Nftables Mailserver
Noch in Bearbeitung
Stand 10.04.2020
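#!/usr/sbin/nft -f
# Host firewall for the mail server.
# The table family is "inet", so every rule applies to IPv4 AND IPv6 unless it is
# qualified with "ip"/"ip6" -- keep that in mind for the policy-drop input chain.
flush ruleset

table inet filter {
    # Trusted IPv4 ranges that may reach management services (SSH, MySQL, doveadm).
    # There is no IPv6 counterpart, so those services stay unreachable over IPv6.
    set internal_networks_ip4 {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.4.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Packets conntrack cannot classify (bogus TCP flags, out-of-window
        # segments) are dropped before any accept rule can match them.
        ct state invalid drop
        # Replies to flows we initiated/allowed, including RELATED ICMP errors
        # (destination-unreachable, time-exceeded, ...) for tracked connections.
        ct state established,related accept
        # loopback interface
        iifname "lo" accept

        # IPv4 ICMP: ping (ICMP errors for known flows are already covered by RELATED above).
        icmp type echo-request accept
        # IPv6 ICMP: neighbor discovery and router advertisements are not tracked by
        # conntrack, so without this rule a policy-drop inet chain breaks IPv6 on the
        # host entirely; packet-too-big is required for path-MTU discovery.
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # sshd (22) for internal networks only
        tcp dport ssh ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"
        #tcp dport ssh accept comment "accept SSH from all networks"

        # public tcp ports: http (80), https (443)
        tcp dport { http, https } accept

        # public udp ports: domain (53), openvpn (1194)
        # NOTE(review): 53/udp is open to the world. If this host is an authoritative
        # server or public resolver, 53/tcp is also needed (large answers, AXFR); if it is
        # only a local resolver, restrict 53 to @internal_networks_ip4 -- an open
        # recursive resolver is an amplification vector.
        udp dport { domain, openvpn } accept

        # mail ports: pop3 (110), imap (143), submission (587), smtp (25).
        # Names resolve via /etc/services; "imap2" is the Debian name for 143/tcp.
        # (IMAP/POP3 are TCP-only protocols, so no UDP rule is needed for them.)
        tcp dport { pop3, imap2, submission, smtp } accept
        # doveadm (47111) is an admin/replication port and must not be reachable from
        # everywhere. The replication peer must be inside internal_networks_ip4;
        # add its address to the set (or a dedicated one) rather than opening the port globally.
        tcp dport 47111 ip saddr @internal_networks_ip4 accept comment "accept doveadm from internal networks"

        # mysql (3306/tcp) from internal networks only; MySQL has no UDP transport,
        # so a plain tcp dport match replaces the raw transport-header lookup.
        tcp dport 3306 ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks"

        counter comment "count dropped packets"
    }

    chain forward {
        # This host does not route; nothing is forwarded (OpenVPN clients can only
        # reach the host itself with this policy).
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}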