| author | Arun Isaac | 2025-09-24 11:31:29 +0100 |
|---|---|---|
| committer | Arun Isaac | 2025-09-24 12:14:58 +0100 |
| commit | 27cf08e40e7d57e74878c58aab5f4427c8078817 (patch) | |
| tree | 3a8917d26944b441fffcc089dc67e1cfdc65cd5f | |
| parent | 0789ed7b30807095c87400b6faec173143eba802 (diff) | |
| download | machines-27cf08e40e7d57e74878c58aab5f4427c8078817.tar.gz machines-27cf08e40e7d57e74878c58aab5f4427c8078817.tar.lz machines-27cf08e40e7d57e74878c58aab5f4427c8078817.zip | |
steel: Add nftables firewall.
| -rw-r--r-- | steel-nftables.conf | 12 | ||||
| -rw-r--r-- | steel.scm | 3 |
2 files changed, 15 insertions, 0 deletions
diff --git a/steel-nftables.conf b/steel-nftables.conf
new file mode 100644
index 0000000..e5d379c
--- /dev/null
+++ b/steel-nftables.conf
@@ -0,0 +1,12 @@
+table ip filter {
+ chain input {
+ # Drop all traffic by default.
+ type filter hook input priority 0; policy drop;
+ # Allow traffic from established connections.
+ ct state vmap { established: accept, related: accept, invalid: drop }
+ # Allow loopback traffic.
+ iifname lo accept
+ # Allow 8080 for occasional darkhttpd use.
+ tcp dport 8080 accept
+ }
+}
\ No newline at end of file
diff --git a/steel.scm b/steel.scm
index c37512c..601ee27 100644
--- a/steel.scm
+++ b/steel.scm
@@ -89,6 +89,9 @@
 (program (file-append slock "/bin/slock"))))
 (service alsa-service-type)
 (service dhcpcd-service-type)
+ (service nftables-service-type
+ (nftables-configuration
+ (ruleset (local-file "steel-nftables.conf"))))
 (service dicod-service-type)
 (service ntp-service-type)
 (service pulseaudio-service-type) |
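Review bot: The ruleset at `+table ip filter {` attaches only to the IPv4 hook, so IPv6 traffic is not filtered at all and any service listening on a v6 address stays reachable despite the `policy drop`; since the same commit enables dhcpcd, which as far as I can tell configures IPv6 (SLAAC) by default, this gap is probably live. Declaring `table inet filter {` instead makes the one chain cover both families. That in turn requires letting ICMPv6 neighbour and router discovery through before the drop, e.g. `meta l4proto ipv6-icmp accept` (or a narrower `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept`), plus `ip protocol icmp accept` if IPv4 ping should keep working. Separately, `tcp dport 8080 accept` is a permanent opening for an "occasional" service; consider restricting it to the local network with a source match such as `ip saddr 192.168.0.0/16 tcp dport 8080 accept` (adjust to the real LAN prefix), or adding the rule only while darkhttpd is running.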
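Review bot: The `ruleset` given to `nftables-configuration` is only parsed at boot when the shepherd service runs `nft -f`, so a syntax error in steel-nftables.conf would, as far as I can tell from Guix's service definition, leave the service failed and the host running with no input policy rather than failing the reconfigure. Validate the file before deploying with `nft -c -f steel-nftables.conf` and confirm `herd status nftables` reports it running after the first boot. The enclosing `services` list starts and ends outside the hunk.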
