Ferm + IPv6 + Docker
# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
domain (ip) {
    # Chains owned by the Docker daemon. ferm rewrites every table it
    # touches on (re)load, so without @preserve Docker's NAT and bridge
    # isolation rules would be flushed and published ports would stop
    # working until dockerd is restarted.
    table nat {
        chain (POSTROUTING PREROUTING OUTPUT INPUT DOCKER) @preserve;
    }
    table filter {
        # FORWARD is left to Docker as well (it carries Docker's policy and
        # jumps); DOCKER-USER is deliberately NOT preserved -- it is managed
        # below so that our own filtering runs before Docker's rules.
        chain (FORWARD DOCKER DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2) @preserve;
    }
    # NOTE(review): only the ip domain is preserved. If dockerd's ip6tables
    # support is enabled it creates the same chains in ip6 and they would be
    # flushed by ferm -- TODO confirm the daemon configuration.
}
domain(ip ip6) {
table filter {
chain DOCK-FORWARD {
    # Shared admission chain for forwarded (container-bound) traffic. It has no
    # terminal rule of its own: whatever is not ACCEPTed here falls through to
    # the caller, which is expected to drop it.
    mod state {
        # packets conntrack cannot classify are never forwarded
        state INVALID DROP;
        # replies and related packets of already-admitted connections
        state (ESTABLISHED RELATED) ACCEPT;
    }
    # New connections: only TCP/80 is admitted. Note this is matched without
    # an interface or destination restriction, so it applies to every
    # forwarded path the caller sends through this chain.
    proto tcp {
        dport 80 ACCEPT;
    }
}
# Locally generated traffic is not filtered in either address family.
chain OUTPUT {
    policy ACCEPT;
}
# Rules to protect the host
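chain INPUT {
    # Host protection: everything not explicitly accepted below is dropped.
    policy DROP;
    # connection tracking: discard what conntrack cannot classify, then
    # short-circuit packets belonging to connections the host already has
    mod state state INVALID DROP;
    mod state state (ESTABLISHED RELATED) ACCEPT;
    # allow local packet
    interface lo ACCEPT;
    # ICMP handling is per address family. $DOMAIN is ferm's built-in variable
    # holding the domain (ip or ip6) currently being generated, so the ICMPv6
    # rule is only emitted for ip6tables and the IPv4 ICMP rules only for
    # iptables -- the former would otherwise also open IP protocol 58 on IPv4,
    # and the latter (protocol 1) never matches anything on IPv6.
    @if @eq($DOMAIN, ip6) {
        # ICMPv6 must get through for NDP, router advertisements and PMTUD.
        # All types are accepted here; on a directly exposed host consider
        # narrowing this to an explicit icmpv6-type list (TODO confirm set).
        proto ipv6-icmp ACCEPT;
    } @else {
        # IPv4: echo requests only. ICMP errors for existing connections are
        # expected to be admitted by the RELATED rule above.
        proto icmp {
            icmp-type echo-request ACCEPT;
            DROP;
        }
    }
    # allow SSH connections (from any source; restrict with saddr and/or
    # rate-limit if the host is reachable from the Internet)
    proto tcp dport ssh ACCEPT;
    # the rest is dropped by the above policy
}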
}
}
domain (ip) {
table filter {
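chain DOCKER-USER {
    # Docker jumps to DOCKER-USER as the first rule of FORWARD (see Docker's
    # packet-filtering documentation), so the terminal DROP at the end of this
    # chain also stops connections *originating* in containers (DNS, HTTPS,
    # anything but TCP/80 replies) before Docker's own FORWARD rules ever see
    # them. Return those to FORWARD and let Docker's preserved chains decide,
    # which keeps its bridge isolation intact (RETURN rather than ACCEPT).
    # Only the default bridge is covered; user-defined networks use their own
    # br-* interfaces -- TODO confirm and extend if such networks are in use.
    interface docker0 RETURN;
    # jump to the chain that protects docker (inbound to containers)
    jump DOCK-FORWARD;
    # drop if we end up here (user-defined chains cannot carry a policy)
    DROP;
}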
}
}
domain (ip6) {
table filter {
chain FORWARD {
# IPv6 forwarding for containers. Docker installs no ip6tables rules in this
# setup (nothing is @preserved for ip6 above), so this chain is fully ours.
policy DROP;
# respond to icmp -- all ICMPv6 types are forwarded, which containers need
# for NDP and PMTUD; narrow to an explicit icmpv6-type list if required
proto ipv6-icmp ACCEPT;
# allow outgoing traffic from the default bridge only; user-defined Docker
# networks use their own br-* interfaces and are not covered (TODO confirm)
interface docker0 ACCEPT;
# jump to the chain that protects docker: inbound TCP/80 and established
# traffic pass, everything else falls back to the DROP policy. Containers
# with global IPv6 addresses are reachable on port 80 directly (no NAT).
jump DOCK-FORWARD;
}
}
}
# Drop-in files are read last, so rules they add are appended after the
# ones above -- e.g. extra INPUT ACCEPTs still run before the DROP policy,
# but an ACCEPT in DOCKER-USER would come after the terminal DROP.
@include ferm.d/;