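#!/usr/sbin/nft -f
#
# Host firewall, rendered through Mako (the lines starting with a percent
# sign and the dollar-brace expressions are template directives, not nft).
# Baseline policy: drop inbound, accept forwarded and outbound traffic; the
# `input`, `forward` and `output` sequences supplied by the generator append
# the site-specific rules at the end of each chain.
#
# NOTE(review): the generated rules are inserted verbatim and sorted
# lexically, so their relative order in the rendered chain is string order,
# not declaration order. nftables evaluates a chain top to bottom and stops
# at the first terminal verdict (accept/drop/reject), so a pair of rules
# whose order matters (e.g. a narrow `drop` that must precede a broad
# `accept`) only works if the strings happen to sort that way. The generator
# is also the only place where the rule strings are validated: a string that
# is not a single well-formed nft rule could close the chain early or add an
# unintended verdict.

# Replaces every table in every family, including tables owned by other
# tools (container runtimes, libvirt, fail2ban, ...). Those tools must
# re-apply their rules after this file is loaded; if their tables have to
# survive, switch to flushing only `table inet filter`.
flush ruleset

table inet filter {
    # INPUT
    chain input {
        type filter hook input priority 0
        policy drop

        # allow loopback
        iifname lo accept

        # allow established/related. Conntrack-invalid packets are dropped
        # here, before any of the per-type accepts below could match them.
        ct state vmap { established : accept, related : accept, invalid : drop }

        # allow ping (replies to pings we send arrive as `established`)
        icmp type echo-request accept
        icmpv6 type echo-request accept

        # allow neighbour discovery. RFC 4861 requires ND packets to carry a
        # hop limit of 255; a packet that has been routed cannot have it, so
        # the check refuses RAs/NAs injected from off-link. The kernel's ND
        # code also rejects such packets; matching it here is defence in
        # depth and keeps this accept from doubling as a hole for crafted
        # ICMPv6 that only looks like ND.
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } ip6 hoplimit 255 accept

        # allow MLD from the link. Switches doing MLD snooping stop
        # delivering the solicited-node multicast that ND depends on when a
        # host never answers the router's listener queries, so dropping these
        # silently breaks IPv6 after the snooping timer expires (RFC 4890
        # section 4.4.1). MLD is always sent from a link-local source.
        icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } ip6 saddr fe80::/10 accept

        # ICMPv6 error messages for tracked flows (packet-too-big,
        # destination-unreachable, time-exceeded, parameter-problem) are
        # accepted by the `related` entry of the vmap above, so path MTU
        # discovery works without a separate rule.

        # rules
        % for rule in sorted(input):
        ${rule}
        % endfor
    }

    # FORWARD
    chain forward {
        type filter hook forward priority 0
        # NOTE(review): accept-by-default means that once IP forwarding is
        # enabled in the kernel, every packet reaching this chain is routed.
        # That is appropriate only for a host that is meant to be a router;
        # a plain host should use `policy drop` here. Left unchanged because
        # the rendered `forward` rules may rely on the permissive default.
        policy accept

        # rules
        % for rule in sorted(forward):
        ${rule}
        % endfor
    }

    # OUTPUT
    chain output {
        type filter hook output priority 0
        # outbound traffic is unrestricted; egress controls go in `output`
        policy accept

        # rules
        % for rule in sorted(output):
        ${rule}
        % endfor
    }
}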