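#!/usr/sbin/nft -f
# Host firewall for an XMPP (prosody) server, loaded with `nft -f`.
# The binary is invoked directly: on Linux a shebang of `/usr/bin/env nft -f`
# hands "nft -f" to env as one argument and fails to start.
#
# Only an IPv4 (`ip` family) table is defined, and `flush ruleset` clears every
# family, so IPv6 traffic (if enabled on the host) is not filtered by this file.
flush ruleset

table ip Inet4 {
    # Prerouting NAT: trusted hosts reaching 443 are redirected to local 444.
    chain NAT_in {
        type nat hook prerouting priority -100
        # Trusted hosts (192.168.1.96/29): 443 -> 444 on this host
        tcp dport 443 ip saddr 192.168.1.96/29 redirect to 444
    }

    chain NAT_out {
        type nat hook postrouting priority 100
        # NOTE(review): nat chains are consulted for the first packet of a
        # connection only, and the redirect above is delivered locally, so this
        # masquerade looks inert with the current rules — confirm before relying on it.
        ct status dnat masquerade
    }

    # Inbound filter: default deny, explicit allow list.
    chain FilterIn {
        type filter hook input priority 0
        policy drop
        # allow established/related connections
        ct state {established, related} accept
        # early drop of invalid connections
        ct state invalid drop
        # allow from loopback
        meta iif lo accept
        # allow icmp (all types, unrate-limited)
        ip protocol icmp accept
        # trusted https: accept connections DNAT'd by NAT_in (443 -> 444);
        # port 444 is not opened directly, so only the trusted subnet reaches it
        ct status dnat accept
        # https
        tcp dport 443 accept
        # xmpp client
        tcp dport 5222 accept
        # xmpp server
        tcp dport 5269 accept
        # xmpp components
        tcp dport 5347 accept
    }

    # Outbound filter: default deny; only the resolvers and the prosody user.
    chain FilterOut {
        type filter hook output priority 0
        policy drop
        ct state {established, related} accept
        meta oif lo accept
        # DNS resolvers
        # NOTE(review): this allows any protocol/port to the listed addresses,
        # not just DNS (53) — confirm whether `udp dport 53` / `tcp dport 53`
        # should be added to narrow it.
        ip daddr { 80.67.169.12, 80.67.169.40, 87.98.175.85, 5.135.183.146, 8.8.8.8 } accept
        # any outbound traffic from sockets owned by the prosody user
        # (not restricted by destination or port)
        meta skuid prosody accept
    }
}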