1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
#!/usr/sbin/nft -f
flush ruleset
table inet firewall {
chain inbound {
# By default, drop all traffic unless it meets a filter
# criteria specified by the rules that follow below.
type filter hook input priority 0; policy drop;
# Allow traffic from established and related packets.
ct state established,related accept
# Drop invalid packets.
ct state invalid drop
# Allow loopback traffic.
iifname lo accept
# Allow local vlan traffic.
iifname eth1 accept
# Allow all ICMP and IGMP traffic, but enforce a rate limit
# to help prevent some types of flood attacks.
ip protocol icmp limit rate 5/second accept
ip6 nexthdr ipv6-icmp limit rate 5/second accept
ip protocol igmp limit rate 5/second accept
# Allow SSH on port 22.
tcp dport 22 accept
}
chain forward {
# Drop everything (assumes this device is not a router)
type filter hook forward priority 0; policy drop;
}
chain outbound {
# Allow all outbound traffic
type filter hook output priority 0; policy accept;
}
}
include "/etc/nftables.d/*.nft"