My Default Nftables Rules
It’s just a simple note.
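#!/usr/sbin/nft -f
# Default host ruleset: default-deny on the input, forward and output hooks.
# Every rule carries `counter` so hits can be inspected with `nft list ruleset`.

flush ruleset

table inet filter {
    # Source addresses allowed to reach the SSH port. `flags interval` lets the
    # elements be written as prefixes or ranges. The placeholders below are
    # not valid nft syntax and must be replaced before loading.
    set ssh_allow_v4 {
        type ipv4_addr
        flags interval
        elements = {
            <my trusted ip list>
        }
    }

    set ssh_allow_v6 {
        type ipv6_addr
        flags interval
        elements = {
            <my trusted ipv6 list>
        }
    }

    # Site-specific objects (extra sets, maps) pulled in at table scope.
    include "/etc/nftables.d/filter-global-*.conf";

    chain input {
        type filter hook input priority filter; policy drop;

        # Drop conntrack-invalid packets (stray RST/ACK, out-of-window
        # segments, malformed headers) before any of the stateless accepts
        # below gets a chance to match them.
        ct state invalid counter drop;

        # iifname is used instead of iif so this block and the output chain
        # match interfaces the same way (by name).
        iifname "lo" counter accept;
        # Anti-spoofing: loopback-destined traffic may only arrive on lo.
        # Prefix written with host bits cleared (127.0.0.0/8, not 127.0.0.1/8).
        iifname != "lo" ip daddr 127.0.0.0/8 counter drop;
        iifname != "lo" ip6 daddr ::1/128 counter drop;

        ip protocol icmp counter accept;
        # meta l4proto walks the IPv6 extension-header chain; ip6 nexthdr only
        # inspects the first next-header, so ICMPv6 carried behind a
        # hop-by-hop options header (e.g. MLD) would not match it.
        meta l4proto icmpv6 counter accept;

        ip saddr @ssh_allow_v4 tcp dport 22 counter accept;
        ip6 saddr @ssh_allow_v6 tcp dport 22 counter accept;

        include "/etc/nftables.d/filter-input-*.conf";

        # Deliberately last, so the specific rules above keep their own counters.
        ct state {established, related} counter accept;
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state invalid counter drop;

        include "/etc/nftables.d/filter-forward-*.conf";

        ct state {established, related} counter accept;
    }

    chain output {
        type filter hook output priority filter; policy drop;

        oifname "lo" counter accept;
        # Mirror of the input anti-spoofing rules. The original matched
        # oifname "lo" here, which the accept above had already consumed, so
        # these two rules could never fire; they now match non-lo egress.
        oifname != "lo" ip daddr 127.0.0.0/8 counter drop;
        oifname != "lo" ip6 daddr ::1/128 counter drop;

        ip protocol icmp counter accept;
        meta l4proto icmpv6 counter accept;

        # DNS, NTP, HTTP/HTTPS.
        meta l4proto { tcp, udp } th dport 53 counter accept;
        udp dport 123 counter accept;
        tcp dport {80, 443} counter accept;

        # Any destination port in the unprivileged range. Note this makes
        # egress filtering permissive: only privileged ports other than the
        # ones listed above are actually blocked.
        meta l4proto { tcp, udp } th dport 1024-65535 counter accept;

        include "/etc/nftables.d/filter-output-*.conf";

        ct state {established, related} counter accept;
    }
}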