File: //etc/nftables.conf
#!/usr/sbin/nft -f
flush ruleset
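# Single dual-stack (inet) table.  NOTE: this is a DEFAULT-ALLOW ruleset -
# both base chains below end in `policy accept`.  The whitelist sets therefore
# do not "open" anything; they only exempt a source/destination from the ban
# sets and from the explicit drop chains further down.  Anything that matches
# no drop rule is accepted.
table inet filter {
    ## Inbound whitelists on the public interface (eth1) are needed largely to
    ## handle Machine->Rsync calls: the current implementation runs rsync in
    ## daemon mode on a random high port on the public interface, so peers
    ## cannot be pinned to a fixed port and are exempted by source address
    ## instead.
    define wl_dh = {
        127.0.0.1,
        66.33.192.0/19,
        205.196.208.0/20,
        64.111.96.0/19,
        67.205.0.0/18,
        75.119.192.0/19,
        69.163.128.0/17,
        208.113.160.0/19,
        208.113.192.0/19,
        208.97.128.0/18,
        208.113.128.0/19,
        173.236.128.0/17,
        64.90.32.0/19,
        107.180.224.0/19,
    }

    # Whitelist data EKS (individual node/NAT addresses).
    define wl_dh_eks = {
        44.193.25.197,
        34.237.222.172,
        18.207.133.154,
        3.238.179.3,
        18.207.130.237,
        3.235.250.83,
        34.206.152.150,
        3.239.113.214,
        107.20.105.74,
        54.212.104.5,
        54.213.192.116,
        35.165.188.89,
        44.229.156.44,
        44.238.188.181,
    }

    # Reserved internal whitelisting: union of the two defines above.
    # `auto-merge` collapses overlapping/adjacent ranges so the union loads
    # even if a later edit adds a prefix already covered by another.
    set dh_internal {
        type ipv4_addr
        flags interval
        auto-merge
        elements = {
            $wl_dh,
            $wl_dh_eks,
        }
    }

    # Sources allowed to scrape the exporter ports handled in dh_metrics.
    set dh_metrics_ips {
        type ipv4_addr
        flags interval
        elements = {
            10.0.0.0/8,
            66.33.200.0/25,
            66.33.205.224/27,
            64.90.62.192/27,
            64.90.62.224/27
        }
    }

    # Exporter ports (9100/9633/9598): reachable only from dh_metrics_ips.
    # The accept is scoped to those ports on purpose - an unscoped
    # `ip saddr @dh_metrics_ips accept` would let *any* packet from these
    # sources skip the ban sets and dh-explicit-drop in `input`.
    chain dh_metrics {
        ip saddr @dh_metrics_ips tcp dport { 9100, 9633, 9598 } counter accept
        # Everyone else is refused; one rule per port keeps a per-port counter.
        tcp dport 9100 counter drop
        tcp dport 9633 counter drop
        tcp dport 9598 counter drop
    }

    # Hosts allowed to reach the NRPE agent (5666).
    set dh_nrpe_ips {
        type ipv4_addr
        elements = { 66.33.200.4,208.113.156.25,10.5.23.122, }
    }

    # NRPE port: reachable only from dh_nrpe_ips.  Scoped to the port for the
    # same reason as dh_metrics above.
    chain dh_nrpe {
        ip saddr @dh_nrpe_ips tcp dport 5666 counter accept
        tcp dport 5666 counter drop
    }

    # Intended actionable sets below.  They are created empty here and are
    # meant to be populated at runtime (`nft add element ...`), presumably by
    # an external ban/whitelist tool - confirm which process owns them.
    # `flags interval` + `auto-merge` lets that tool add single addresses and
    # prefixes interchangeably without load failures on overlap.
    set dh_ban_in4 {
        type ipv4_addr
        flags interval
        auto-merge
    }
    set dh_ban_in6 {
        type ipv6_addr
        flags interval
        auto-merge
    }
    set dh_ban_out4 {
        type ipv4_addr
        flags interval
        auto-merge
    }
    set dh_ban_out6 {
        type ipv6_addr
        flags interval
        auto-merge
    }
    # Note there is no dh_wl_in6 / dh_wl_out6: IPv6 traffic can be banned but
    # never whitelisted by this ruleset.
    set dh_wl_in4 {
        type ipv4_addr
        flags interval
        auto-merge
    }
    set dh_wl_out4 {
        type ipv4_addr
        flags interval
        auto-merge
    }

    # Unconditional drops on the public interface (reached only from `input`
    # after the whitelists, so whitelisted sources are exempt).
    chain dh-explicit-drop {
        # SMTP, portmapper and 1030 are refused on both transports; these
        # rules have no `ip`/`ip6` qualifier and so apply to IPv4 and IPv6.
        tcp dport 25 counter drop
        tcp dport 111 counter drop
        tcp dport 1030 counter drop
        udp dport 25 counter drop
        udp dport 111 counter drop
        udp dport 1030 counter drop
        # Drop TCP segments advertising an MSS of 500 bytes or less.
        # Written with `meta l4proto` rather than `ip protocol` so that, like
        # the port drops above, it covers IPv6 as well as IPv4 (the previous
        # `ip protocol tcp` form limited it to IPv4).  Presumably this exists
        # to refuse peers that would force many tiny segments - confirm.
        meta l4proto tcp tcp option maxseg size 1-500 counter drop
    }

    chain input {
        type filter hook input priority 0;
        policy accept;
        # Conntrack fast path: drop invalid, accept the rest of known flows.
        ct state vmap { invalid : drop, established : accept, related : accept }
        # Loopback is trusted.  Without this, the dh_nrpe / dh_metrics jumps
        # below (which are not restricted to eth1) drop local connections to
        # 5666/9100/9633/9598, since 127.0.0.1 is in none of their allow sets.
        iifname "lo" counter accept
        # Service-specific allow/drop chains apply on every interface.
        jump dh_nrpe
        jump dh_metrics
        # Public interface: whitelists first, then bans, then explicit drops.
        # A source in dh_internal or dh_wl_in4 can therefore never be banned
        # or hit by dh-explicit-drop; only IPv4 sources can be whitelisted.
        iifname eth1 ip saddr @dh_internal counter accept
        iifname eth1 ip saddr @dh_wl_in4 counter accept
        iifname eth1 ip saddr @dh_ban_in4 counter drop
        iifname eth1 ip6 saddr @dh_ban_in6 counter drop
        # delegate to sub-chains
        iifname eth1 counter jump dh-explicit-drop
    }

    chain output {
        type filter hook output priority 0;
        policy accept;
        # Egress on the public interface mirrors the ingress order: whitelisted
        # destinations are accepted before the ban sets are consulted.  There
        # is no egress port filtering; the only egress drops are the ban sets.
        oifname eth1 ip daddr @dh_internal counter accept
        oifname eth1 ip daddr @dh_wl_out4 counter accept
        oifname eth1 ip daddr @dh_ban_out4 counter drop
        oifname eth1 ip6 daddr @dh_ban_out6 counter drop
    }
}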