update `nftables` config
parent
f183fa7b94
commit
bb751513fb
@ -1,15 +1,31 @@
#!/usr/sbin/nft -f
#!/usr/sbin/nft -f
flush ruleset
flush ruleset
table inet filter {
table inet filter {
chain input {
chain inbound {
type filter hook input priority filter; policy drop;
type filter hook input priority 0; policy drop;
# accept any localhost traffic
iif lo accept
iif lo accept comment "Accept loopback traffic"
# accept traffic originated from us
meta l4proto { icmp, ipv6-icmp } accept comment "Accept all icmp/icmpv6 traffic"
ct state established,related accept
ct state vmap { established : accept, related : accept, invalid : drop } comment "Allow traffic from established and related connections, drop invalid"
# accept neighbour discovery otherwise connectivity breaks
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
tcp dport ssh accept comment "Accept SSH on port 22"
udp dport 1194 accept comment "Accept VPN on port 1194"
# log prefix "[nftables] Inbound Denied: " counter drop comment "Log denied traffic"
}
chain forward {
type filter hook forward priority 0; policy drop;
iifname "padova" accept
}
}
table inet nat {
chain prerouting {
type nat hook prerouting priority -100;
}
chain postrouting {
type nat hook postrouting priority 100;
oifname "eth0" masquerade
}
}
}
}
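Review bot: The `chain forward` added in this change runs with `policy drop` and its only rule is `iifname "padova" accept`, so reply packets of the flows it forwards, which enter on the other interface, have no matching rule and are dropped by the policy; add `ct state vmap { established : accept, related : accept, invalid : drop }` before `iifname "padova" accept`, the same form the inbound chain already uses. The masquerade rule in `chain postrouting` is `oifname "eth0" masquerade` with no source constraint, and assuming this host is meant as a VPN gateway it could be narrowed to `iifname "padova" oifname "eth0" masquerade` so only traffic arriving from the tunnel is NATed. Note also that `meta l4proto { icmp, ipv6-icmp } accept` replaces the previous explicit neighbour-discovery type list and now admits every ICMP/ICMPv6 type; a comment recording that this widening is intentional, or a `limit rate` qualifier on that rule, would document the choice. The side-by-side rendering makes the old/new assignment of some lines uncertain, so the above reads the right-hand column as the new configuration.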