-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathnftables.conf
57 lines (46 loc) · 1.47 KB
/
nftables.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
#!/usr/bin/nft -f
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
table inet filter {
chain input {
ip protocol icmp accept comment "allow icmp"
meta l4proto ipv6-icmp accept comment "allow icmp v6"
#tcp dport ssh accept comment "allow sshd"
tcp dport { 22 } accept comment "allow input ports"
pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
counter
}
chain forward {
type filter hook forward priority filter
policy drop
}
}
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority filter
policy drop
ct state invalid drop comment "drop invalid connections"
ct state {established,related} accept comment "accept established/related connections"
iifname lo accept comment "accept loopback"
# ssh
tcp dport 22 ct state new accept # change to your ssh port
# accept all icmp
ip protocol icmp accept
ip6 nexthdr ipv6-icmp accept
# http(s)
tcp dport {http, https} accept
udp dport {http, https} accept
# uncomment to enable logging
#log prefix "[nftables] Input Denied: " flags all counter drop
}
chain forward {
# drop everything (if not a router)
type filter hook forward priority 0; policy drop;
# uncomment to enable logging
#log prefix "[nftables] Forward Denied: " flags all counter drop
}
chain output {
type filter hook output priority 0; policy accept;
}
}