#!/usr/bin/nft -f
# IPv4/IPv6 Simple & Safe firewall ruleset (the inet family covers both).
# Based in part on https://wiki.archlinux.org/title/Nftables; more examples
# live in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
#
# `flush ruleset` below clears the previous rules first, so this file can be
# reloaded in place with `sudo systemctl restart nftables` or
# `sudo nft -f /etc/nftables.conf`.

flush ruleset

table inet my_table {

    # Inbound traffic: everything not explicitly accepted below is dropped.
    chain my_input {
        type filter hook input priority filter; policy drop;

        # Connection tracking first: invalid packets are discarded early,
        # replies belonging to tracked connections are let through.
        ct state invalid drop comment "early drop of invalid connections"
        ct state { established, related } accept comment "allow tracked connections"

        iifname lo accept comment "allow from loopback"

        # ICMP and ICMPv6 are accepted without a rate limit.
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # Services exposed on this host (port names resolve via the local
        # services database). Optional ones are kept as comments for reference:
        #   tcp dport ssh accept
        #   tcp dport qbt-nox accept
        #   tcp dport searx accept
        #   tcp dport iperf3 accept
        #   udp dport wireguard accept
        tcp dport { qrcp, qbt, monerod-p2p } accept
        udp dport { mdns, qbt } accept

        # Author's note on the next rule: "insp to ia udp2raw wireguard".
        # Because tracked connections were already accepted above, this drop
        # only affects packets that are not part of an established flow.
        ip saddr 89.213.174.92 tcp sport 60711 drop

        # Refuse remaining unicast traffic addressed to this host with an ICMP
        # admin-prohibited, at most 5 per second; packets beyond that limit fall
        # through to the counter and the chain's drop policy.
        pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
        counter comment "count any other traffic"
    }

    # Nothing is forwarded through this host; that is a router's job.
    chain my_forward {
        type filter hook forward priority filter; policy drop;
        # The two rules below are needed for phantun (interface pt0); disabled.
        #   iifname pt0 accept
        #   oifname pt0 accept
    }

    # Outbound traffic: every connection originating here is accepted.
    chain my_output {
        type filter hook output priority filter; policy accept;
    }
}

# Optional NAT table for phantun (https://github.com/dndx/phantun), disabled.
# Note the hook here is postrouting, not prerouting; per the author the
# server-side phantun configuration uses prerouting instead.
#table inet nat {
#    chain postrouting {
#        type nat hook postrouting priority srcnat; policy accept;
#        iifname pt0 oif enp3s0 masquerade
#        iifname pt0 oif wlp2s0 masquerade
#    }
#}