#
# This is a WIP example policy for capirca/nftables
# Policy terms will be added as code evolves to handle them.
#
# Filter header: legacy `nftables` target (every later filter in this file uses
# `newnftables`), dual-stack (`mixed`) OUTPUT hook. Per the comment:: line the
# trailing `300` is a custom chain priority and `noverbose` presumably
# suppresses term comments in the generated ruleset — confirm against the
# generator's option parsing.
header {
comment:: "Noverbose + custom priority policy example"
target:: nftables mixed OUTPUT 300 noverbose
}
# Catch-all accept: no address/port/protocol keys, so this term matches every
# packet on the OUTPUT hook of the filter declared above. Test fixture only;
# an unconditional accept is not a reasonable egress policy on its own.
term default-accept {
comment:: "non-protocol specific allow anything test"
action:: accept
}
# Filter header: `newnftables` generator, `inet` address family, INPUT hook.
# No fourth token here, unlike the next header which appends `ACCEPT`.
# NOTE(review): `inet` is presumably IPv4-only for this generator (with `mixed`
# meaning dual-stack) — verify before relying on it.
header {
comment:: "Inbound traffic nftables policy example"
target:: newnftables inet INPUT
}
# Unconditional accept on the INPUT hook: every inbound packet reaching this
# filter is allowed. Example fixture; a real inbound filter should end in a
# deny rather than an accept-all.
term allow-anything {
action:: accept
}
# Same filter as above plus a trailing `ACCEPT` token on the target line.
# NOTE(review): this looks like the base chain's default policy (what happens
# when no term matches) — confirm against the generator; an ACCEPT default
# policy means unmatched inbound traffic is allowed, not dropped.
header {
comment:: "2 Inbound traffic nftables policy example"
target:: newnftables inet INPUT ACCEPT
}
# Unconditional accept; reuses the term name `allow-anything` from the previous
# filter, which is fine because each header starts a separate filter.
term allow-anything {
action:: accept
}
# Filter header: `newnftables`, dual-stack (`mixed`) OUTPUT hook. The terms
# that follow (up to the next header) are emitted into this filter in order.
header {
comment:: "Outbound dual-stack traffic nftables policy example"
target:: newnftables mixed OUTPUT
}
# Catch-all deny placed FIRST in this filter. Terms are emitted in the order
# written and a drop verdict ends rule evaluation in nftables, so the accept
# term that follows (`full-tuple-term`) is presumably unreachable. In a real
# policy the default deny belongs at the end of the filter.
term default-deny {
action:: deny
}
# Exercises every 5-tuple key at once. WEB_SERVERS, GOOGLE_DNS and DNS are
# symbolic names resolved from the policy's definitions, not literals.
# Matching on a fixed source port (DNS) for TCP is unusual and is here only to
# exercise the keyword; see the preceding catch-all deny for why this term
# likely never matches in this filter.
term full-tuple-term {
source-address:: WEB_SERVERS
source-port:: DNS
destination-address:: GOOGLE_DNS
destination-port:: DNS
protocol:: tcp
action:: accept
}
# NOTE(review): the `destination-port::` keyword is given twice. Repeated
# keywords accumulate into one list, so this term denies TCP to both SSH and
# DNS ports, not only SSH as the name suggests — presumably deliberate to
# exercise list merging; confirm, or drop the DNS line if SSH-only was meant.
term ssh-deny {
protocol:: tcp
destination-port:: SSH
destination-port:: DNS
action:: deny
}
# Egress anti-spoofing style term: deny anything sourced from the RFC1918,
# BOGON and RESERVED ranges (symbolic names resolved from the definitions;
# a space-separated list of several names). Position matters: it only affects
# traffic not already decided by the terms above it.
term source-address-term {
source-address:: RFC1918 BOGON RESERVED
action:: deny
}
# Filter header: `newnftables`, IPv6-only (`inet6`) OUTPUT hook, default priority.
header {
comment:: "Outbound IPv6 traffic nftables policy example"
target:: newnftables inet6 OUTPUT
}
# Sole term of the inet6 OUTPUT filter: with no match keys it denies all
# outbound IPv6 traffic handled by this filter.
term default-deny {
action:: deny
}
# Filter header: IPv6 OUTPUT again, with an explicit priority of 100 (the
# comment:: line labels this the "priority" variant of the previous filter).
header {
comment:: "Priority outbound IPv6"
target:: newnftables inet6 OUTPUT 100
}
# Accept-all term carrying a single-line comment; exercises comment emission.
term awesome-term {
comment:: "Awesomeness."
action:: accept
}
# Accept-all term with three separate comment:: lines; exercises how the
# generator joins repeated comment lines (their written order is preserved).
term multiline-comment-term {
comment:: "First line of comment."
comment:: "Second line of defense."
comment:: "Third base."
action:: accept
}
# Second accept-all term with the same comment text as `awesome-term`; a
# distinct name is required because term names must be unique within a filter.
term awesome-term3 {
comment:: "Awesomeness."
action:: accept
}
# Filter header for the keyword-coverage terms below: `newnftables`, `inet`
# family, INPUT hook. NOTE(review): `inet` is presumably IPv4-only here, which
# matters for the icmpv6 term and the "both IPv4 and IPv6" comments that follow.
header {
comment:: "This policy expected to test every combination of REQUIRED keywords."
target:: newnftables inet INPUT
}
# Accept all ICMP (any type) from the PUBLIC_NAT source range; exercises
# source-address + protocol without ports.
term test-icmp {
comment:: "Allow ICMP from company."
source-address:: PUBLIC_NAT
protocol:: icmp
action:: accept
}
# Accept only ICMP echo-request/echo-reply from any source; exercises the
# icmp-type list. Values must be valid for the protocol given on the next line.
term test-icmp-type-ip4 {
comment:: "IPv4 icmp-type test"
icmp-type:: echo-request echo-reply
protocol:: icmp
action:: accept
}
# ICMPv6 type test. NOTE(review): the enclosing filter header is `inet`, so
# an IPv6-only protocol here may be skipped or rejected by the generator —
# confirm which, or move this term under an inet6/mixed header.
term test-icmp-type-ip6 {
comment:: "IPv6 icmp-type test"
icmp-type:: multicast-listener-done router-solicit router-advertisement
protocol:: icmpv6
action:: accept
}
# Accept all UDP, no address or port restriction. NOTE(review): the comment
# claims dual-stack, but the enclosing header is `inet` — confirm the
# generator's meaning of `inet` before trusting that claim.
term test-protocol-udp {
comment:: "All UDP traffic for both IPv4 and IPv6."
protocol:: udp
action:: accept
}
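# Accept all TCP, no address or port restriction. The comment:: text was a
# copy of the UDP term's ("All UDP traffic") and contradicted the protocol
# line; it now names TCP. NOTE(review): the dual-stack claim is kept as
# written, but the enclosing header is `inet` — confirm what that family
# means for this generator.
term test-protocol-tcp {
comment:: "All TCP traffic for both IPv4 and IPv6."
protocol:: tcp
action:: accept
}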
# `option:: established` with a non-TCP protocol. The term's own comment lines
# state the intended semantics: tcp-only terms get the tcp-established flag
# treatment, otherwise ports 1024-65535 are added to destination-port. Here the
# protocol is udp, so the high-port expansion path is what is being tested.
# NOTE(review): whether the nftables generator also emits a conntrack state
# match for this option is not visible here — confirm in the generator.
term test-conntrack-established {
comment:: "only permit established connections"
comment:: "implements tcp-established flag if protocol is tcp only"
comment:: "otherwise adds 1024-65535 to required destination-ports"
destination-address:: INTERNAL
protocol:: udp
option:: established
action:: accept
}
# `option:: tcp-established` with protocol tcp: per the term's comments this
# is meant to permit only reply/established TCP traffic to INTERNAL. Note that
# a match on TCP flags alone is weaker than a conntrack state match, since the
# sender controls the flags; how this generator implements the option is not
# visible here — confirm before relying on it in a real policy.
term test-conntrack-tcp-replies {
comment:: "only permit established tcp connections, usually checked based on TCP flag settings."
comment:: "If protocol UDP is included in term"
comment:: "only adds 1024-65535 to required destination-ports."
destination-address:: INTERNAL
protocol:: tcp
option:: tcp-established
action:: accept
}
# Accept UDP to the SNMP destination port from any address; exercises
# protocol + destination-port with no address keys.
term test-port-snmp {
comment:: "Test SNMP port 161 UDP - No addresses"
protocol:: udp
destination-port:: SNMP
action:: accept
}
# Exercises source-port plus the `logging::` and `counter::` keywords. The
# only match key is the source port, which the remote sender chooses, so on
# an INPUT hook this accepts any inbound TCP that merely claims an RDP source
# port — fine as a keyword test, not as a real inbound rule.
term test-src-rdp {
comment:: "Test source port RDP 3389/tcp - No addresses"
protocol:: tcp
source-port:: RDP
logging:: syslog
counter:: somecountername
action:: accept
}
# Both source-port and destination-port set to HTTP on the same term;
# exercises the combined port match with no address keys.
term test-combined-port {
comment:: "Test src/dest 80 - No addresses"
protocol:: tcp
source-port:: HTTP
destination-port:: HTTP
action:: accept
}
# Two protocols in one term (`tcp udp`, a space-separated list) with a
# destination port range symbol; exercises protocol lists + port ranges.
term high-ports {
comment:: "Test tcp + udp high ports - No addresses"
protocol:: tcp udp
destination-port:: HIGH_PORTS
action:: accept
}