@sitle
Last active March 7, 2022 20:41
Minimal firewall
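#!/usr/sbin/nft -f
# Minimal host firewall, loaded with `nft -f`.
# "flush ruleset" makes this file the complete ruleset: input is limited to
# loopback, established traffic, ping and a few pinned admin/service sources;
# output is an allow-list of destinations (DNS, database, apt proxy).
flush ruleset
table inet filter {
chain input {
# The chain policy is a property of the chain, not a terminal rule, so it is
# declared with the hook; the default (drop) is then visible before the rules.
type filter hook input priority 0; policy drop;
# allow from loopback
iifname lo accept;
# established/related connections
ct state established,related accept;
# invalid connections
ct state invalid drop;
# ping
icmp type echo-request accept;
# NOTE(review): an "inet" table also sees IPv6, and nothing in this chain
# matches ICMPv6, so neighbour discovery falls through to the drop policy.
# If IPv6 is in use on this host, an explicit icmpv6 accept for the NDP types
# is needed here and in the output chain.
# ssh
tcp dport ssh ip saddr 192.168.1.11 accept;
tcp dport ssh ip saddr 10.10.0.10 accept;
# http/https
tcp dport {http,https} ip saddr 10.10.2.1 accept;
tcp dport {http,https} ip saddr 10.10.0.10 accept;
# NOTE(review): this unconditional accept opens http/https to every source,
# which makes the two source-restricted accepts above redundant and the
# "reject with tcp reset" below unreachable. If the intent is to restrict
# http/https to the listed sources, remove this line; if it is to serve
# everyone, the saddr rules and the reject can go. Behaviour kept as-is.
counter tcp dport {http,https} accept;
tcp dport {http,https} reject with tcp reset;
# reject with unreachable for all port
# icmpx picks ICMP or ICMPv6 to match the packet's family in an inet table.
tcp dport {1-1023} reject with icmpx type port-unreachable;
}
chain forward {
# This host does not route: nothing is ever forwarded.
type filter hook forward priority 0; policy drop;
}
chain output {
type filter hook output priority 0; policy drop;
# allow from loopback
oifname lo accept;
# established/related connections
ct state established,related accept;
# invalid connections
ct state invalid drop;
# ping
icmp type echo-request accept;
# dns: the two configured resolvers. TCP/53 is allowed to the same resolvers
# because stub resolvers retry over TCP for truncated (large/DNSSEC) answers,
# which a UDP-only allow-list would silently drop.
udp dport 53 ip daddr 192.168.1.100 accept;
udp dport 53 ip daddr 10.8.0.132 accept;
tcp dport 53 ip daddr {192.168.1.100, 10.8.0.132} accept;
# tcp/5432 (presumably PostgreSQL) to a single database host
tcp dport 5432 ip daddr 10.10.0.72 accept;
# apt proxy on tcp/3142
# NOTE(review): a hostname here is resolved by nft when the file is loaded, so
# loading depends on DNS being reachable at that moment (e.g. at boot, before
# the network is up) and fails outright if the name resolves to more than one
# address; a failed load leaves the host without this ruleset. Prefer the
# proxy's literal address.
tcp dport 3142 ip daddr proxyapt.srv.gov.pf accept;
}
}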
@atouboulic

atouboulic commented Mar 7, 2022

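#!/usr/sbin/nft -f
# Minimal host firewall, loaded with `nft -f`.
# "flush ruleset" makes this file the complete ruleset: input is limited to
# loopback, established traffic, ping and a few pinned admin/service sources;
# output is an allow-list of destinations (DNS, database, apt proxy).

flush ruleset

table inet filter {
        chain input {
                # The chain policy is a property of the chain, not a terminal
                # rule, so it is declared with the hook; the default (drop) is
                # then visible before the rules.
                type filter hook input priority 0; policy drop;
                # allow from loopback
                iifname lo accept;
                # established/related connections
                ct state established,related accept;
                # invalid connections
                ct state invalid drop;
                # ping
                icmp type echo-request accept;
                # NOTE(review): an "inet" table also sees IPv6, and nothing in
                # this chain matches ICMPv6, so neighbour discovery falls
                # through to the drop policy. If IPv6 is in use on this host,
                # an explicit icmpv6 accept for the NDP types is needed here
                # and in the output chain.
                # ssh
                tcp dport ssh ip saddr 192.168.1.11 accept;
                tcp dport ssh ip saddr 10.10.0.10 accept;
                # http/https
                tcp dport {http,https} ip saddr 10.10.2.1 accept;
                tcp dport {http,https} ip saddr 10.10.0.10 accept;
                # NOTE(review): this unconditional accept opens http/https to
                # every source, which makes the two source-restricted accepts
                # above redundant and the "reject with tcp reset" below
                # unreachable. If the intent is to restrict http/https to the
                # listed sources, remove this line; if it is to serve
                # everyone, the saddr rules and the reject can go. Behaviour
                # kept as-is.
                counter tcp dport {http,https} accept;
                tcp dport {http,https} reject with tcp reset;

                # reject with unreachable for all port
                # icmpx picks ICMP or ICMPv6 to match the packet's family in
                # an inet table.
                tcp dport {1-1023} reject with icmpx type port-unreachable;
        }
        chain forward {
                # This host does not route: nothing is ever forwarded.
                type filter hook forward priority 0; policy drop;
        }
        chain output {
                type filter hook output priority 0; policy drop;
                # allow from loopback
                oifname lo accept;
                # established/related connections
                ct state established,related accept;
                # invalid connections
                ct state invalid drop;
                # ping
                icmp type echo-request accept;
                # dns: the two configured resolvers. TCP/53 is allowed to the
                # same resolvers because stub resolvers retry over TCP for
                # truncated (large/DNSSEC) answers, which a UDP-only
                # allow-list would silently drop.
                udp dport 53 ip daddr 192.168.1.100 accept;
                udp dport 53 ip daddr 10.8.0.132 accept;
                tcp dport 53 ip daddr {192.168.1.100, 10.8.0.132} accept;
                # tcp/5432 (presumably PostgreSQL) to a single database host
                tcp dport 5432 ip daddr 10.10.0.72 accept;
                # apt proxy on tcp/3142
                # NOTE(review): a hostname here is resolved by nft when the
                # file is loaded, so loading depends on DNS being reachable at
                # that moment (e.g. at boot, before the network is up) and
                # fails outright if the name resolves to more than one
                # address; a failed load leaves the host without this
                # ruleset. Prefer the proxy's literal address.
                tcp dport 3142 ip daddr proxyapt.srv.gov.pf accept;
        }
}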
