Initial commit

2026-03-16 22:18:16 +01:00
commit f806c8046c
7 changed files with 103 additions and 0 deletions
--- a/etc_conf/daemon.json
+++ b/etc_conf/daemon.json
@@ -0,0 +1,5 @@
+{
+  "default-address-pools": [
+    {"base": "172.16.0.0/13", "size": 24}
+  ]
+}
--- a/etc_conf/nftables.conf
+++ b/etc_conf/nftables.conf
@@ -0,0 +1,33 @@
+#!/usr/bin/nft -f
+# vim:set ts=2 sw=2 et:
+
+destroy table inet filter
+destroy table ip filter-custom
+
+table inet filter {
+  chain input {
+    type filter hook input priority filter
+    policy drop
+
+    ct state invalid drop comment "early drop of invalid connections"
+    ct state {established, related} accept comment "allow tracked connections"
+    iif lo accept comment "allow from loopback"
+    ip protocol icmp accept comment "allow icmp"
+    meta l4proto ipv6-icmp accept comment "allow icmp v6"
+    tcp dport ssh accept comment "allow sshd"
+    pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
+    counter
+  }
+
+  chain forward {
+    type filter hook forward priority filter + 1; policy drop;
+  }
+}
+
+table ip filter-custom {
+  chain forward {
+    type filter hook forward priority filter - 1; policy accept;
+    ct state established,related accept
+    ip saddr 172.16.0.0/12 ip daddr 192.168.0.0/16 drop
+  }
+}