self-hosting/roles/setup_nftables/files/nftables.conf

#! /usr/sbin/nft -f

flush ruleset

include "/etc/nftables/include.d/*.conf"

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # connection tracking
        ct state invalid drop
        ct state established,related accept

        # allow local packets
        iifname lo accept

        # respond to ping
        icmp type echo-request accept

        # reject ident
        tcp dport ident reject

        # minimal rules for ipv6
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-advert } accept

        # Apply extra rules, if any
        include "/etc/nftables/input.d/*.conf"
    }

    chain output {
        type filter hook output priority 0; policy drop;

        # connection tracking
        ct state invalid drop
        ct state established,related accept

        # allow local packets
        oifname lo accept;

        # ICMP
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Ident
        tcp dport ident accept

        # DNS
        udp dport domain accept
        tcp dport domain accept

        # HTTP
        tcp dport http accept

        # HTTPS
        tcp dport https accept

        # NTP
        udp dport ntp accept

        # Apply extra rules, if any
        include "/etc/nftables/output.d/*.conf"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # connection tracking
        ct state invalid drop
        ct state established,related accept

        # Apply extra rules, if any
        include "/etc/nftables/forward.d/*.conf"
    }
}

# vim: ai:expandtab:ts=4:sw=4
Write role nftables from ee 2022-03-13 12:46:07 +01:00			`#! /usr/sbin/nft -f`

			`flush ruleset`

			`include "/etc/nftables/include.d/*.conf"`

			`table inet filter {`
			`chain input {`
			`type filter hook input priority 0; policy drop;`

			`# connection tracking`
			`ct state invalid drop`
			`ct state established,related accept`

			`# allow local packets`
			`iifname lo accept`

			`# respond to ping`
			`icmp type echo-request accept`

			`# reject ident`
			`tcp dport ident reject`

			`# minimal rules for ipv6`
			`icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-advert } accept`

			`# Apply extra rules, if any`
			`include "/etc/nftables/input.d/*.conf"`
			`}`

			`chain output {`
			`type filter hook output priority 0; policy drop;`

			`# connection tracking`
			`ct state invalid drop`
			`ct state established,related accept`

			`# allow local packets`
			`oifname lo accept;`

			`# ICMP`
			`ip protocol icmp accept`
			`ip6 nexthdr icmpv6 accept`

			`# Ident`
			`tcp dport ident accept`

			`# DNS`
			`udp dport domain accept`
			`tcp dport domain accept`

			`# HTTP`
			`tcp dport http accept`

			`# HTTPS`
			`tcp dport https accept`

			`# NTP`
			`udp dport ntp accept`

			`# Apply extra rules, if any`
			`include "/etc/nftables/output.d/*.conf"`
			`}`

			`chain forward {`
			`type filter hook forward priority 0; policy drop;`

			`# connection tracking`
			`ct state invalid drop`
			`ct state established,related accept`

			`# Apply extra rules, if any`
			`include "/etc/nftables/forward.d/*.conf"`
			`}`
			`}`

			`# vim: ai:expandtab:ts=4:sw=4`