@@ -5,7 +5,9 @@ flush ruleset
55table inet filter {
66 chain input {
77 type filter hook input priority 0; policy drop;
8- ct state invalid drop comment "early drop of invalid packets"
8+ ct state invalid counter drop comment "early drop of invalid packets"
9+
10+ # https://googleprojectzero.blogspot.com/2015/01/finding-and-exploiting-ntpd.html
911 iif lo accept comment "accept loopback"
1012 iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
1113 iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
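Review bot: The comment added at new line 10 is a bare URL with no statement of why it applies to the two `iif != lo ... daddr` drop rules beneath it, so the next reader must open the article to learn what those rules defend against; suggest a one-line rationale ahead of the link, e.g. `# Drop packets addressed to loopback that arrive on a non-loopback interface; see https://googleprojectzero.blogspot.com/2015/01/finding-and-exploiting-ntpd.html`. Both drop rules match on destination address only, so if the article is cited for the spoofed-loopback-source case, a corresponding `ip saddr 127.0.0.0/8` / `ip6 saddr ::1/128` drop on `iif != lo` may also be intended — confirm against the article before adding it. The `counter` added to the `ct state invalid` drop is a visibility improvement and needs no further change. The `chain input` block continues outside this hunk.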
@@ -15,7 +17,7 @@ table inet filter {
1517 ip protocol icmp icmp type echo-request counter drop
1618
1719 # Accept already established/related connections
18- ct state {established, related} accept comment "accept all connections related to connections made by us"
20+ ct state {established, related} counter accept comment "accept all connections related to connections made by us"
1921
2022 # Accept ICMP (ipv4 only)
2123 ip protocol icmp counter accept comment "allow ICMPv4 packets"
@@ -24,6 +26,7 @@ table inet filter {
2426 udp sport 67 udp dport 68 counter accept comment "allow DHCP traffic over UDP"
2527
2628 # libvirt related config
29+ iifname "virbr*" tcp dport 53 counter accept comment "allow VMs to reach the host's DNS server (dnsmasq)"
2730 iifname "virbr*" udp dport 53 counter accept comment "allow VMs to reach the host's DNS server (dnsmasq)"
2831 iifname "virbr*" udp dport 67 counter accept comment "allow VMs to reach the host's DHCP server (dnsmasq)"
2932