-rw-r--r--etc/nftables.conf27
1 files changed, 27 insertions, 0 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
new file mode 100644
index 00000000..fe835b30
--- /dev/null
+++ b/etc/nftables.conf
@@ -0,0 +1,27 @@
+#!/usr/bin/nft -f
+# vim:set ts=2 sw=2 et:
+
+# IPv4/IPv6 Simple & Safe firewall ruleset.
+# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
+
+table inet filter
+delete table inet filter
+table inet filter {
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+ ct state invalid drop comment "early drop of invalid connections"
+ ct state {established, related} accept comment "allow tracked connections"
+ iifname lo accept comment "allow from loopback"
+ ip protocol icmp accept comment "allow icmp"
+ meta l4proto ipv6-icmp accept comment "allow icmp v6"
+ tcp dport ssh accept comment "allow sshd"
+ pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
+ counter
+ }
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+ }
+}
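Review bot: The `tcp dport ssh accept` rule at line 32 admits new SSH connections from any source with no limit, so the only throttled path in this input chain is the host-directed reject at line 33; if this host is reachable from untrusted networks, a connection-rate limit on new SSH flows is the usual hardening, e.g. `tcp dport ssh ct state new limit rate 10/minute accept comment "allow sshd (rate limited)"`, or restricting the source with a set if the admin ranges are known. Separately, traffic that reaches the chain's `policy drop` is only counted by the trailing `counter` at line 34, which gives no per-packet visibility for host monitoring; a rate-limited log rule before it, such as `limit rate 1/second log prefix "nft-input-drop: "`, lets the drops be picked up from the kernel log without flooding it. Both suggestions are policy choices rather than defects, so the author may reasonably keep the minimal ruleset as is.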