Diffstat (limited to 'nftables.conf')
-rw-r--r-- | nftables.conf | 49 |
1 files changed, 19 insertions, 30 deletions
diff --git a/nftables.conf b/nftables.conf
index 2d306375809c..fe835b303914 100644
--- a/nftables.conf
+++ b/nftables.conf
@@ -1,38 +1,27 @@
 #!/usr/bin/nft -f
-# ipv4/ipv6 Simple & Safe Firewall
-# you can find examples in /usr/share/nftables/
+# vim:set ts=2 sw=2 et:
+
+# IPv4/IPv6 Simple & Safe firewall ruleset.
+# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
+table inet filter
+delete table inet filter
 table inet filter {
   chain input {
-    type filter hook input priority 0;
-
-    # allow established/related connections
-    ct state {established, related} accept
-
-    # early drop of invalid connections
-    ct state invalid drop
-
-    # allow from loopback
-    iifname lo accept
-
-    # allow icmp
-    ip protocol icmp accept
-    ip6 nexthdr icmpv6 accept
-
-    # allow ssh
-    tcp dport ssh accept
-
-    # everything else
-    reject with icmpx type port-unreachable
+    type filter hook input priority filter
+    policy drop
+
+    ct state invalid drop comment "early drop of invalid connections"
+    ct state {established, related} accept comment "allow tracked connections"
+    iifname lo accept comment "allow from loopback"
+    ip protocol icmp accept comment "allow icmp"
+    meta l4proto ipv6-icmp accept comment "allow icmp v6"
+    tcp dport ssh accept comment "allow sshd"
+    pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
+    counter
   }
   chain forward {
-    type filter hook forward priority 0;
-    drop
-  }
-  chain output {
-    type filter hook output priority 0;
+    type filter hook forward priority filter
+    policy drop
   }
-
 }
-
-# vim:set ts=2 sw=2 et: |
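Review bot: The added `table inet filter` / `delete table inet filter` pair at the top of the hunk has no comment, and its purpose is not obvious to someone editing the file later; I would add `# Declare then delete the table so this file can be re-applied without error and without flushing tables owned by other services (unlike 'flush ruleset').` above it, adjusted if that is not the intent. Removing `chain output` leaves outbound traffic unfiltered, which is a sensible default here but deserves a one-line comment such as `# No output chain: outbound traffic is intentionally not filtered.` so the policy choice is explicit rather than implied by an absence. The trailing `counter` rule after the rate-limited reject is the only place where packets falling through to `policy drop` become visible, so `counter comment "packets dropped by policy"` would make its monitoring role clear to whoever reads `nft list ruleset`. Note that `ip protocol icmp accept` and `meta l4proto ipv6-icmp accept` still admit every ICMP type, as the replaced rules did, which is worth stating in the comments since ICMPv6 in particular is required for neighbor discovery.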