Minimal firewall
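#!/usr/sbin/nft -f
# Minimal host firewall.  The table is `inet`, so each rule applies to both
# IPv4 and IPv6 unless the match itself is family-specific: `ip saddr`,
# `ip daddr` and `icmp type` only ever match IPv4; `icmpv6 type` only IPv6.
#
# `nft -f` loads this file as a single transaction: `flush ruleset` and the
# table below are committed together, and a parse or name-resolution error
# leaves the previous ruleset untouched.
flush ruleset

table inet filter {
    chain input {
        # Base chain on the input hook; anything no rule accepts is dropped.
        type filter hook input priority 0; policy drop;

        # allow from loopback
        iifname lo accept;

        # established/related connections
        ct state established,related accept;

        # invalid connections
        ct state invalid drop;

        # ping.  `icmp type` never matches ICMPv6, so without the second rule
        # an IPv6-enabled host would drop IPv6 echo and the Neighbor Discovery
        # messages it needs to stay reachable (ND is untracked by conntrack,
        # so the established/related rule above does not cover it).  On an
        # IPv4-only host the second rule simply never matches.
        icmp type echo-request accept;
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, nd-redirect } accept;

        # ssh, only from the two management hosts (IPv4 sources only)
        tcp dport ssh ip saddr { 192.168.1.11, 10.10.0.10 } accept;

        # http/https
        tcp dport { http, https } ip saddr { 10.10.2.1, 10.10.0.10 } accept;
        # NOTE(review): the next rule accepts http/https from ANY source, so
        # the source-restricted rule above is redundant and the `reject`
        # after it is unreachable.  If the web ports are meant to be public,
        # drop the two neighbours; if only the two sources above should reach
        # them, remove the `accept` here (keeping `counter`).  Left as written
        # because the intended exposure is not recoverable from the file.
        counter tcp dport { http, https } accept;
        tcp dport { http, https } reject with tcp reset;

        # Answer probes to the privileged TCP range with port-unreachable
        # instead of silently dropping.  `icmpx` is the family-agnostic reject
        # for `inet` tables (`icmp type` would only answer IPv4 peers).  UDP
        # and TCP ports above 1023 still fall through to the chain policy.
        tcp dport 1-1023 reject with icmpx type port-unreachable;
    }

    chain forward {
        # This host does not route: drop all forwarded traffic.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Egress is allow-listed as well; every new outbound flow needs a rule.
        type filter hook output priority 0; policy drop;

        # allow to loopback
        oifname lo accept;

        # established/related connections
        ct state established,related accept;

        # invalid connections
        ct state invalid drop;

        # outbound ping (IPv4), plus IPv6 echo and the ND messages the host
        # sends to resolve neighbours and discover routers.
        icmp type echo-request accept;
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept;

        # DNS to the two resolvers.  TCP/53 is needed alongside UDP/53:
        # clients retry over TCP when a UDP answer comes back truncated.
        udp dport 53 ip daddr { 192.168.1.100, 10.8.0.132 } accept;
        tcp dport 53 ip daddr { 192.168.1.100, 10.8.0.132 } accept;

        # PostgreSQL
        tcp dport 5432 ip daddr 10.10.0.72 accept;

        # apt proxy.  The hostname is resolved once, when the ruleset is
        # loaded, and the resulting address is what the rule holds: a later
        # DNS change is not seen until `nft -f` runs again, and the load fails
        # outright if the name cannot be resolved at that moment.  Pinning the
        # address here avoids both -- TODO confirm it with the proxy's owner.
        tcp dport 3142 ip daddr proxyapt.srv.gov.pf accept;
    }
}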