#!/usr/bin/nft -f
# IPv4/IPv6 Simple & Safe firewall ruleset.
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
# Some rules adapted from https://wiki.archlinux.org/title/Nftables
#
# Reload with `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`.
# The `flush ruleset` below is what makes a reload replace the running rules
# instead of appending a second copy of every chain.
flush ruleset

table inet my_table {
    chain my_input {
        type filter hook input priority filter
        # Default-deny: anything not explicitly accepted below is dropped
        # (after the rate-limited reject at the end of the chain).
        policy drop

        # Connection tracking first: discard invalid state early, accept
        # packets belonging to flows that were already allowed.
        ct state invalid drop comment "early drop of invalid connections"
        ct state {established, related} accept comment "allow tracked connections"

        # Local processes talking to themselves.
        iifname lo accept comment "allow from loopback"

        # ICMP for both families; ICMPv6 carries neighbour discovery, so
        # blocking it breaks IPv6 entirely.
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # Remote administration.
        tcp dport ssh accept

        # Services currently disabled; uncomment a line to expose it.
        #tcp dport qbt-nox accept
        #tcp dport qbt accept
        #udp dport qbt accept
        #tcp dport iperf3 accept
        #udp dport wireguard accept

        # for acme.sh standalone mode builtin webserver to renew ssl cert
        tcp dport http accept

        # Mail services: SMTP plus submission, POP3 and IMAP, plain and TLS.
        # A single anonymous set matches the same ports as one rule per port.
        tcp dport { smtp, submission, submissions, pop3, pop3s, imap, imaps } accept

        # Anything else addressed to this host is rejected with an ICMP
        # admin-prohibited message, at most 5 per second; packets beyond that
        # limit fall through to the counter and the chain's drop policy.
        pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
        counter comment "count any other traffic"
    }

    chain my_forward {
        type filter hook forward priority filter
        # This host does not route. Forwarding is the router's job.
        policy drop
    }

    chain my_output {
        type filter hook output priority filter
        # Outbound connections are unrestricted.
        policy accept
    }
}