| -rw-r--r-- | etc/nftables.conf | 48 | 
1 files changed, 28 insertions, 20 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index fe835b30..6eaa41cb 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -1,27 +1,35 @@
 #!/usr/bin/nft -f
-# vim:set ts=2 sw=2 et:
 
 # IPv4/IPv6 Simple & Safe firewall ruleset.
 # More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
 
-table inet filter
-delete table inet filter
-table inet filter {
-  chain input {
-    type filter hook input priority filter
-    policy drop
+# some codes from https://wiki.archlinux.org/title/Nftables
 
-    ct state invalid drop comment "early drop of invalid connections"
-    ct state {established, related} accept comment "allow tracked connections"
-    iifname lo accept comment "allow from loopback"
-    ip protocol icmp accept comment "allow icmp"
-    meta l4proto ipv6-icmp accept comment "allow icmp v6"
-    tcp dport ssh accept comment "allow sshd"
-    pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
-    counter
-  }
-  chain forward {
-    type filter hook forward priority filter
-    policy drop
-  }
+table inet my_table {
+
+	chain my_input {
+		type filter hook input priority filter
+		policy drop
+
+		ct state invalid drop comment "early drop of invalid connections"
+		ct state {established, related} accept comment "allow tracked connections"
+		iifname lo accept comment "allow from loopback"
+		ip protocol icmp accept comment "allow icmp"
+		meta l4proto ipv6-icmp accept comment "allow icmp v6"
+		tcp dport ssh accept comment "allow sshd"
+		pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
+		counter comment "count any other traffic"
+	}
+
+	chain my_forward {
+		type filter hook forward priority filter
+		policy drop
+		# Drop everything forwarded to us. We do not forward. That is routers job.
+	}
+
+	chain my_output {
+		type filter hook output priority filter
+		policy accept
+		# Accept every outbound connection
+	}
 }
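Review bot: The new `table inet my_table` block has no idempotency guard, so every further `nft -f` of this file (a `reload` of the nftables service, for instance) appends a second copy of each `my_input` rule instead of replacing the ruleset, and on a host that already loaded the previous version the old `inet filter` table is presumably left in place with its own hooked input chain. The removed `table inet filter` / `delete table inet filter` pair existed for exactly this reason and the rename dropped it without a replacement. Add the equivalent two lines immediately before the definition, `table inet my_table` followed by `delete table inet my_table` — the first statement makes the delete safe when the table does not exist yet — or use `flush ruleset` at the top if nothing else on the host (container runtimes, fail2ban, libvirt) manages nftables. Duplicated rules do not weaken the `policy drop`, but each extra copy of the `limit rate 5/second` reject rule carries its own limiter, so the effective rate before packets fall through to the final `counter` grows with every reload, and the counters themselves stop meaning anything.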
