antoine/visio_nrd
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
This repository has been archived on 2026-05-25. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
5edcb56305d57b7f2cb6b23e041d836c038f9de2
visio_nrd/roles/jitsi-install/files/nftables.conf
T
Antoine Ouvrard 5edcb56305 fusion des role jitsi-install et jitsi-pre-install
2021-05-04 15:08:47 +02:00

36 lines
1.5 KiB
Plaintext
Raw Blame History

#!/usr/sbin/nftables -f
flush ruleset
# family `inet` c'est pour ipv4/ipv6
table inet myfilter {
chain myglobal {
# par défaut on accepte tous les paquets entrant
type filter hook input priority 0; policy accept;
# accepte les ping (mais pas plus de 1 par seconde)
ip protocol icmp icmp type { echo-request, echo-reply } limit rate 1/second accept
ip protocol icmp icmp type { echo-request, echo-reply } drop
ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply } limit rate 1/second accept
ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply } drop
# on accepte tout le reste du traffic icmp
ip protocol icmp accept
ip6 nexthdr icmpv6 accept
# accepte le traffic qui vient de nous
ct state established,related accept
ct state invalid drop
# accepte le traffic localhost
iif lo accept
# accepte tout le traffic ssh peut importe l'origine
tcp dport 22 accept
# accepte le traffic tcp depuis le reste du monde si la cible est un des ports http, https, smtp
tcp dport {80, 443} accept
# ouvre les port udp I/O 10000 et 44446 pour jitsi
udp dport {10000, 4446} accept
udp sport {10000, 4446} accept
# count and drop any other traffic
counter drop
}
}
Reference in New Issue View Git Blame Copy Permalink