add nftables config
This commit is contained in:
parent
e2794fe0df
commit
454fe253e2
1 changed files with 53 additions and 0 deletions
53
.config/nftables.conf
Normal file
53
.config/nftables.conf
Normal file
|
@ -0,0 +1,53 @@
|
|||
#!/usr/bin/nft -f
|
||||
# vim:set ts=2 sw=2 et:
|
||||
|
||||
# IPv4/IPv6 Simple & Safe firewall ruleset.
|
||||
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
|
||||
|
||||
flush ruleset
|
||||
|
||||
table inet filter {
|
||||
set LANv4 {
|
||||
type ipv4_addr
|
||||
flags interval
|
||||
|
||||
elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }
|
||||
}
|
||||
|
||||
set LANv6 {
|
||||
type ipv6_addr
|
||||
flags interval
|
||||
|
||||
elements = { fd00::/8, fe80::/10 }
|
||||
}
|
||||
|
||||
chain input_lan {
|
||||
udp sport 1900 udp dport >= 1024 meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"
|
||||
udp sport netbios-ns udp dport >= 1024 meta pkttype unicast accept comment "Accept Samba Workgroup browsing replies"
|
||||
}
|
||||
|
||||
chain input {
|
||||
type filter hook input priority filter
|
||||
policy drop
|
||||
|
||||
ct state invalid drop comment "early drop of invalid connections"
|
||||
ct state {established, related} accept comment "allow tracked connections"
|
||||
iifname lo accept comment "allow from loopback"
|
||||
ip protocol icmp accept comment "allow icmp"
|
||||
meta l4proto ipv6-icmp accept comment "allow icmp v6"
|
||||
|
||||
#tcp dport ssh accept comment "allow sshd"
|
||||
udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS"
|
||||
udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"
|
||||
|
||||
pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
|
||||
ip6 saddr @LANv6 jump input_lan comment "Connections from private IP address ranges"
|
||||
ip saddr @LANv4 jump input_lan comment "Connections from private IP address ranges"
|
||||
counter
|
||||
}
|
||||
|
||||
chain forward {
|
||||
type filter hook forward priority filter
|
||||
policy drop
|
||||
}
|
||||
}
|
Loading…
Reference in a new issue