redteamrover/nftables.conf

## nftables.conf
#!/usr/bin/nft -f
#
# IPv4/IPv6 Simple & Safe firewall ruleset.
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
#
# Begin by completely removing any previously established rules.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter

        # Drop all incoming packets by default.
        policy drop

        # Drop packets with invalid connections state headers
        # right away.
        ct state invalid drop comment "early drop of invalid connections"

        # Accept packets from pre-established and related
        # connections.
        ct state {established, related} accept comment "allow tracked connections"

        # Accept all traffic originating from the loopback
        # interface.
        iifname lo accept comment "allow from loopback"

        # Track new incoming connections for the services
        # provided by this web server.
        ct state new tcp dport { ssh, http, https } counter accept

        # Track new SSH connections.
        #tcp dport ssh ct state new counter accept comment "New SSH Connections"

        # Rate limit incoming ICMP packets.
        ip protocol icmp limit rate 2/second burst 2 packets counter accept comment "allow icmp"

        # Rate limit incoming IPv6-ICMP packets.
        meta l4proto ipv6-icmp limit rate 2/second burst 2 packets counter accept comment "allow icmp v6"

        # Don't respond with an error message, simply drop the incoming connection packets.
        # pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited

        # Keep track of the dropped packets.
        counter
    }

    chain forward {
        type filter hook forward priority filter

        # This server node is not a router, and should thus
        # not be forwarding any packets to any server ever.
        policy drop

        # Keep track of the number of forwarding requests
        # this server receives, just so we know what's going
        # on.
        counter
    }
}
	#!/usr/bin/nft -f
	#
	# IPv4/IPv6 Simple & Safe firewall ruleset.
	# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
	#
	# Begin by completely removing any previously established rules.
	flush ruleset

	table inet filter {
	chain input {
	type filter hook input priority filter

	# Drop all incoming packets by default.
	policy drop

	# Drop packets with invalid connections state headers
	# right away.
	ct state invalid drop comment "early drop of invalid connections"

	# Accept packets from pre-established and related
	# connections.
	ct state {established, related} accept comment "allow tracked connections"

	# Accept all traffic originating from the loopback
	# interface.
	iifname lo accept comment "allow from loopback"

	# Track new incoming connections for the services
	# provided by this web server.
	ct state new tcp dport { ssh, http, https } counter accept

	# Track new SSH connections.
	#tcp dport ssh ct state new counter accept comment "New SSH Connections"

	# Rate limit incoming ICMP packets.
	ip protocol icmp limit rate 2/second burst 2 packets counter accept comment "allow icmp"

	# Rate limit incoming IPv6-ICMP packets.
	meta l4proto ipv6-icmp limit rate 2/second burst 2 packets counter accept comment "allow icmp v6"

	# Don't respond with an error message, simply drop the incoming connection packets.
	# pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited

	# Keep track of the dropped packets.
	counter
	}

	chain forward {
	type filter hook forward priority filter

	# This server node is not a router, and should thus
	# not be forwarding any packets to any server ever.
	policy drop

	# Keep track of the number of forwarding requests
	# this server receives, just so we know what's going
	# on.
	counter
	}
	}