Merge branch 'nftables/first-commit'
commit
1a038c2226
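--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -0,0 +1,60 @@
+#!/usr/sbin/nft -f
+
+#flush ruleset
+
+table ip filter {
+chain INPUT {
+type filter hook input priority 0; policy drop;
+ct state related,established accept
+meta l4proto ipv6-icmp accept
+meta l4proto icmp accept
+
+meta l4proto udp udp dport 53 accept
+
+udp dport 53 accept
+tcp dport 53 accept
+
+udp dport 6666 accept
+udp dport 51280 accept
+
+tcp dport 6073 accept
+tcp dport 443 accept
+tcp dport 80 accept
+tcp dport 22 accept
+
+ip saddr 127.0.0.0/8 accept
+}
+chain FORWARD {
+type filter hook forward priority 0; policy drop;
+}
+chain OUTPUT {
+type filter hook output priority 0; policy accept;
+tcp sport 25 drop
+}
+}
+
+table ip6 filter {
+chain INPUT {
+type filter hook input priority 0; policy drop;
+ct state related,established accept
+meta l4proto ipv6-icmp accept
+
+udp dport 53 accept
+tcp dport 53 accept
+
+tcp dport 6073 accept
+tcp dport 443 accept
+tcp dport 80 accept
+tcp dport 22 accept
+
+ip6 saddr ::1/128 accept
+ip6 saddr 2001:470:c844::/48 accept
+}
+chain FORWARD {
+type filter hook forward priority 0; policy accept;
+}
+chain OUTPUT {
+type filter hook output priority 0; policy accept;
+tcp sport 25 drop
+}
+}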
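Review bot: With `#flush ruleset` commented out at the top of the file, every `nft -f` reload appends the rules again to the existing `filter` tables and never retires a rule that was removed from this file, so after the first reload the file no longer describes the effective policy; uncommenting it to `flush ruleset` is the usual fix, with the caveat that it also clears any tables other tooling has created. The loopback exemption `ip saddr 127.0.0.0/8 accept` keys on a spoofable source address rather than the interface; `iif lo accept` is the conventional form, and the same applies to `ip6 saddr ::1/128 accept`. The `ip6` table's FORWARD chain uses `policy accept` while the `ip` table's uses `policy drop`, which looks unintentional and would leave IPv6 forwarding unfiltered if forwarding is enabled on the host. Minor cleanups: `meta l4proto ipv6-icmp accept` in the `ip` family table can never match, and `meta l4proto udp udp dport 53 accept` duplicates the following `udp dport 53 accept`.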