#!/usr/sbin/nft -f
# nftables ruleset rendered from a template. The nat/input/forward/output
# collections are emitted in sorted() order, i.e. lexicographically, not in
# the order they were declared. nft evaluates a chain top-down and the first
# terminal verdict (accept/drop/reject) wins, so author generated rules with
# that ordering in mind.

flush ruleset

% if nat:
# IPv4 source NAT only; this table does not touch IPv6.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # generated rules
        % for rule in sorted(nat):
        ${rule}
        % endfor
    }
}
% endif

# Combined IPv4/IPv6 filter table.
table inet filter {
    chain input {
        # default-deny: anything not explicitly accepted below is dropped
        type filter hook input priority 0; policy drop;

        # loopback
        iifname lo accept

        # connection tracking: packets belonging to a tracked flow are
        # accepted, packets that fit no tracked flow are dropped
        ct state vmap { established : accept, related : accept, invalid : drop }

        # ping, both address families
        icmp type echo-request accept
        icmpv6 type echo-request accept

        # IPv6 neighbour discovery. The set below does not include
        # nd-router-solicit or the MLD types; if this host needs them they
        # have to come from the generated input rules.
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

        # generated rules
        % for rule in sorted(input):
        ${rule}
        % endfor
    }

    chain forward {
        # default-allow for forwarded traffic: any restriction has to come
        # from the generated rules, and unlike input this chain does not
        # drop ct state invalid packets
        type filter hook forward priority 0; policy accept;

        # generated rules
        % for rule in sorted(forward):
        ${rule}
        % endfor
    }

    chain output {
        # default-allow for locally generated traffic
        type filter hook output priority 0; policy accept;

        # generated rules
        % for rule in sorted(output):
        ${rule}
        % endfor
    }
}