diff options
Diffstat (limited to 'firewall/nftables.conf')
-rwxr-xr-x | firewall/nftables.conf | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/firewall/nftables.conf b/firewall/nftables.conf new file mode 100755 index 0000000..d5e7f25 --- /dev/null +++ b/firewall/nftables.conf @@ -0,0 +1,33 @@ +#!/usr/sbin/nft -f + +flush ruleset + +table inet filter { + chain input { + type filter hook input priority 0; policy drop; + iifname lo accept + ct state established,related accept + tcp dport ssh ct state new accept + tcp dport http ct state new accept + tcp dport https ct state new accept + tcp dport imaps ct state new accept + tcp dport submission ct state new accept + tcp dport smtp ct state new accept + + # ICMP: errors, pings + ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept + # ICMPv6: errors, pings, routing + ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types" + + # Reject other packets + ip protocol tcp reject with tcp reset + } + chain forward { + type filter hook forward priority 0; policy drop; + } + chain output { + type filter hook output priority 0; policy accept; + } +} + +include "/etc/nftables/fail2ban.conf" |