Revision 7940fb07
Adapt readme to the refactoring
README.md | ||
---|---|---|
5 | 5 |
By default it sets up a firewall that drops every incoming |
6 | 6 |
and outgoing connection. |
7 | 7 |
|
8 |
It only allows outgoing dns,ntp and web traffic. |
|
8 |
It only allows outgoing dns, ntp and web and ingoing ssh |
|
9 |
traffic. |
|
9 | 10 |
|
10 | 11 |
The config file has a inet filter and a ip nat table setup. |
11 | 12 |
|
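Review bot: "ingoing" on the right-hand line 8 should be "incoming"; line 5 of the same README already uses "incoming and outgoing", so the new sentence should match. Because this change documents that the default policy now accepts inbound ssh on top of the outgoing dns/ntp/web allowances, consider stating that as its own sentence, e.g. `Incoming ssh connections are also accepted by default.`, so the exception to the "drops every incoming and outgoing connection" statement on lines 5-6 is not missed by operators who rely on the default ruleset.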
... | ... | |
24 | 25 |
`custom-*.nft` files before hand. |
25 | 26 |
|
26 | 27 |
The filter and NAT tables both have all the master chains |
27 |
(INPUT,OUTPUT,FORWARD) configured, to which you can hook |
|
28 |
in your own chains that can contain specific rules. |
|
28 |
(INPUT, OUTPUT, FORWARD in case of filter and PREROUTING |
|
29 |
and POSTROUTING in case of NAT) configured, to which you |
|
30 |
can hook in your own chains that can contain specific |
|
31 |
rules. |
|
29 | 32 |
|
30 | 33 |
All filter masterchains drop by default. |
31 | 34 |
By default we have a set of default_MASTERCHAIN chains |
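Review bot: with the NAT master chains (PREROUTING, POSTROUTING) now documented on lines 28-31, line 33 "All filter masterchains drop by default." leaves the default policy of the NAT chains unstated; add a sentence next to it giving the NAT chains' policy so readers do not assume they drop as well. Minor: the parenthetical on lines 28-29 is long enough that listing the two tables separately (filter: INPUT, OUTPUT, FORWARD; nat: PREROUTING, POSTROUTING) would read more easily than one nested sentence.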
... | ... | |
36 | 39 |
There is a global chain, that defines the default behavior |
37 | 40 |
for all masterchains. |
38 | 41 |
|
39 |
INPUT and OUTPUT to the loopback device is allowed by default,
|
|
40 |
though you could restrict it later. |
|
42 |
INPUT and OUTPUT to the loopback device is allowed by |
|
43 |
default, though you could restrict it later.
|
|
41 | 44 |
|
42 | 45 |
### nftables::config |
43 | 46 |
|
... | ... | |
45 | 48 |
|
46 | 49 |
Use this for any custom table files. |
47 | 50 |
|
48 |
## nftables::chain_file
|
|
51 |
## nftables::chain |
|
49 | 52 |
|
50 |
Prepares a chain file as a `concat` file to which you will be
|
|
51 |
able to add dedicated rules through `concat::fragments`.
|
|
53 |
Prepares a chain file as a `concat` file to which you will |
|
54 |
be able to add dedicated rules through `nftables::rule`.
|
|
52 | 55 |
|
53 |
The name must follow the pattern `TABLE@chain_name`, e.g. |
|
54 |
`filter@my_chain`. This will a) prepare a snippet defining |
|
55 |
the chain, that will be included in the filter table. |
|
56 |
The name must be unique for all chains. The inject |
|
57 |
parameter can be used to directly add a jump to a |
|
58 |
masterchain. inject must follow the pattern |
|
59 |
`ORDER-MASTERCHAIN`, where order references a 2-digit |
|
60 |
number which defines the rule order (by default use e.g. 20) |
|
61 |
and masterchain references the chain to hook in the new |
|
62 |
chain. |
|
56 | 63 |
|
57 |
This define is more intended as a helper to setup chains |
|
58 |
that will be used for the different tables, through their |
|
59 |
own defines. See `nftables::filter::chain` as an example. |
|
64 |
## nftables::rule |
|
60 | 65 |
|
61 |
## nftables::filter::chain |
|
62 |
|
|
63 |
This setups a chain for the filter table. You will be able |
|
64 |
to add rules to that chain by using `nftables::filter::chain::rule`. |
|
65 |
|
|
66 |
The name must follow the pattern: `MASTERCHAIN-new_chain_name`, which |
|
67 |
defines to which masterchain that custom chain should be hooked into. |
|
68 |
|
|
69 |
new_chain_name must be unique for all chains. |
|
70 |
|
|
71 |
There is automatically a `jump` instruction added to the masterchain, |
|
72 |
with the order preference. |
|
73 |
|
|
74 |
## nftables::filter::chain::rule |
|
75 |
|
|
76 |
A simple way to add rules to your custom chain. The name must be: |
|
77 |
`CHAIN_NAME-rulename`, where CHAIN_NAME refers to your chain and |
|
78 |
an arbitrary name for your rule. |
|
79 |
The rule will be a `concat::fragment` to the chain `concat`. |
|
66 |
A simple way to add rules to any chain. The name must be: |
|
67 |
`CHAIN_NAME-rulename`, where CHAIN_NAME refers to your |
|
68 |
chain and an arbitrary name for your rule. |
|
69 |
The rule will be a `concat::fragment` to the chain |
|
70 |
`CHAIN_NAME`. |
|
80 | 71 |
|
81 | 72 |
You can define the order by using the `order` param. |
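Review bot: in the new `nftables::chain` description (lines 54-55) "This will a) prepare a snippet defining the chain, that will be included in the filter table" has a dangling "a)" with no "b)" and hard-codes "filter", although the `TABLE@chain_name` pattern on line 53 allows any table; suggest `This will prepare a snippet defining the chain, which will be included in the TABLE table.` The `nftables::rule` text on lines 66-70 then gives the name as `CHAIN_NAME-rulename` but does not say whether CHAIN_NAME is the full `TABLE@chain_name` title used on line 53 or only the bare chain name; one worked example (a chain title and the matching rule title) would settle it, and "refers to your chain and an arbitrary name for your rule" should read "refers to your chain and rulename is an arbitrary name for your rule". Style: the new `## nftables::chain` and `## nftables::rule` headings sit at a different level from the unchanged `### nftables::config` on line 45; pick one level for these sibling sections.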