nftables router
# Interface and address variables referenced by the rules further down.
define external = eth0
define internal = eth1
# NOTE(review): $dhcp_range is not referenced by any rule visible on this page;
# confirm it is used in the original file, otherwise it reads as a restriction that
# is never applied.
define dhcp_range = 192.168.1
# Clean out the current ruleset
# NOTE: `flush ruleset` removes every table in every address family, not only the
# tables defined in this file, so rules installed by other tooling are lost on reload.
flush ruleset
table firewall {
# Source addresses dropped unconditionally in chain incoming.
# NOTE(review): the set's elements are not visible on this page; confirm how it is populated.
set blacklist {
type ipv4_addr
# TCP services accepted from any interface (see chain incoming).
set tcp_open_ports {
type inet_service
# NOTE(review): the element list is cut off on this page; review the concrete ports in the original file.
elements = {
# UDP services accepted from any interface (see chain incoming).
set udp_open_ports {
type inet_service
# Traffic addressed to the router itself.
chain incoming {
# NOTE(review): no chain policy is visible on this line. nftables base chains default to
# accept when no policy is declared, so the accept rules below only restrict anything
# if the original file carries `policy drop;` here — confirm.
type filter hook input priority 0
# established/related connections
# NOTE: because this rule comes first, a connection that is already established when
# its source is added to @blacklist keeps working until it ends.
ct state established,related accept
# invalid connections
ct state invalid drop
# bad tcp -> avoid network scanning:
tcp flags & (fin|syn) == (fin|syn) drop
tcp flags & (syn|rst) == (syn|rst) drop
tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) drop
tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) drop
# no ping floods:
# NOTE: these two rules run before the loopback/internal accept further down, so ICMP
# arriving on lo and $internal is rate-limited and dropped as well; move the
# `iif { lo, $internal } accept` rule above them if that is not intended.
ip protocol icmp limit rate 10/second accept
ip protocol icmp drop
# drop connections from blacklisted addresses
ip saddr @blacklist drop
# accept input from loopback and internal interfaces
iif { lo, $internal } accept
# avoid brute force on ssh:
# NOTE: packets over the limit are not dropped here; they fall through to the remaining
# rules and the chain policy. If ssh is also an element of @tcp_open_ports (elements not
# visible here), the next rule accepts them anyway and the limit has no effect.
tcp dport ssh limit rate 15/minute accept
# allow open tcp ports
tcp dport @tcp_open_ports accept
# allow open udp ports
udp dport @udp_open_ports accept
# Routed traffic between the two interfaces.
chain forwarding {
# NOTE(review): as with chain incoming, no policy is visible; without `policy drop;`
# new connections from $external to $internal are forwarded by default, because only
# the established/related case is matched below.
type filter hook forward priority 0
iif $external oif $internal ct state established,related accept
iif $internal oif $external accept
# Locally generated traffic; no rules for this chain are visible on this page.
chain outgoing {
type filter hook output priority 0
table nat {
# Port -> internal host mappings intended for DNAT.
# NOTE(review): no rule in chain prerouting below references @tcp_forwarding or
# @udp_forwarding on this page; the dnat rules and the map elements may have been
# lost in extraction — check the original file before relying on this listing.
map tcp_forwarding {
type inet_service : ipv4_addr
map udp_forwarding {
type inet_service : ipv4_addr
chain prerouting {
type nat hook prerouting priority 0
chain postrouting {
type nat hook postrouting priority 0
# Source-NAT all traffic leaving via the external interface to that interface's address.
oif $external masquerade
# -*- mode: ruby -*-
# vi: set ft=ruby :
# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
# All Vagrant configuration is done here. The most common configuration
# options are documented and commented below. For a complete reference,
# please see the online documentation at
# Every Vagrant virtual environment requires a box to build off of. = 'archlinux64'
config.vm.define 'client' do |client| :private_network, ip: '', auto_config: false
config.vm.define "router", primary: true do |router| :private_network, ip: '', auto_config: false
