33 lines
946 B
Plaintext
33 lines
946 B
Plaintext
#!/usr/bin/nft -f
|
|
# vim:set ts=2 sw=2 et:
|
|
|
|
destroy table inet filter
|
|
destroy table ip filter-custom
|
|
|
|
table inet filter {
|
|
chain input {
|
|
type filter hook input priority filter
|
|
policy drop
|
|
|
|
ct state invalid drop comment "early drop of invalid connections"
|
|
ct state {established, related} accept comment "allow tracked connections"
|
|
iif lo accept comment "allow from loopback"
|
|
ip protocol icmp accept comment "allow icmp"
|
|
meta l4proto ipv6-icmp accept comment "allow icmp v6"
|
|
tcp dport ssh accept comment "allow sshd"
|
|
pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
|
|
counter
|
|
}
|
|
|
|
chain forward {
|
|
type filter hook forward priority filter + 1; policy drop;
|
|
}
|
|
}
|
|
|
|
table ip filter-custom {
|
|
chain forward {
|
|
type filter hook forward priority filter - 1; policy accept;
|
|
ct state established,related accept
|
|
ip saddr 172.16.0.0/12 ip daddr 192.168.0.0/16 drop
|
|
}
|
|
} |