Difference between revisions of "Simple ruleset for a server"
Jump to navigation
Jump to search
(add comment regarding ICMPv6 (per Thomas Landauer)) |
(→nftables.conf: missing closing curly brace) |
||
| (5 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
Here's a very basic example | Here's a very basic example for a web server, you can load the ruleset file with ''nft -f''. | ||
= nftables.conf = | = nftables.conf = | ||
< | <syntaxhighlight lang="bash"> | ||
# | flush ruleset | ||
table inet firewall { | |||
chain inbound_ipv4 { | |||
# accepting ping (icmp-echo-request) for diagnostic purposes. | |||
# However, it also lets probes discover this host is alive. | |||
# This sample accepts them within a certain rate limit: | |||
# | |||
# icmp type echo-request limit rate 5/second accept | |||
} | |||
chain inbound_ipv6 { | |||
# accept neighbour discovery otherwise connectivity breaks | |||
# | # | ||
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept | |||
# accepting ping (icmpv6-echo-request) for diagnostic purposes. | |||
# However, it also lets probes discover this host is alive. | |||
# This sample accepts them within a certain rate limit: | |||
# | |||
# icmpv6 type echo-request limit rate 5/second accept | |||
} | |||
chain inbound { | chain inbound { | ||
# By default, drop all traffic unless it meets a filter | |||
# criteria specified by the rules that follow below. | |||
type filter hook input priority 0; policy drop; | type filter hook input priority 0; policy drop; | ||
# Allow traffic from established and related packets | # Allow traffic from established and related packets, drop invalid | ||
ct state established,related accept | ct state vmap { established : accept, related : accept, invalid : drop } | ||
# Allow loopback traffic. | # Allow loopback traffic. | ||
iifname lo accept | iifname lo accept | ||
# | # Jump to chain according to layer 3 protocol using a verdict map | ||
meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 } | |||
ip | |||
# Allow HTTP(S) | # Allow SSH on port TCP/22 and allow HTTP(S) TCP/80 and TCP/443 | ||
# | # for IPv4 and IPv6. | ||
tcp dport { | tcp dport { 22, 80, 443} accept | ||
# Uncomment to enable logging of denied inbound traffic | # Uncomment to enable logging of denied inbound traffic | ||
# log prefix "[nftables] Inbound Denied: " | # log prefix "[nftables] Inbound Denied: " counter drop | ||
} | |||
} | |||
chain forward { | |||
chain forward { | # Drop everything (assumes this device is not a router) | ||
type filter hook forward priority 0; policy drop; | |||
# Drop everything (assumes this device is not a router) | } | ||
type filter hook forward priority 0; policy drop; | |||
# no need to define output chain, default policy is accept if undefined. | |||
} | |||
} | } | ||
</ | </syntaxhighlight> | ||
Latest revision as of 19:34, 31 January 2022
Here's a very basic example for a web server, you can load the ruleset file with nft -f.
nftables.conf
flush ruleset
table inet firewall {
chain inbound_ipv4 {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second accept
}
chain inbound_ipv6 {
# accept neighbour discovery otherwise connectivity breaks
#
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
# accepting ping (icmpv6-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmpv6 type echo-request limit rate 5/second accept
}
chain inbound {
# By default, drop all traffic unless it meets a filter
# criteria specified by the rules that follow below.
type filter hook input priority 0; policy drop;
# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }
# Allow loopback traffic.
iifname lo accept
# Jump to chain according to layer 3 protocol using a verdict map
meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
# Allow SSH on port TCP/22 and allow HTTP(S) TCP/80 and TCP/443
# for IPv4 and IPv6.
tcp dport { 22, 80, 443} accept
# Uncomment to enable logging of denied inbound traffic
# log prefix "[nftables] Inbound Denied: " counter drop
}
chain forward {
# Drop everything (assumes this device is not a router)
type filter hook forward priority 0; policy drop;
}
# no need to define output chain, default policy is accept if undefined.
}