Last active
April 28, 2023 15:14
-
-
Save stackcoder/1e53f8ac4fbe72e346a89f06f810a608 to your computer and use it in GitHub Desktop.
A paranoid's minimal nftable config for Debian
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/sbin/nft -f | |
| flush ruleset | |
| table inet filter { | |
| chain input { | |
| type filter hook input priority 0; policy drop; | |
| iif lo accept comment "Accept any localhost traffic" | |
| ct state invalid log prefix "Invalid_In " drop comment "Drop invalid connections" | |
| ct state established,related accept comment "Accept traffic originated from us" | |
| ip6 nexthdr {icmpv6} icmpv6 type {nd-neighbor-solicit, nd-neighbor-advert} limit rate 16/second accept comment "Resolve IPv6 to MAC addresses" | |
| ip protocol {icmp} icmp type {echo-request} limit rate 8/second accept comment "Respond to ping" | |
| ip6 nexthdr {icmpv6} icmpv6 type {echo-request} limit rate 8/second accept comment "Respond to ping" | |
| tcp dport ssh ct state new limit rate 15/minute accept comment "Accept ssh logins, avoid brute force" | |
| #meta pkttype broadcast drop comment "Prevent log flood" | |
| counter log prefix "Drop_In " drop comment "Log dropped traffic" | |
| } | |
| chain forward { | |
| type filter hook forward priority 0; policy drop; | |
| counter log prefix "Drop_Forward " drop comment "Log dropped traffic" | |
| } | |
| chain output { | |
| type filter hook output priority 0; policy drop; | |
| oif lo accept comment "Accept any localhost traffic" | |
| ct state invalid log prefix "Invalid_Out " drop comment "Drop invalid connections" | |
| ct state established,related accept comment "Accept traffic originated from us" | |
| ip6 nexthdr {icmpv6} accept comment "Respond to ICMPv6" | |
| meta skuid {_apt} jump out_dns | |
| meta skuid {_apt} jump out_system-updates | |
| meta skuid {systemd-timesync} jump out_dns | |
| meta skuid {systemd-timesync} jump out_ntp | |
| #meta skgid {with-network} jump out_dns | |
| #meta skgid {with-network} jump out_system-updates | |
| #meta skgid {with-network} jump out_ping | |
| counter log flags skuid prefix "Drop_Out " drop comment "Log dropped traffic" | |
| } | |
| chain out_dns { | |
| tcp dport 53 ct state new accept comment "Accept dns" | |
| udp dport 53 ct state new accept comment "Accept dns" | |
| } | |
| chain out_system-updates { | |
| tcp dport {http, https} ct state new accept comment "Accept downloads" | |
| } | |
| chain out_ntp { | |
| udp dport 123 ct state new accept comment "Accept ntp for time synchronization" | |
| } | |
| #chain out_ping { | |
| # ip protocol {icmp, icmpv6} icmp type { echo-request } ct state new accept comment "Accept ping" | |
| #} | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment