From 61dbbc512c7588f3491064ff001233bb9b73547a Mon Sep 17 00:00:00 2001
From: xyz
Date: Sun, 30 Jan 2022 14:44:07 -0800
Subject: nftables.conf, edited according to examples in arch wiki
---
 etc/nftables.conf | 48 ++++++++++++++++++++++++++++--------------------
 1 file changed, 28 insertions(+), 20 deletions(-)
(limited to 'etc/nftables.conf')
diff --git a/etc/nftables.conf b/etc/nftables.conf
index fe835b30..6eaa41cb 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -1,27 +1,35 @@
 #!/usr/bin/nft -f
-# vim:set ts=2 sw=2 et:
 # IPv4/IPv6 Simple & Safe firewall ruleset.
 # More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
-table inet filter
-delete table inet filter
-table inet filter {
- chain input {
- type filter hook input priority filter
- policy drop
+# some codes from https://wiki.archlinux.org/title/Nftables
- ct state invalid drop comment "early drop of invalid connections"
- ct state {established, related} accept comment "allow tracked connections"
- iifname lo accept comment "allow from loopback"
- ip protocol icmp accept comment "allow icmp"
- meta l4proto ipv6-icmp accept comment "allow icmp v6"
- tcp dport ssh accept comment "allow sshd"
- pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
- counter
- }
- chain forward {
- type filter hook forward priority filter
- policy drop
- }
+table inet my_table {
+
+ chain my_input {
+ type filter hook input priority filter
+ policy drop
+
+ ct state invalid drop comment "early drop of invalid connections"
+ ct state {established, related} accept comment "allow tracked connections"
+ iifname lo accept comment "allow from loopback"
+ ip protocol icmp accept comment "allow icmp"
+ meta l4proto ipv6-icmp accept comment "allow icmp v6"
+ tcp dport ssh accept comment "allow sshd"
+ pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
+ counter comment "count any other traffic"
+ }
+
+ chain my_forward {
+ type filter hook forward priority filter
+ policy drop
+ # Drop everything forwarded to us. We do not forward. That is routers job.
+ }
+
+ chain my_output {
+ type filter hook output priority filter
+ policy accept
+ # Accept every outbound connection
+ }
 }
-- 
cgit v1.2.3-70-g09d2
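Review bot: The removed `table inet filter` / `delete table inet filter` pair was what made this file safe to re-apply, and the new side adds no replacement, so unless the loader flushes first every subsequent `nft -f /etc/nftables.conf` appends a second copy of each rule to `my_table`, and on a host that still has the old `filter` table loaded both input chains stay hooked with `policy drop`. Restore the guard under the new name, `table inet my_table` followed by `delete table inet my_table` placed before the `table inet my_table {` definition, or use `flush ruleset` after the header comments if clearing tables owned by other tools on this host is acceptable. As a point of style, `my_table`/`my_input`/`my_forward` are the wiki example's placeholder names; keeping purpose-based names like the previous `filter`/`input` reads better in a deployed config, though this is minor.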