author | xyz <gky44px1999@gmail.com> | 2022-01-30 14:44:07 -0800 |
---|---|---|
committer | xyz <gky44px1999@gmail.com> | 2022-01-30 14:44:07 -0800 |
commit | 61dbbc512c7588f3491064ff001233bb9b73547a (patch) | |
tree | 02f5807bf30d723650d0446c023b11e3f6f5aa28 /etc/nftables.conf | |
parent | 86944034b471d1d7b78eb72c2e751d16146f1cd9 (diff) |
nftables.conf, edited according to the examples in the Arch wiki
Diffstat (limited to 'etc/nftables.conf')
-rw-r--r-- | etc/nftables.conf | 48 |
1 files changed, 28 insertions, 20 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index fe835b30..6eaa41cb 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -1,27 +1,35 @@
 #!/usr/bin/nft -f
-# vim:set ts=2 sw=2 et:
 # IPv4/IPv6 Simple & Safe firewall ruleset.
 # More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
-table inet filter
-delete table inet filter
-table inet filter {
- chain input {
- type filter hook input priority filter
- policy drop
+# some codes from https://wiki.archlinux.org/title/Nftables
- ct state invalid drop comment "early drop of invalid connections"
- ct state {established, related} accept comment "allow tracked connections"
- iifname lo accept comment "allow from loopback"
- ip protocol icmp accept comment "allow icmp"
- meta l4proto ipv6-icmp accept comment "allow icmp v6"
- tcp dport ssh accept comment "allow sshd"
- pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
- counter
- }
- chain forward {
- type filter hook forward priority filter
- policy drop
- }
+table inet my_table {
+
+ chain my_input {
+ type filter hook input priority filter
+ policy drop
+
+ ct state invalid drop comment "early drop of invalid connections"
+ ct state {established, related} accept comment "allow tracked connections"
+ iifname lo accept comment "allow from loopback"
+ ip protocol icmp accept comment "allow icmp"
+ meta l4proto ipv6-icmp accept comment "allow icmp v6"
+ tcp dport ssh accept comment "allow sshd"
+ pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
+ counter comment "count any other traffic"
+ }
+
+ chain my_forward {
+ type filter hook forward priority filter
+ policy drop
+ # Drop everything forwarded to us. We do not forward. That is routers job.
+ }
+
+ chain my_output {
+ type filter hook output priority filter
+ policy accept
+ # Accept every outbound connection
+ }
 }
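Review bot: The rewrite drops the `table inet filter` / `delete table inet filter` pair that made the old file idempotent on reload and puts nothing in its place, so re-running `nft -f /etc/nftables.conf` on a host that already has `inet my_table` loaded appends a second copy of every rule, and a host still carrying the old `inet filter` table keeps it alongside the new one, unless the service unit happens to flush first. Add `flush ruleset` as the line before `table inet my_table {`, or restore the narrower idiom as `table inet my_table` followed by `delete table inet my_table`, so the live ruleset always matches the file; note that `flush ruleset` also removes tables created by other tools on the host, which is why the `delete table` form is sometimes preferred. The rename from `filter`/`input`/`forward` to `my_table`/`my_input`/`my_forward` also changes the names any other tooling on the host would use to add rules by table and chain, so it is worth confirming nothing still references the old names before this is deployed.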