author | Mateja <mail@matejamaric.com> | 2021-04-03 00:37:03 +0200 |
committer | Mateja <mail@matejamaric.com> | 2021-04-03 00:37:03 +0200 |
commit | a945feb02f6d64df2219ea1044251a7fe2ea98fc (patch) | |
tree | fe0242495eb35317fd5358e403a047657dfa04b5 /firewall/nftables.conf | |
Initial commit.
Diffstat (limited to 'firewall/nftables.conf')
-rwxr-xr-x | firewall/nftables.conf | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/firewall/nftables.conf b/firewall/nftables.conf
new file mode 100755
index 0000000..d5e7f25
--- /dev/null
+++ b/firewall/nftables.conf
@@ -0,0 +1,33 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ iifname lo accept
+ ct state established,related accept
+ tcp dport ssh ct state new accept
+ tcp dport http ct state new accept
+ tcp dport https ct state new accept
+ tcp dport imaps ct state new accept
+ tcp dport submission ct state new accept
+ tcp dport smtp ct state new accept
+
+ # ICMP: errors, pings
+ ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept
+ # ICMPv6: errors, pings, routing
+ ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
+
+ # Reject other packets
+ ip protocol tcp reject with tcp reset
+ }
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+}
+
+include "/etc/nftables/fail2ban.conf" |
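Review bot: `ip protocol tcp reject with tcp reset` at the end of the input chain matches only IPv4, so unsolicited IPv6 TCP connections fall through to `policy drop` and time out instead of being refused; `meta l4proto tcp reject with tcp reset` gives both families the same treatment. Likewise, `ip6 nexthdr icmpv6` matches only when ICMPv6 is the first header after the fixed IPv6 header, so ICMPv6 carried behind an extension header is dropped — `meta l4proto ipv6-icmp` is the usual form, and it lets the rule be narrowed to the types the host actually needs (`meta l4proto ipv6-icmp icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept`) the way the IPv4 rule already is, rather than accepting every type as the comment says. There is also no `ct state invalid drop` ahead of `ct state established,related accept`, so malformed or out-of-window packets are not matched by the `ct state new` port rules and, for IPv4 TCP, end up answered with a reset by the reject rule. The trailing `include` of fail2ban's file together with `flush ruleset` at the top presumably means bans fail2ban added at runtime are discarded every time this file is reloaded unless fail2ban is restarted afterwards; if that is the intended procedure, a comment above the include saying so would help the next operator.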