FollieHiyuki-dotfiles/system/etc/nftables.conf

82 lines
2.3 KiB
Plaintext
Raw Normal View History

2021-06-13 00:37:06 -04:00
#!/sbin/nft -f
# References
# https://wiki.gentoo.org/wiki/Nftables/Examples
# https://wiki.archlinux.org/title/Nftables
# https://github.com/krabelize/nftables-firewall-config/blob/master/nftables.conf
# https://github.com/atweiden/archvault/blob/master/resources/etc/nftables.conf
flush ruleset
# TCP ports to accept (both IPv4 and IPv6)
#define ACCEPT_TCP_PORTS = {}
# UDP ports to accept (both IPv4 and IPv6)
#define ACCEPT_UDP_PORTS = {}
table inet filter {
# Default to drop all inbound traffic, unless they meet our criteria
chain input {
type filter hook input priority 0; policy drop;
ct state invalid counter drop
ct state {established,related} counter accept
iif lo accept
iif != lo ip daddr 127.0.0.1/8 counter drop
iif != lo ip6 daddr ::1/128 counter drop
# Accept user-defined ports
#tcp dport $ACCEPT_TCP_PORTS counter accept
#udp dport $ACCEPT_UDP_PORTS counter accept
# Rate limit on SSH port
#tcp dport ssh ct state new limit rate 6/minute accept
# Mitigate ping floods
2021-06-14 02:47:54 -04:00
ip protocol icmp icmp type {echo-reply, echo-request} limit rate over 1/second burst 4 packets drop
ip6 nexthdr icmpv6 icmpv6 type {echo-reply, echo-request} limit rate over 1/second burst 4 packets drop
2021-06-13 00:37:06 -04:00
ip protocol icmp icmp type {
echo-reply,
echo-request,
destination-unreachable,
time-exceeded,
parameter-problem,
router-advertisement,
router-solicitation
} counter accept
ip6 nexthdr icmpv6 icmpv6 type {
echo-reply,
echo-request,
destination-unreachable,
mld-listener-query,
mld-listener-reduction,
mld-listener-report,
mld2-listener-report,
packet-too-big,
time-exceeded,
parameter-problem
} counter accept
counter comment "Count dropped packets"
#log prefix "[nftables] Inbound Denied: " flags all counter drop
}
# Route your own packets! I'm not your router.
# Can be enabled while using VPN (for tunneling)
chain forward {
type filter hook forward priority 0; policy drop;
counter comment "Count dropped packets"
#log prefix "[nftables] Forward Denied: " flags all counter drop
}
# Accept all outbound traffic
chain output {
type filter hook output priority 0; policy accept;
counter comment "Count accepted packets"
#log prefix "[nftables] Outbound Accepted: " flags all counter accpet
}
}