aboutsummaryrefslogtreecommitdiffstats
path: root/roles/space_server/files
diff options
context:
space:
mode:
Diffstat (limited to 'roles/space_server/files')
-rw-r--r--roles/space_server/files/nftables.conf13
1 files changed, 13 insertions, 0 deletions
diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf
index adb1208..a0c17c1 100644
--- a/roles/space_server/files/nftables.conf
+++ b/roles/space_server/files/nftables.conf
@@ -74,6 +74,9 @@ table ip filter {
iif lo accept
+ # drop incoming spoofed packages
+ iif $ext_if ip saddr { 10.0.0.0/8, $ext_net4 } drop
+
# bird etc. on fiberby link
iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept
@@ -112,6 +115,9 @@ table ip filter {
ct state established,related accept
ct state invalid drop
+ # drop incoming spoofed packages
+ iif $ext_if ip saddr { 10.0.0.0/8, $ext_net4 } drop
+
# jumbotron webhook
ip daddr $jumbotron_ip4 tcp dport 17380 counter accept
@@ -148,6 +154,10 @@ table ip6 filter {
ip6 nexthdr ipv6-icmp drop
iif lo accept
+
+ # drop incoming spoofed packages
+ iif $ext_if ip6 saddr $ext_net6 drop
+
iif { $adm_if, $wire_if, $priv_if, $free_if, $pass_if } hbh nexthdr ipv6-icmp accept
# bird etc. on fiberby link
@@ -177,6 +187,9 @@ table ip6 filter {
ct state established,related accept
ct state invalid drop
+ # drop incoming spoofed packages
+ iif $ext_if ip6 saddr $ext_net6 drop
+
# jumbotron webhook
ip6 daddr $jumbotron_ip6 tcp dport 17380 counter accept