authorMateja <mail@matejamaric.com>2021-04-03 00:37:03 +0200
committerMateja <mail@matejamaric.com>2021-04-03 00:37:03 +0200
commita945feb02f6d64df2219ea1044251a7fe2ea98fc (patch)
treefe0242495eb35317fd5358e403a047657dfa04b5 /firewall/nftables.conf
Initial commit.
Diffstat (limited to 'firewall/nftables.conf')
-rwxr-xr-xfirewall/nftables.conf33
1 files changed, 33 insertions, 0 deletions
diff --git a/firewall/nftables.conf b/firewall/nftables.conf
new file mode 100755
index 0000000..d5e7f25
--- /dev/null
+++ b/firewall/nftables.conf
@@ -0,0 +1,33 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ iifname lo accept
+ ct state established,related accept
+ tcp dport ssh ct state new accept
+ tcp dport http ct state new accept
+ tcp dport https ct state new accept
+ tcp dport imaps ct state new accept
+ tcp dport submission ct state new accept
+ tcp dport smtp ct state new accept
+
+ # ICMP: errors, pings
+ ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept
+ # ICMPv6: errors, pings, routing
+ ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
+
+ # Reject other packets
+ ip protocol tcp reject with tcp reset
+ }
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+}
+
+include "/etc/nftables/fail2ban.conf"
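Review bot: The ICMPv6 rule `ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"` accepts every ICMPv6 type while the comment right above it promises only errors, pings and routing, and `ip6 nexthdr` inspects only the fixed IPv6 header's Next Header field, so ICMPv6 carried behind an extension header misses this rule and falls through to the chain's drop policy. Matching on the transport protocol and listing the needed types keeps the comment honest and is robust to extension headers: `meta l4proto ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept`. Separately, there is no `ct state invalid drop` before `ct state established,related accept`, so conntrack-invalid TCP segments reach the final `ip protocol tcp reject with tcp reset` line and are answered with an RST instead of being dropped; `ct state invalid drop` placed right after `iifname lo accept` closes that. The trailing `include "/etc/nftables/fail2ban.conf"` presumably makes the whole atomic load fail when that file is absent (for example at first boot before fail2ban has written it), leaving the host with the previous or no ruleset rather than this one — worth a comment next to the include so the dependency is explicit.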