Nftables Mailserver: Unterschied zwischen den Versionen
(Die Seite wurde neu angelegt: „ Zurück zu nftables“) |
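--- a/Nftables_Mailserver
+++ b/Nftables_Mailserver
@@ -1,1 +1,43 @@
+== Stand 10.04.2020 ==
+<pre>
+#!/usr/sbin/nft -f
+flush ruleset
+table inet filter {
+set internal_networks_ip4 {
+type ipv4_addr
+flags interval
+auto-merge
+elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.4.0/24 }
+}
+chain input {
+type filter hook input priority 0; policy drop;
+# established/related connections
+ct state established,related accept;
+# loopback interface
+iifname lo accept;
+# icmp (ping)
+icmp type echo-request accept;
+# open sshd (22) for internal networks only
+tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"
+#tcp dport { ssh } accept comment "accept SSH from all networks"
+# open tcp ports: http (80), https (443)
+tcp dport { http, https } accept;
+# open udp ports: domain (53), openvpn (1194)
+udp dport { domain, openvpn } accept;
+# mail ports: pop3 (143), imap (110), submission (SMTP/587), smtp (25), doveadm (47111)
+tcp dport { pop3, imap2, submission, smtp, 47111 } accept;
+udp dport { imap2 } accept;
+# mysql (3306)
+meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";
+counter comment "count dropped packets"
+}
+chain forward {
+type filter hook forward priority 0; policy drop;
+counter comment "count dropped packets"
+}
+chain output {
+type filter hook output priority 0; policy accept;
+}
+}
+</pre>
 Zurück zu [[Nftables_(Linux)#Beispielkonfigurationen|nftables]]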
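Review bot: The mail rule `tcp dport { pop3, imap2, submission, smtp, 47111 } accept;` in chain input accepts the doveadm port 47111 from every source address, while ssh and mysql in the same chain are limited to @internal_networks_ip4; doveadm is an administrative/replication service and should get the same restriction, e.g. `tcp dport 47111 ip saddr @internal_networks_ip4 accept comment "accept doveadm from internal networks"`. The table is of family inet with policy drop but only `icmp type echo-request` is accepted, so if the host uses IPv6 at all, neighbour discovery and router advertisements are dropped; an `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept` rule would be needed in that case. The comment above the mail rule swaps the port numbers: pop3 is 110 and imap is 143. `udp dport { imap2 } accept;` accepts UDP/143 although IMAP has no UDP transport, so that line only widens exposure and can be dropped.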
Version vom 10. April 2020, 12:22 Uhr
Stand 10.04.2020
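#!/usr/sbin/nft -f
# Host firewall for the mail server. The table uses the inet family, so every
# rule below applies to both IPv4 and IPv6; input and forward default to drop,
# output is left open.
flush ruleset

table inet filter {
    # Source ranges that may reach the administrative services (ssh, mysql).
    set internal_networks_ip4 {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.4.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        # established/related connections
        ct state established,related accept;
        # loopback interface
        iifname lo accept;
        # icmp (ping)
        # NOTE(review): only IPv4 ICMP is accepted; with the inet family and
        # policy drop, ICMPv6 (neighbour discovery, router advertisements) is
        # dropped - confirm the host is IPv4-only.
        icmp type echo-request accept;
        # open sshd (22) for internal networks only
        tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"
        #tcp dport { ssh } accept comment "accept SSH from all networks"
        # open tcp ports: http (80), https (443)
        tcp dport { http, https } accept;
        # open udp ports: domain (53), openvpn (1194)
        udp dport { domain, openvpn } accept;
        # mail ports: pop3 (110), imap (143), submission (SMTP/587), smtp (25), doveadm (47111)
        # NOTE(review): doveadm (47111) is reachable from any source here,
        # unlike ssh and mysql, which are limited to @internal_networks_ip4.
        tcp dport { pop3, imap2, submission, smtp, 47111 } accept;
        # NOTE(review): IMAP is TCP-only; this accepts UDP/143 - confirm
        # anything actually needs it.
        udp dport { imap2 } accept;
        # mysql (3306) from internal networks only; matched on the transport
        # header so the same rule covers tcp and udp
        meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";
        # everything else falls through to the chain policy (drop)
        counter comment "count dropped packets"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}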
Zurück zu nftables