b/cookbooks/nftables/config/20-standard-rules.nft
@ -0,0 +1,7 @@
+#!/usr/sbin/nft -f
+
+# Enable SSH connections from anywhere
+add rule inet itix-fw input tcp dport 22 counter accept
+
+# Allow outgoing connections
+add rule inet itix-fw output counter accept
--- a/cookbooks/nftables/hooks.mk
+++ b/cookbooks/nftables/hooks.mk
@ -0,0 +1,5 @@
+# Nftables configuration files
+TARGET_NFTABLES_FILES = $(patsubst other/nftables/%, $(TARGET_CHROOT)/etc/quadlets/nftables/%, $(wildcard other/nftables/*))
+TARGET_EXAMPLE_FILES += $(TARGET_NFTABLES_FILES)
+$(TARGET_CHROOT)/etc/quadlets/nftables/%: other/nftables/%
+	install -m 0644 -o root -g root $< $@
--- a/cookbooks/nftables/other/nftables.conf
+++ b/cookbooks/nftables/other/nftables.conf
@ -0,0 +1 @@
+include "/etc/quadlets/nftables/*.nft"