Ferm + IPv6 + Docker
# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
# IPv4 chains that Docker writes and rewrites at runtime.
# @preserve tells ferm to keep whatever rules are already in these chains
# instead of flushing them, so a ferm reload does not break container
# networking. Only the ip domain is preserved here; the ip6 filter table
# further down is fully owned by this file.
# DOCKER-USER is deliberately not listed: it is defined by ferm below.
domain (ip) {
    table nat chain (POSTROUTING PREROUTING OUTPUT INPUT DOCKER) @preserve;
    table filter chain (FORWARD DOCKER DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2) @preserve;
}
# Rules emitted for both iptables and ip6tables.
domain(ip ip6) {
    table filter {
        # Shared filter for forwarded (container-bound) traffic. It is
        # entered from the ip DOCKER-USER chain and the ip6 FORWARD chain
        # defined further down. It has no terminal rule of its own: a packet
        # that matches nothing here returns to the caller, which decides its
        # fate (unconditional DROP in DOCKER-USER, policy DROP in ip6 FORWARD).
        chain DOCK-FORWARD {
            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
            # NOTE(review): no interface/outerface or destination restriction,
            # so this accepts forwarded TCP/80 in every direction (host-bound
            # published port, container-originated, container-to-container).
            # Confirm that is intended; otherwise scope it to docker0.
            proto tcp dport 80 ACCEPT;
        }
        # Locally generated traffic is not filtered.
        chain OUTPUT policy ACCEPT;
        # Rules to protect the host
        chain INPUT {
            # default-deny: anything not explicitly accepted below is dropped
            policy DROP;
            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
            # allow local packet
            interface lo ACCEPT;
            # allow icmp requests only
            # Accepts every ICMPv6 type (neighbour discovery, RA, etc. need it).
            # NOTE(review): this line is also emitted in the ip domain, where it
            # is presumably inert — verify the generated rules with `ferm --noexec`.
            proto icmpv6 ACCEPT;
            # IPv4 ICMP: only echo-request is answered; all other ICMPv4 types are
            # dropped by the unconditional DROP at the end of this sub-block.
            # NOTE(review): this sub-block is emitted for ip6 as well; whether
            # `proto icmp` / `icmp-type` produce a valid ip6tables rule there is
            # not visible from this file — check the ferm output on the target.
            proto icmp {
                icmp-type echo-request ACCEPT;
                DROP;
            }
            # allow SSH connections
            # (no source restriction or rate limit; ssh is the port name from /etc/services)
            proto tcp dport ssh ACCEPT;
            # the rest is dropped by the above policy
        }
    }
}
# IPv4 hook for forwarded traffic. Per Docker's documented iptables layout the
# (preserved) FORWARD chain jumps to DOCKER-USER before any Docker rule, so this
# is the place where the host administrator filters container traffic.
domain (ip) {
    table filter {
        chain DOCKER-USER {
            # jump to the chain that protects docker
            jump DOCK-FORWARD;
            # drop if we end up here (cant be a policy)
            # User-defined chains cannot carry a policy, hence the explicit rule.
            # NOTE(review): because DOCK-FORWARD only accepts ESTABLISHED/RELATED
            # and TCP/80, new container-originated IPv4 connections to other
            # ports are dropped here as well. The ip6 FORWARD chain below, by
            # contrast, accepts `interface docker0` before the jump — confirm
            # whether the asymmetry between v4 and v6 egress is intended.
            DROP;
        }
    }
}
# IPv6 forwarding policy. Unlike the ip domain, nothing here is @preserve'd, so
# ferm owns the whole ip6 filter table.
# NOTE(review): if Docker is run with its IPv6/ip6tables integration enabled it
# also writes ip6tables chains, which a ferm reload would flush — confirm the
# daemon configuration on the target host.
domain (ip6) {
    table filter {
        chain FORWARD {
            # default-deny for everything not accepted below
            policy DROP;
            # respond to icmp
            # (forwards every ICMPv6 type, not just echo-request)
            proto ipv6-icmp ACCEPT;
            # allow outgoing traffic
            # Accepts anything arriving from docker0 regardless of the outgoing
            # interface, i.e. container egress and container-to-container traffic.
            interface docker0 ACCEPT;
            # jump to the chain that protects docker
            # Inbound (published) traffic: DOCK-FORWARD accepts established flows
            # and TCP/80; anything else falls back to the policy DROP above.
            jump DOCK-FORWARD;
        }
    }
}
# Pull in every file from the ferm.d/ directory (the trailing slash makes ferm
# include the directory contents). These fragments are processed after the rules
# above; a fragment that re-opens a chain with a terminal rule (e.g. DOCKER-USER,
# which ends in DROP) appends after that rule, so place overrides carefully.
@include ferm.d/;