Added range example, more comments
parent
4580f9066a
commit
7d8bb3490a
@ -1,37 +1,103 @@
|
||||||
#!/usr/sbin/nft -f
|
#!/usr/sbin/nft -f
|
||||||
|
#
|
||||||
|
# Example nftables config for:
|
||||||
|
# - Public web ports (80/443) via Traefik
|
||||||
|
# - SSH + AI services accessible ONLY over ZeroTier (zt+)
|
||||||
|
# - Default deny for everything else
|
||||||
|
|
||||||
flush ruleset
|
flush ruleset
|
||||||
|
|
||||||
|
#
|
||||||
|
# Adjust these to match your system
|
||||||
|
#
|
||||||
|
define wan_if = "eno1" # WAN interface (optional use; mainly for clarity)
|
||||||
|
define vpn_if_pref = "zt+" # ZeroTier interfaces start with "zt"
|
||||||
|
# define lan_if = "br0" # If you later want LAN-specific rules
|
||||||
|
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
|
|
||||||
|
#
|
||||||
|
# Named sets for ports
|
||||||
|
#
|
||||||
|
|
||||||
|
# Ports allowed *only* over ZeroTier (VPN) interface(s)
|
||||||
|
set zt_tcp_ports {
|
||||||
|
type inet_service
|
||||||
|
comment "SSH + AI services via ZeroTier only"
|
||||||
|
elements = {
|
||||||
|
22, # SSH
|
||||||
|
7860, # Stable Diffusion
|
||||||
|
8000, # vLLM or similar
|
||||||
|
8080-8089, # Llamafile, Sandbox UIs, etc. (range example)
|
||||||
|
8501, # Sandbox Fusion / Streamlit-style
|
||||||
|
11434 # Ollama
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Ports allowed on WAN (public Internet)
|
||||||
|
set wan_tcp_ports {
|
||||||
|
type inet_service
|
||||||
|
comment "Public-facing services (Traefik, etc.)"
|
||||||
|
elements = {
|
||||||
|
80, # HTTP (redirect to HTTPS)
|
||||||
|
443 # HTTPS
|
||||||
|
# Add mail etc. here if you ever expose them:
|
||||||
|
# 25, 465, 587, 993
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority 0;
|
type filter hook input priority 0;
|
||||||
|
|
||||||
|
#
|
||||||
|
# Baseline allow rules
|
||||||
|
#
|
||||||
|
|
||||||
|
# Allow loopback
|
||||||
iif lo accept
|
iif lo accept
|
||||||
|
|
||||||
|
# Allow established/related
|
||||||
ct state established,related accept
|
ct state established,related accept
|
||||||
|
|
||||||
|
# ICMP (ping, path MTU, etc.)
|
||||||
ip protocol icmp accept
|
ip protocol icmp accept
|
||||||
ip6 nexthdr icmpv6 accept
|
ip6 nexthdr icmpv6 accept
|
||||||
|
|
||||||
# SSH via ZeroTier only (interfaces starting with zt)
|
#
|
||||||
iifname "zt+" tcp dport 22 accept
|
# Interface/port-specific rules
|
||||||
|
#
|
||||||
|
|
||||||
# Public web via Traefik
|
# --- ZeroTier-only services (SSH + AI stack) ---
|
||||||
tcp dport { 80, 443 } accept
|
# Any TCP port in @zt_tcp_ports is allowed only when coming
|
||||||
|
# from an interface whose name starts with "zt".
|
||||||
|
iifname $vpn_if_pref tcp dport @zt_tcp_ports accept
|
||||||
|
|
||||||
# Example: AI services only accessible via ZeroTier
|
# --- Public web (Traefik) ---
|
||||||
iifname "zt+" tcp dport { 7860,8080,11434,8000,8501 } accept
|
# Allow HTTP/HTTPS on any interface (typically WAN),
|
||||||
|
# but you could restrict to $wan_if if you want:
|
||||||
|
# iifname $wan_if tcp dport @wan_tcp_ports accept
|
||||||
|
tcp dport @wan_tcp_ports accept
|
||||||
|
|
||||||
|
#
|
||||||
|
# Anything not matched above is dropped.
|
||||||
|
#
|
||||||
counter drop
|
counter drop
|
||||||
}
|
}
|
||||||
|
|
||||||
chain forward {
|
chain forward {
|
||||||
type filter hook forward priority 0;
|
type filter hook forward priority 0;
|
||||||
|
|
||||||
|
# By default, block forwarding. If you later do routing/NAT,
|
||||||
|
# you can add more specific rules here.
|
||||||
drop
|
drop
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority 0;
|
type filter hook output priority 0;
|
||||||
|
|
||||||
|
# Start with allow-all outbound.
|
||||||
|
# You can tighten this later if you want strict egress control.
|
||||||
accept
|
accept
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
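Review bot: The new `zt_tcp_ports` set holds a range element `8080-8089` but declares no `flags interval;`, and nft refuses range elements in a set that lacks that flag, so the whole file fails to load rather than just that set (if the rendered diff is reading correctly, no `flags` line is present in the set). Because `nft -f` applies the file atomically, a load failure at boot leaves the host with no ruleset and accept-by-default input, which exposes SSH and the AI ports on every interface instead of only over ZeroTier. Add `flags interval;` directly after `type inet_service` in the `zt_tcp_ports` set (the `wan_tcp_ports` set has no ranges and does not need it). Separately, the `input` chain hook line still carries no policy, so the default-deny the header comment promises rests entirely on the trailing `counter drop` rule; `type filter hook input priority 0; policy drop;` makes the chain fail closed even if that last rule is ever edited or reordered. The same applies to the `forward` chain's `drop` line.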