

Kubewall is a simple daemon that watches a given nftables rules file and applies the rules to the host network whenever the file changes. It is deployed as a DaemonSet to ensure that traffic arriving over the WAN interface is restricted to explicitly allowed destination addresses and ports.

Below is the current live ruleset:

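#!/usr/bin/nft -f
# Host firewall for the WAN interface, applied by kubewall whenever this file changes.
# Intent (from the surrounding description): only explicitly listed destination
# addresses/ports are reachable from wan; anything else arriving on wan is dropped
# by the terminal verdict at the end of chain wan.
flush ruleset

# Load-balancer addresses. The live values were not preserved on this page;
# each <...> placeholder must be replaced before the file is applied.
define lb_dns = <LB_DNS_ADDR>
define lb_http = <LB_HTTP_ADDR>
define lb_ws_forward = <LB_WS_FORWARD_ADDR>
# NOTE(review): "lb_shh" reads like a typo for lb_ssh; the name is kept as in the original
# because it is used consistently below.
define lb_shh = <LB_SSH_ADDR>
define lb_git = <LB_GIT_ADDR>

table inet filter {
  # TCP services reachable from wan, keyed by destination address.
  chain wan-tcp {
    ip daddr $lb_dns tcp dport domain accept
    ip daddr $lb_http tcp dport { http, https, 8443 } accept
    ip daddr $lb_ws_forward tcp dport 49152-65535 accept
    ip daddr $lb_shh tcp dport ssh accept
    ip daddr $lb_git tcp dport { ssh, http, https } accept
  }

  # UDP services reachable from wan.
  chain wan-udp {
    ip daddr $lb_dns udp dport domain accept
  }

  # Everything arriving on the wan interface is evaluated here.
  chain wan {
    # The ICMP type set was empty on this page. The types below are a constructed
    # example (the ones commonly needed for reachability and path-MTU discovery);
    # confirm them against the live file before applying.
    ip protocol icmp icmp type {
      echo-request,
      destination-unreachable,
      time-exceeded,
      parameter-problem
    } accept

    # Only the first packet of a new TCP connection (a bare SYN) is checked against
    # the allow-list; later packets of an accepted flow are matched by the
    # established,related rule in chain input.
    ip protocol tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump wan-tcp
    ip protocol udp ct state new jump wan-udp

    # A jump returns here when nothing in wan-tcp/wan-udp matched. Without a terminal
    # verdict the packet would fall through to chain input's "policy accept" and the
    # allow-lists above would not restrict anything, contradicting the stated intent.
    # The counter makes drops visible in `nft list ruleset` for troubleshooting.
    # NOTE(review): every rule above is IPv4-only ("ip ..."). If wan carries IPv6,
    # ICMPv6 (at least neighbour discovery) needs an explicit accept ahead of this drop.
    counter drop
  }

  chain input {
    # policy accept: traffic on interfaces other than wan (presumably cluster/pod
    # networks) is deliberately left unfiltered here — confirm this is intended.
    type filter hook input priority 0; policy accept;

    # Replies and related packets of already-accepted flows bypass the wan checks;
    # packets conntrack cannot classify are dropped.
    ct state established,related accept
    ct state invalid drop

    iifname wan jump wan
  }
}

# vim:set ts=2 sw=2 et: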

Last update: 2021-08-12