Nftables Mailserver

Aus Tutorials
Zur Navigation springen Zur Suche springen

Noch in Bearbeitung


Stand 10.04.2020

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
  set internal_networks_ip4 {
    type ipv4_addr
    flags interval
    auto-merge
    elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.4.0/24 }
  }

  chain input {
    type filter hook input priority 0; policy drop;

    # established/related connections
    ct state established,related accept;

    # loopback interface
    iifname lo accept;

    # icmp (ping)
    icmp type echo-request accept;

    # open sshd (22) for internal networks only
    tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"
    #tcp dport { ssh } accept comment "accept SSH from all networks"

    # open tcp ports: http (80), https (443)
    tcp dport { http, https } accept;

    # open udp ports: domain (53), openvpn (1194)
    udp dport { domain, openvpn } accept;

    # mail ports: pop3 (143), imap (110), submission (SMTP/587), smtp (25), doveadm (47111)
    tcp dport { pop3, imap2, submission, smtp, 47111 } accept;
    udp dport { imap2 } accept;

    # mysql (3306)
    meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";

    counter comment "count dropped packets"
  }


  chain forward {
    type filter hook forward priority 0; policy drop;
    counter comment "count dropped packets"
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}


Zurück zu nftables