#!/usr/bin/nft -f
# /etc/nftables.conf -- loaded with `nft -f`. This file does not start with
# `flush ruleset`, so re-running it against a live kernel appends a second copy
# of every rule instead of replacing the ruleset; add `flush ruleset` above the
# first table (or run `nft flush ruleset` first) when reloading.
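table inet filter {
	# Host firewall for both IPv4 and IPv6 (inet family).
	chain input {
		# Explicit drop policy: the base-chain default is accept, so anything
		# that slipped past the final reject rule would otherwise be let in.
		type filter hook input priority 0; policy drop;

		# allow established/related connections
		ct state {established, related} counter accept

		# early drop of invalid connections
		ct state invalid counter drop

		# allow from loopback
		iifname lo counter accept

		# allow icmp (all IPv4 types, including echo-request; narrow with
		# `icmp type { ... }` if the host should not answer ping)
		ip protocol icmp counter accept

		# allow icmpv6. `meta l4proto` walks IPv6 extension headers;
		# `ip6 nexthdr icmpv6` only matches when ICMPv6 is the very next
		# header, so packets carrying e.g. a hop-by-hop header (MLD) would
		# be rejected. ICMPv6 must stay open enough for NDP (types 133-137)
		# or IPv6 connectivity on the link breaks.
		meta l4proto ipv6-icmp counter accept

		# allow ssh -- currently disabled. With the reject rule below, loading
		# this file on a remote host cuts off SSH access; uncomment before
		# applying remotely.
		# tcp dport ssh counter accept

		# everything else. `icmpx` covers both families in an inet table;
		# `reject with icmp type` is IPv4-only (nft adds an implicit
		# `meta nfproto ipv4`), which would let unmatched IPv6 traffic fall
		# through to the chain policy instead of being rejected.
		counter reject with icmpx type port-unreachable
	}

	chain forward {
		# The nat table masquerades traffic leaving wlan0, i.e. this host is
		# expected to route. A bare `# drop` comment does nothing; without a
		# policy the base chain accepts every forwarded packet. Drop by
		# default and permit only reply traffic and new flows heading out
		# wlan0 (the path the masquerade rule NATs). If this host must not
		# route at all, delete the two accept rules. Pinning the inbound LAN
		# interface (`iifname <lan> oifname "wlan0"`) is tighter once it is
		# known; it is not visible from this file.
		type filter hook forward priority 0; policy drop;
		ct state {established, related} counter accept
		ct state invalid counter drop
		oifname "wlan0" counter accept
	}

	chain output {
		# Outbound traffic from this host is unrestricted (base-chain default).
		type filter hook output priority 0; policy accept;
	}
}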
table ip nat {
	# IPv4-only NAT (family `ip`): forwarded IPv6 traffic is never rewritten.
	chain prerouting {
		# No destination-NAT rules; the chain exists so the hook is registered.
		type nat hook prerouting priority 0; policy accept;
	}

	chain postrouting {
		type nat hook postrouting priority 0; policy accept;
		# Source-NAT every packet that exits via wlan0 to that interface's
		# address. Whether a packet is allowed to be forwarded at all is
		# decided by the filter table's forward chain, not here.
		oifname "wlan0" counter masquerade
	}
}