nftables firewall with fail2ban integration, beware: blocks outgoing traffic in current form
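#!/usr/sbin/nft -f
# NFTables host firewall with fail2ban integration.
#
# fail2ban side: use the nftables-multiport action (banaction = nftables-multiport
# in jail.local, or the equivalent for your fail2ban version) and comment out
# actionstart/actionstop in nftables-common.conf: the sets that action would
# normally create (f2b-sshd, f2b-sshd6) are declared statically below.
#
# Chain summary:
#   input   - default drop. Allows loopback, established/related, ICMP/ICMPv6,
#             WireGuard and ssh/smtp/http; sources banned by fail2ban are
#             rejected before the general ssh accept, trusted sources before that.
#   forward - default drop (this host is not meant to route).
#   output  - default ACCEPT. A `log` rule carries no verdict, so anything not
#             matched by the accepts is logged and then still accepted by the
#             chain policy. The output allow-list is informational until the
#             policy is changed to drop - extend it first (https, ntp, smtp,
#             WireGuard udp/51820, ...) or the host will lose connectivity.

flush ruleset

# Sources allowed to ssh in even when fail2ban has banned them. The values are
# placeholders: 127.0.0.0/8 already covers 127.0.0.1, and 2001:DB8::/32 is the
# IPv6 documentation prefix - replace both with real management networks.
define TRUSTED4 = {
    127.0.0.1,
    127.0.0.0/8
}
define TRUSTED6 = {
    2001:DB8::/32
}

table inet filter {
    # Populated at runtime by fail2ban (nftables-multiport action) with banned
    # source addresses; fail2ban also removes elements when a ban expires.
    set f2b-sshd {
        type ipv4_addr
    }
    set f2b-sshd6 {
        type ipv6_addr
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Conntrack-invalid packets are never useful: drop them first (the other
        # chains already do this; input was missing it).
        ct state invalid drop
        # Replies to connections this host initiated, plus related flows.
        # NOTE: this precedes the fail2ban rejects, so an ssh session that was
        # already established when its source got banned is not cut off.
        ct state established,related accept
        # Loopback.
        iifname lo accept

        # ICMP: only echo-request is opened; ICMP errors for our own flows
        # arrive as ct state related.
        icmp type echo-request accept
        # ICMPv6 required for neighbour discovery, MLD and path-MTU/error
        # signalling - blocking these breaks IPv6 entirely.
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert, mld-listener-query,
                      destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem } accept

        # WireGuard.
        udp dport 51820 accept

        # SSH from trusted sources - evaluated before the fail2ban rejects so a
        # ban can never lock a trusted network out.
        tcp dport { ssh } ip saddr $TRUSTED4 accept
        tcp dport { ssh } ip6 saddr $TRUSTED6 accept

        # fail2ban: banned sources are rejected (default reject is an ICMP
        # port-unreachable). Use `drop` instead if you prefer not to answer
        # banned hosts at all.
        tcp dport { ssh } ip6 saddr @f2b-sshd6 reject
        tcp dport { ssh } ip saddr @f2b-sshd reject

        # Publicly open TCP services.
        tcp dport { ssh, smtp, http } accept

        # Everything else is logged (rate-limited) and then hits the drop policy.
        limit rate 10/minute log prefix "NF-IN:" level info
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state invalid drop
        ct state established,related accept
        # Loopback traffic is not forwarded; kept for symmetry with input.
        iifname lo accept

        # Anything else is logged (rate-limited) and dropped by policy.
        limit rate 10/minute log prefix "NF-FWD:" level info
    }

    chain output {
        type filter hook output priority 0; policy accept;

        ct state invalid drop
        ct state established,related accept
        # Locally generated packets have no input interface, so the original
        # `iifname lo` never matched here; match the OUTPUT interface instead.
        # Harmless while the policy is accept, but essential once it is drop.
        oifname lo accept

        # ICMP.
        icmp type echo-request accept
        # Essential ICMPv6 (see input chain).
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert, mld-listener-query,
                      destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem } accept

        # Common outgoing traffic (only enforced if the policy becomes drop).
        tcp dport { domain, ssh, http } accept
        udp dport { domain } accept

        # Not matched above: logged (rate-limited), then accepted by policy.
        limit rate 10/minute log prefix "NF-OUT:" level info
    }
}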