65 lines
1.4 KiB
Text
65 lines
1.4 KiB
Text
#!/usr/sbin/nft -f
|
|
|
|
flush ruleset
|
|
|
|
table inet filter {
|
|
|
|
# INPUT
|
|
|
|
chain input {
|
|
type filter hook input priority 0;
|
|
policy drop;
|
|
|
|
# Allow traffic from established and related packets, drop invalid
|
|
ct state vmap { established : accept, related : accept, invalid : drop }
|
|
|
|
# Allow loopback traffic.
|
|
iifname lo accept
|
|
|
|
# accepting ping (icmp-echo-request) for diagnostic purposes.
|
|
icmp type echo-request limit rate 5/second accept
|
|
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
|
|
|
|
# Jump to chain according to layer 3 protocol using a verdict map
|
|
meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
|
|
|
|
#rules
|
|
% for rule in sorted(input):
|
|
${rule}
|
|
% endfor
|
|
}
|
|
|
|
chain inbound_ipv4 {
|
|
# accepting ping (icmp-echo-request) for diagnostic purposes.
|
|
icmp type echo-request limit rate 5/second accept
|
|
}
|
|
|
|
chain inbound_ipv6 {
|
|
# accept neighbour discovery otherwise connectivity breaks
|
|
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
|
|
|
|
# accepting ping (icmpv6-echo-request) for diagnostic purposes.
|
|
icmpv6 type echo-request limit rate 5/second accept
|
|
}
|
|
|
|
# FORWARD
|
|
|
|
chain forward {
|
|
type filter hook forward priority 0;
|
|
|
|
#rules
|
|
% for rule in sorted(forward):
|
|
${rule}
|
|
% endfor
|
|
}
|
|
|
|
# OUTPUT
|
|
|
|
chain output {
|
|
type filter hook output priority 0;
|
|
|
|
% for rule in sorted(output):
|
|
${rule}
|
|
% endfor
|
|
}
|
|
}
|