Last active
June 15, 2023 07:23
-
-
Save kravietz/e527895020da22cb20281d5fdee0b1da to your computer and use it in GitHub Desktop.
Simple workstation nftables
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/sbin/nft -f | |
| flush ruleset | |
| table inet filter { | |
| chain input { | |
| type filter hook input priority 0; policy drop | |
| iifname lo accept | |
| ct state established,related accept | |
| # allow any incoming ICMP and ICMPv6 | |
| ip protocol icmp accept | |
| ip6 nexthdr ipv6-icmp accept | |
| # allow DHCPv6 | |
| udp dport 546 udp sport 547 accept | |
| # allow incoming broadcast and multicast (e.g. NTP) | |
| pkttype { broadcast,multicast} accept | |
| log | |
| } | |
| chain forward { | |
| type filter hook forward priority 0; policy drop | |
| log | |
| } | |
| chain output { | |
| type filter hook output priority 0; policy accept | |
| # not sure if this is required but let's track all outgoing connections | |
| ct state new accept | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment