nftables
#!/usr/bin/nft -f
# Host firewall: default-drop input and forward, open output. Forwarded
# container traffic is admitted via packet marks set by the iptables-nft
# compatibility chains at the bottom of this file.
# NOTE(review): `flush ruleset` removes every table, including the ones the
# docker daemon and CNI plugins install at runtime (their base chains are not
# defined here); presumably those need a restart after loading this file so
# their jumps to DOCKER-USER / CNI-ADMIN exist again — confirm.
flush ruleset
# Marks written by DOCKER-USER / CNI-ADMIN and matched in my_filter's forward chain.
define int_docker_mark = 0x3b3 # 947
define int_cni_mark = 0x3b4 # 948
# Link-layer addresses allowed to open new connections to this host on any
# port (see input_main). A MAC is trivially spoofable on a shared L2 segment,
# so treat this as convenience, not authentication.
define int_phone_macs = {
A8:A0:91:51:40:79 # Pixel Wifi
}
table inet my_filter {
# Traffic addressed to this host. The +10 priority offset places this chain
# after the iptables-nft chains (priority filter, i.e. 0), so marks set there
# are already visible when this chain runs.
chain input {
type filter hook input priority filter + 10; policy drop;
# Replies to flows this host opened, plus related flows (e.g. ICMP errors).
ct state { established, related } counter accept
# Packets conntrack cannot attribute to any flow (bad TCP flags, out of window).
ct state invalid counter drop
iifname "lo" accept
# All ICMP/IGMP is accepted, including echo requests — deliberate? confirm.
meta l4proto { icmp, igmp, ipv6-icmp } counter accept
# Only new connections are checked against the allow-list below.
ct state new jump input_main
# Everything else (including untracked packets, which are not "new") is
# rejected with an error reply rather than silently dropped.
counter reject
}
# Allow-list for new inbound connections; no match falls back to the reject in input.
chain input_main {
# SSH from the IPv4 LAN only; there is no IPv6 counterpart of this rule.
ip saddr 192.168.0.0/24 tcp dport 22 counter accept comment "SSH"
# Any port from the listed phone MACs. ether saddr is matched on the
# link-layer header, so it only applies to directly attached (same-L2)
# senders and can be spoofed by anyone on that segment.
ether saddr $int_phone_macs counter accept comment "Phones"
}
# Routed traffic (containers, VMs). Only flows carrying one of the two marks
# pass; the marks are set in the `ip filter` table below. Because that table
# is IPv4-only, forwarded IPv6 container traffic is never marked and hits the
# drop policy here unless an ip6 equivalent is defined elsewhere.
chain forward {
type filter hook forward priority filter + 10; policy drop;
ct state { established, related } counter accept
meta mark $int_docker_mark accept comment "docker"
meta mark $int_cni_mark accept comment "CNI"
}
# Outbound traffic is not filtered; the bare counter only provides visibility.
chain output {
type filter hook output priority filter + 10; policy accept;
counter
}
}
# iptables-nft compatibility
table ip filter {
# Docker is expected to jump to DOCKER-USER from its own FORWARD base chain
# (created by the daemon, not in this file). Marking rather than accepting
# here leaves Docker's rules in charge of the verdict in this table; the mark
# is then honoured by my_filter's forward chain.
# NOTE(review): `meta mark set` overwrites any mark already on the packet —
# check nothing else on this host (e.g. policy routing) relies on the fwmark.
chain DOCKER-USER {
meta mark set $int_docker_mark comment "docker"
}
# Same mechanism for CNI plugins, which jump to CNI-ADMIN.
chain CNI-ADMIN {
meta mark set $int_cni_mark comment "CNI"
}
}