path: root/firewall/nftables.conf



#!/usr/sbin/nft -f

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iifname lo accept
		ct state established,related accept
		tcp dport ssh ct state new accept
		tcp dport http ct state new accept
		tcp dport https ct state new accept
		tcp dport imaps ct state new accept
		tcp dport submission ct state new accept
		tcp dport smtp ct state new accept

		# ICMP: errors, pings
		ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept
		# ICMPv6: errors, pings, routing
		ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"

		# Reject other packets
		ip protocol tcp reject with tcp reset
	}
	chain forward {
		type filter hook forward priority 0; policy drop;
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}

include "/etc/nftables/fail2ban.conf"
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iifname lo accept
		ct state established,related accept
		tcp dport ssh ct state new accept
		tcp dport http ct state new accept
		tcp dport https ct state new accept
		tcp dport imaps ct state new accept
		tcp dport submission ct state new accept
		tcp dport smtp ct state new accept

		# ICMP: errors, pings
		ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept
		# ICMPv6: errors, pings, routing
		ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"

		# Reject other packets
		ip protocol tcp reject with tcp reset
	}
	chain forward {
		type filter hook forward priority 0; policy drop;
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}

include "/etc/nftables/fail2ban.conf"