authorxyz <gky44px1999@gmail.com>2022-01-30 14:43:01 -0800
committerxyz <gky44px1999@gmail.com>2022-01-30 14:43:01 -0800
commit2ea91aafb274eb2c9fc5e05567ede592f3fd12c8 (patch)
tree3ac217cb04429e8c2935a2ca5bf39f78f90616a2 /etc/nftables.conf
parent6cc232741e0d64425a3eddbd7b816337f60d5f5a (diff)
add nftables.conf original
Diffstat (limited to 'etc/nftables.conf')
-rw-r--r--etc/nftables.conf27
1 files changed, 27 insertions, 0 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
new file mode 100644
index 00000000..fe835b30
--- /dev/null
+++ b/etc/nftables.conf
@@ -0,0 +1,27 @@
+#!/usr/bin/nft -f
+# vim:set ts=2 sw=2 et:
+
+# IPv4/IPv6 Simple & Safe firewall ruleset.
+# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
+
+table inet filter
+delete table inet filter
+table inet filter {
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+ ct state invalid drop comment "early drop of invalid connections"
+ ct state {established, related} accept comment "allow tracked connections"
+ iifname lo accept comment "allow from loopback"
+ ip protocol icmp accept comment "allow icmp"
+ meta l4proto ipv6-icmp accept comment "allow icmp v6"
+ tcp dport ssh accept comment "allow sshd"
+ pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
+ counter
+ }
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+ }
+}
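Review bot: The `tcp dport ssh accept comment "allow sshd"` rule accepts every new SSH connection without any rate limit, while the reject rule directly below it is limited to 5/second, so the one service this ruleset exposes to the world is also the one with no throttling on connection attempts. If the host is reachable from untrusted networks, a bounded variant such as `tcp dport ssh ct state new limit rate 10/minute accept comment "allow sshd (rate-limited)"` keeps tracked sessions flowing via the `established, related` rule while letting excess new attempts fall through to the existing reject and the drop policy; the exact rate should match the site's expected login volume. The file appears to be the stock distribution example ruleset copied verbatim (the header comment still points at the package examples), so a one-line comment near the top recording that fact and the date it was taken, e.g. `# Copied unchanged from the packaged example ruleset; local changes are listed below`, would make later drift easier to audit.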