49 lines
928 B
Plaintext
49 lines
928 B
Plaintext
#!/usr/bin/nft -f
|
|
# ipv4/ipv6 Simple & Safe Firewall
|
|
# you can find examples in /usr/share/nftables/
|
|
|
|
table inet filter {
|
|
chain input {
|
|
type filter hook input priority 0;
|
|
|
|
# allow established/related connections
|
|
ct state {established, related} accept
|
|
|
|
# early drop of invalid connections
|
|
ct state invalid drop
|
|
|
|
# allow from loopback
|
|
iifname lo accept
|
|
|
|
# allow icmp
|
|
ip protocol icmp accept
|
|
meta l4proto ipv6-icmp accept
|
|
|
|
# Accept from VPN
|
|
iifname overlay accept;
|
|
|
|
# allow ssh
|
|
tcp dport {ssh, http, https, tinc} accept
|
|
udp dport {tinc} accept
|
|
|
|
tcp dport 53 accept
|
|
udp dport 53 accept
|
|
|
|
udp dport 60000-61000 accept
|
|
|
|
# everything else
|
|
reject with icmpx type port-unreachable
|
|
drop;
|
|
}
|
|
chain forward {
|
|
type filter hook forward priority 0;
|
|
drop
|
|
}
|
|
chain output {
|
|
type filter hook output priority 0;
|
|
}
|
|
|
|
}
|
|
|
|
# vim:set ts=2 sw=2 et:
|