#!/sbin/nft -f
#
# Host firewall: a single inet (IPv4 + IPv6) filter table. Inbound and
# forward chains default to drop, outbound defaults to accept; see the
# per-chain comments below.
#
# References
# https://wiki.gentoo.org/wiki/Nftables/Examples
# https://wiki.archlinux.org/title/Nftables
# https://github.com/krabelize/nftables-firewall-config/blob/master/nftables.conf
# https://github.com/atweiden/archvault/blob/master/resources/etc/nftables.conf

# Start from an empty ruleset so loading this file replaces, rather than
# appends to, whatever is currently active.
flush ruleset

# TCP ports to accept (both IPv4 and IPv6)
# Kept commented out together with the matching "tcp dport" rule in chain
# input: fill the set (constructed example: { ssh, https }) and uncomment
# both the define and the rule to open ports.
#define ACCEPT_TCP_PORTS = {}

# UDP ports to accept (both IPv4 and IPv6)
# Same pairing as above with the "udp dport" rule in chain input.
#define ACCEPT_UDP_PORTS = {}
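table inet filter {
    # Default to drop all inbound traffic, unless they meet our criteria
    chain input {
        type filter hook input priority 0; policy drop;

        # Drop what conntrack cannot classify; accept replies to traffic this
        # host initiated (covers outbound DNS, HTTP, etc. without per-port rules).
        ct state invalid counter drop
        ct state {established,related} counter accept

        # Loopback: accept on lo, and drop anything addressed to a loopback
        # address that arrives on a non-loopback interface.
        iif lo accept
        iif != lo ip daddr 127.0.0.1/8 counter drop
        iif != lo ip6 daddr ::1/128 counter drop

        # Accept user-defined ports
        # Disabled together with the ACCEPT_*_PORTS defines at the top of the
        # file; enable the define and its rule as a pair.
        #tcp dport $ACCEPT_TCP_PORTS counter accept
        #udp dport $ACCEPT_UDP_PORTS counter accept

        # Rate limit on SSH port
        #tcp dport ssh ct state new limit rate 6/minute accept

        # Mitigate ping floods: echo traffic above 1/second (burst 4) is dropped
        # here, before it can reach the ICMP accept lists below.
        ip protocol icmp icmp type {echo-reply, echo-request} limit rate over 1/second burst 4 packets drop
        ip6 nexthdr icmpv6 icmpv6 type {echo-reply, echo-request} limit rate over 1/second burst 4 packets drop

        # ICMPv4 types needed for path MTU discovery, traceroute and error
        # reporting; everything else ICMP falls through to the drop policy.
        ip protocol icmp icmp type {
            echo-reply,
            echo-request,
            destination-unreachable,
            time-exceeded,
            parameter-problem,
            router-advertisement,
            router-solicitation
        } counter accept

        # ICMPv6 types. Neighbor/router discovery (nd-*) is not tracked by
        # conntrack, so the established/related accept above never matches it;
        # with policy drop it has to be accepted explicitly or IPv6 neighbor
        # resolution and SLAAC stop working once the neighbor cache expires.
        # nd-router-advert is only meaningful from an on-link router (hop limit
        # 255 is enforced by the kernel's ND validation, not by this ruleset).
        ip6 nexthdr icmpv6 icmpv6 type {
            echo-reply,
            echo-request,
            destination-unreachable,
            mld-listener-query,
            mld-listener-reduction,
            mld-listener-report,
            mld2-listener-report,
            packet-too-big,
            time-exceeded,
            parameter-problem,
            nd-router-solicit,
            nd-router-advert,
            nd-neighbor-solicit,
            nd-neighbor-advert
        } counter accept

        # Everything that reaches this point is dropped by the chain policy;
        # the bare counter makes the drop volume visible in "nft list ruleset".
        counter comment "Count dropped packets"
        #log prefix "[nftables] Inbound Denied: " flags all counter drop
    }

    # Route your own packets! I'm not your router.
    # Can be enabled while using VPN (for tunneling)
    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "Count dropped packets"
        #log prefix "[nftables] Forward Denied: " flags all counter drop
    }

    # Accept all outbound traffic
    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "Count accepted packets"
        # Verdict spelled "accept" (was "accpet"), so the rule parses if it is
        # ever uncommented instead of failing the whole ruleset load.
        #log prefix "[nftables] Outbound Accepted: " flags all counter accept
    }
}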