Finally, here is a version of my host firewall script for dealing with LXD containers. Help yourself:
-------- snip ---------------
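#!/sbin/nft -f
# Host firewall for a machine running LXD containers: the containers sit on
# $net_lxd behind the bridge $nic_lxd, $red is the public interface, and the
# container at $haproxy is the one that inbound HTTP/HTTPS is (presumably)
# meant to be forwarded to -- see the nat prerouting chain.
flush ruleset

define net_lxd = 10.124.175.0/24   # container network behind the LXD bridge
define nic_lxd = pippi0            # LXD bridge interface on the host
define haproxy = 10.124.175.54     # container that should receive the 80/443 DNAT
define red     = ens3              # public ("red") interface

# Plain ASCII quotes: the typographic quotes in the posted copy do not parse.
# Loaded after "flush ruleset", so whatever fail2ban.conf defines survives the flush.
include "./fail2ban.conf"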
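table netdev filter {
    # Expected to define the "blacklist" set used by the layer2 chain (not shown here).
    include "./blacklist.nft"

    chain loinput {
        type filter hook ingress device lo priority 0; policy accept;
    }

    # Earliest drop point for traffic arriving on the public NIC (ingress hook,
    # ahead of prerouting), so the junk below never reaches conntrack or routing.
    chain layer2 {
        type filter hook ingress device ens3 priority -400;
        # Noisy service ports that should never arrive from the outside.
        udp dport { 5678, 67, 137, 138, 445 } counter drop
        tcp dport { 5678, 67, 137, 138, 445, 79 } counter drop
        # NOTE: "limit rate over" is one global bucket, not a per-source limit:
        # a single remote host exceeding 10/minute makes the port drop for every
        # source. A per-source limit needs a meter, e.g.
        #   tcp dport ssh meter ssh_flood { ip saddr limit rate over 10/minute } counter drop
        tcp dport ssh limit rate over 10/minute counter drop
        tcp dport telnet limit rate over 10/minute counter drop
        tcp dport ftp limit rate over 10/minute counter drop
        # Statically blacklisted sources (set comes from blacklist.nft).
        ip saddr @blacklist counter drop
    }
}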
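# NOTE(review): in the posted text these three chains sit outside any table,
# which nft rejects -- a table header was evidently lost in the paste. Family
# and name are assumed here to match the "ip mangle" / "ip nat" tables that
# follow; confirm against the original file.
table ip filter {
    chain output {
        type filter hook output priority 0;
        ct state established accept
        ct state related accept
        oif lo accept
        # Every new outbound connection is accepted here, so the four oifname
        # rules below are only reached by packets conntrack classes as invalid
        # or untracked; they are effectively dead as written.
        ct state new counter accept
        oifname $nic_lxd tcp sport 53 accept
        oifname $nic_lxd udp sport 53 accept
        oifname $nic_lxd udp sport 67 accept
        oifname $nic_lxd udp sport 68 accept
        counter comment "count accepted packets"
    }

    chain forward {
        # The original had no policy (i.e. accept), which made the host forward
        # anything that reached it and contradicted the "count dropped packets"
        # label at the end. The input chain uses policy drop with the same label,
        # so drop is taken as the intended default: only traffic entering or
        # leaving the LXD bridge is forwarded, which also covers the 80/443 DNAT
        # to the container (outgoing on $nic_lxd) and its replies.
        type filter hook forward priority 0; policy drop;
        iifname $nic_lxd accept
        oifname $nic_lxd accept
        counter comment "count dropped packets"
    }

    chain input {
        type filter hook input priority 0; policy drop;
        # Log rate-limited, drop unconditionally: a flood of invalid packets must
        # not be able to fill the log, and the excess must still be dropped here
        # rather than fall through to the icmp accept below.
        ct state invalid limit rate 10/minute log prefix "INVALID "
        ct state invalid counter drop comment "drop invalid packets"
        ct state {established, related} accept
        iifname lo accept comment "accept loopback"
        ip protocol icmp accept comment "accept all icmp types"
        # DNS and DHCP requests from the containers to the host.
        iifname $nic_lxd tcp dport 53 accept
        iifname $nic_lxd udp dport 53 accept
        iifname $nic_lxd udp dport 67 accept
        # Logged drops for the classic scan targets, each with its own log
        # limit; the host accepts none of these services in this chain, so
        # management presumably happens some other way.
        tcp dport 21 limit rate 10/minute log prefix "--- FTP ---"
        tcp dport 21 counter drop
        tcp dport 22 limit rate 10/minute log prefix "--- SSH ---"
        tcp dport 22 counter drop
        tcp dport 23 limit rate 10/minute log prefix "--- TELNET ---"
        tcp dport 23 counter drop
        # counter before limit so the count covers everything the policy drops,
        # while the log itself stays rate-limited.
        counter limit rate 10/minute log prefix "LAST INPUT " comment "count dropped packets"
    }
}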
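table ip mangle {
    # All four chains are policy accept and, apart from the postrouting rule,
    # only count traffic.
    chain prerouting {
        type filter hook prerouting priority 0; policy accept;
        # Plain ASCII quotes; the typographic ones in the posted copy do not parse.
        counter comment "count accepted packets"
    }

    chain input {
        type filter hook input priority 0; policy accept;
        counter comment "count accepted packets"
    }

    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }

    chain postrouting {
        type filter hook postrouting priority 0; policy accept;
        # NOTE(review): "ip checksum 68" compares the IPv4 header checksum field
        # with the value 68, and "accept" is a no-op under policy accept, so this
        # rule matches essentially nothing and changes nothing. It looks like an
        # attempt at the DHCP (bootpc) checksum handling known from iptables --
        # confirm the intent; left in place so behaviour is unchanged.
        oifname $nic_lxd udp dport bootpc ip checksum 68 accept
    }
}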
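table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        # Forward inbound HTTP/HTTPS from the public NIC to the haproxy container.
        # The posted rule had "iif" with a literal name and a DNAT target of
        # 10.179.125.54, which is outside $net_lxd and looks like a digit
        # transposition of $haproxy (10.124.175.54); a target outside the
        # masqueraded network would never get its replies back through this host.
        # iifname matches by name and survives the interface being recreated.
        iifname $red tcp dport { 80, 443 } dnat to $haproxy
        counter comment "count accepted packets"
    }

    chain input {
        type nat hook input priority 0; policy accept;
        counter comment "count accepted packets"
    }

    chain output {
        type nat hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }

    chain postrouting {
        type nat hook postrouting priority 0; policy accept;
        # Containers talking to anything outside their own network leave with
        # the host's address.
        ip saddr $net_lxd ip daddr != $net_lxd masquerade
        counter comment "count accepted packets"
    }
}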
Hope it helps someone.