nftables: add configuration file.

2024-06-18 23:20:41 +02:00 · 2024-06-18 23:20:41 +02:00 · 4a5262a5d1
parent 3efdeeb28b
commit 4a5262a5d1
1 changed files with 61 additions and 0 deletions
--- a/files/nftables.conf
+++ b/files/nftables.conf
@ -0,0 +1,61 @@
+#!/usr/sbin/nft -f
+
+#flush ruleset
+
+table ip filter {
+	chain INPUT {
+		type filter hook input priority 0; policy drop;
+		ct state related,established accept
+		meta l4proto ipv6-icmp accept
+		meta l4proto icmp accept
+
+		meta l4proto udp udp dport 53 accept
+
+		udp dport 53 accept
+		tcp dport 53 accept
+
+		udp dport 6666 accept
+		udp dport 51280 accept
+		
+		tcp dport 6073 accept
+		tcp dport 443 accept		
+		tcp dport 80 accept
+		tcp dport 22 accept
+
+		ip saddr 127.0.0.0/8 accept
+	}
+	chain FORWARD {
+		type filter hook forward priority 0; policy drop;
+	}
+	chain OUTPUT {
+		type filter hook output priority 0; policy accept;
+		tcp sport 25 drop
+	}
+}
+
+table ip6 filter {
+	chain INPUT {
+		type filter hook input priority 0; policy drop;
+		ct state related,established accept
+		meta l4proto ipv6-icmp accept
+
+		udp dport 53 accept
+		tcp dport 53 accept
+
+		tcp dport 6073 accept
+		tcp dport 443 accept
+		tcp dport 80 accept
+		tcp dport 22 accept
+
+		ip6 saddr ::1/128 accept
+		ip6 saddr 2001:470:c844::/48 accept
+	}
+	chain FORWARD {
+		type filter hook forward priority 0; policy accept;
+	}
+	chain OUTPUT {
+		type filter hook output priority 0; policy accept;
+		tcp sport 25 drop
+	}
+}
+