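#!/usr/bin/nft -f
# vim:set ts=2 sw=2 et:
#
# Host firewall for a non-routing machine: default-deny on the input, output
# and forward hooks. Inbound, only loopback, conntrack established/related,
# ICMP and new SSH connections are admitted; outbound, any new connection is
# allowed; nothing is forwarded.

# `flush ruleset` removes every table of every family, not only this one, so
# loading this file replaces the entire live ruleset atomically.
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority filter; policy drop;

    # Anything arriving on the loopback interface is trusted.
    iif lo counter accept comment "accept any localhost traffic"

    # Replies to connections conntrack already knows about.
    ct state { established, related } counter accept comment "accept established,related"
    # Packets conntrack cannot associate with any flow.
    ct state invalid counter drop comment "drop invalid"
    # Both ICMP families are accepted; the inet table sees IPv4 and IPv6.
    meta l4proto { icmp, ipv6-icmp } counter accept comment "accept ICMP"

    # The only inbound service exposed. Only connection-opening packets need
    # this rule; the rest of the flow matches established/related above.
    tcp dport ssh ct state { new } counter accept comment "accept new SSH connections"

    # Final rule: count what falls through to the chain's drop policy.
    counter comment "count any other dropped traffic"
  }

  chain output {
    type filter hook output priority filter; policy drop;

    # Locally generated packets have no input interface, so `iif lo` can never
    # match on the output hook; loopback traffic must be matched by its
    # outgoing interface here.
    oif lo counter accept comment "accept any localhost traffic"

    ct state { established, related } counter accept comment "accept established,related"
    ct state invalid counter drop comment "drop invalid"
    meta l4proto { icmp, ipv6-icmp } counter accept comment "accept ICMP"

    # Every connection this host initiates is permitted.
    ct state new counter accept comment "accept new outbound connections"

    # Final rule: count what falls through to the chain's drop policy.
    counter comment "count any other dropped traffic"
  }

  chain forward {
    type filter hook forward priority filter; policy drop;

    # Drop everything forwarded to us. This device is not a router and does not forward.
    # No accept rules at all: the policy drop applies to every forwarded packet.
    counter comment "count dropped traffic"
  }
}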