77 lines
1.7 KiB
Text
77 lines
1.7 KiB
Text
#! /usr/sbin/nft -f
|
|
|
|
flush ruleset
|
|
|
|
include "/etc/nftables/include.d/*.conf"
|
|
|
|
table inet filter {
|
|
chain input {
|
|
type filter hook input priority 0; policy drop;
|
|
|
|
# connection tracking
|
|
ct state invalid drop
|
|
ct state established,related accept
|
|
|
|
# allow local packets
|
|
iifname lo accept
|
|
|
|
# respond to ping
|
|
icmp type echo-request accept
|
|
|
|
# reject ident
|
|
tcp dport ident reject
|
|
|
|
# minimal rules for ipv6
|
|
icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-advert } accept
|
|
|
|
# Apply extra rules, if any
|
|
include "/etc/nftables/input.d/*.conf"
|
|
}
|
|
|
|
chain output {
|
|
type filter hook output priority 0; policy drop;
|
|
|
|
# connection tracking
|
|
ct state invalid drop
|
|
ct state established,related accept
|
|
|
|
# allow local packets
|
|
oifname lo accept;
|
|
|
|
# ICMP
|
|
ip protocol icmp accept
|
|
ip6 nexthdr icmpv6 accept
|
|
|
|
# Ident
|
|
tcp dport ident accept
|
|
|
|
# DNS
|
|
udp dport domain accept
|
|
tcp dport domain accept
|
|
|
|
# HTTP
|
|
tcp dport http accept
|
|
|
|
# HTTPS
|
|
tcp dport https accept
|
|
|
|
# NTP
|
|
udp dport ntp accept
|
|
|
|
# Apply extra rules, if any
|
|
include "/etc/nftables/output.d/*.conf"
|
|
}
|
|
|
|
chain forward {
|
|
type filter hook forward priority 0; policy drop;
|
|
|
|
# connection tracking
|
|
ct state invalid drop
|
|
ct state established,related accept
|
|
|
|
# Apply extra rules, if any
|
|
include "/etc/nftables/forward.d/*.conf"
|
|
}
|
|
}
|
|
|
|
# vim: ai:expandtab:ts=4:sw=4
|