Created
May 20, 2022 17:50
-
-
Save prehensilecode/bc737e6ec87fc807201474b749c0c941 to your computer and use it in GitHub Desktop.
Basic nftables config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /usr/bin/nft -f | |
| ### localhost | |
| define LOCALHOST = { 127.0.0.1 } | |
| define LOCALHOST6 = { ::1 } | |
| table inet filter { | |
| chain input { | |
| type filter hook input priority 0; policy drop; | |
| ct state invalid counter drop comment "early drop of invalid packets" | |
| ip protocol 47 counter drop comment "drop all GRE packets" | |
| ct state {established, related} accept comment "accept all connections related to connections made by us" | |
| iif lo accept comment "accept loopback" | |
| iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback" | |
| iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback" | |
| ip saddr != $LOCALHOST tcp dport 25 drop comment "drop all SMTP" | |
| ip6 saddr != $LOCALHOST6 tcp dport 25 drop comment "drop all SMTP" | |
| ip protocol icmp counter accept comment "accept all ICMP types" | |
| ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types" | |
| counter comment "count dropped packets" | |
| } | |
| chain forward { | |
| type filter hook forward priority 0; policy accept; | |
| } | |
| chain output { | |
| type filter hook output priority 0; policy accept; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment