2 ################################################
3 ### Managed by someone's ansible provisioner ###
4 ################################################
5 # Part of: https://git.somenet.org/root/pub/somesible.git
6 # 2017-2024 by someone <someone@somenet.org>
#
# NOTE(review): this excerpt is incomplete -- the `table` / `chain` declarations and
# the rules on the line numbers missing between the ones shown are not on this page,
# so the effective policy of each chain cannot be judged from here alone.
#
# Conntrack helper object for FTP; disabled. It only makes sense together with the
# `ct helper set "ftp-standard"` rule further down -- enable both or neither.
12 # ct helper ftp-standard { type "ftp" protocol tcp; }
# Alternative prerouting chain header at raw priority (-300); disabled. Conntrack
# (-200) has not run yet at raw, so `ct state` / `ct mark` rules would not see
# connection state there.
15 # type filter hook prerouting priority raw; policy accept;
17 # # accept any local traffic.
18 # iifname "lo" counter accept
20 # # accept all other traffic, by policy.
# Active prerouting chain header. Priority -150 (mangle) sits after conntrack (-200),
# so the ct state / ct mark rules below do see connection state.
24 type filter hook prerouting priority -150; policy accept;
26 # accept any local traffic.
27 iifname "lo" counter accept
29 ###################################
30 # incoming, public facing traffic #
31 ###################################
32 # mark outside-initiated incoming connections.
# First packet of a new inbound flow: set packet mark 2 and copy it into the
# conntrack mark, so every later packet of that flow carries it (matched via `ct mark`).
33 ct state new meta mark set 2 ct mark set meta mark
35 # accept traffic originated from us.
36 ct state established,related counter accept
38 # accept neighbour discovery otherwise IPv6 connectivity breaks.
# NOTE(review): only the three ND types are listed; icmpv6 echo-request,
# packet-too-big and the other ICMPv6 error types are not. Whether that matters
# depends on what the rest of this chain (not fully shown here) does with
# unmatched traffic -- confirm against the complete ruleset.
39 ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} counter accept
40 ip protocol icmp icmp type { echo-request} counter accept
42 # accept connections to these services.
# NOTE(review): `dport 2` is an unusual port; it looks like a rendered template
# value (ssh would be 22) -- confirm against the provisioner variables.
43 tcp dport 2 ct state new counter accept
45 # switch to something better than ftp, ssh/sftp for example, but if you must, use the ftp conntrack helper.
46 # tcp dport 21 ct state new ct helper set "ftp-standard" counter accept
48 # count and accept any other traffic.
# (the rule implementing this, and whatever follows it, is outside this excerpt)
# Chain headers for the input / forward / output hooks; all disabled here.
53 # type filter hook input priority 0; policy accept;
57 # type filter hook forward priority 0; policy accept;
61 # type filter hook output priority 0; policy accept;
# Active postrouting chain header, priority 150, i.e. after the srcnat hook (100)
# used by the masquerade example at the bottom.
66 type filter hook postrouting priority 150; policy accept;
# loopback-bound traffic is accepted before the marking rule below runs.
68 oifname "lo" counter accept
70 ###################################
71 # outgoing, public facing traffic #
72 ###################################
73 # mark inside-initiated outgoing connections.
# Flows that reach postrouting with a zero conntrack mark were not marked 2 by the
# prerouting rule above, i.e. not started from outside; mark them 1 and persist it.
74 ct mark 0 meta mark set 1 ct mark set meta mark
76 # count and accept all traffic.
# Disabled NAT examples: redirect local HTTP/HTTPS to :1080 / :10443, and
# masquerade traffic leaving eth0 with fully-random, persistent port allocation.
84 # type nat hook prerouting priority dstnat; policy accept;
85 # meta l4proto tcp ip daddr 127.0.0.1 tcp dport 80 counter redirect to :1080
86 # meta l4proto tcp ip daddr 127.0.0.1 tcp dport 443 counter redirect to :10443
89 # type nat hook postrouting priority 100; policy accept;
90 # oifname "eth0" counter masquerade fully-random,persistent