Created
May 19, 2024 14:37
-
-
Save cyrex562/44b739ef841a8146153233d659db180b to your computer and use it in GitHub Desktop.
nftables example
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/sbin/nft -f | |
| flush ruleset | |
| table inet filter { | |
| chain input { | |
| type filter hook input priority 0; policy drop; | |
| ct state invalid counter drop comment "early drop of invalid packets" | |
| ct state {established,related} counter accept comment "accept all connections related to our sessio> | |
| iifname "tailscale0" accept | |
| iifname "wg0" accept | |
| iifname "ens3" drop | |
| iifname "lo" accept comment "loopback" | |
| ip protocol icmp counter accept comment "accept all ICMP types" | |
| meta l4proto ipv6-icmp counter accept comment "accept ICMP-v6" | |
| tcp dport 22 counter accept comment "accept SSH" | |
| tcp dport 51820 counter accept comment "wireguard TCP" | |
| udp dport 51820 counter accept comment "wireguard UDP" | |
| counter comment "count dropped packets" | |
| } | |
| chain forward { | |
| type filter hook forward priority 0; policy accept; | |
| counter comment "count accepted forwarded packets" | |
| } | |
| chain output { | |
| type filter hook output priority 0; policy accept; | |
| counter comment "count accepted output packets" | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment