Difference between revisions of "Simple ruleset for a workstation"

From nftables wiki
Jump to navigation Jump to search
(→‎fw.basic: von https://github.com/QueuingKoala/netfilter-samples/)
Line 12: Line 12:
           iif lo accept
           iif lo accept


           # Accepting ping (icmp-echo-request) can be nice for diagnostic purposes.
           # accepting ping (icmp-echo-request) can be nice for diagnostic purposes.
           # However, it also lets probes discover this host is alive.
           # However, it also lets probes discover this host is alive.
           # This sample accepts them within a certain rate limit:
           # This sample accepts them within a certain rate limit:
          #
           # icmp type echo-request limit rate 5/second packets accept
           # icmp type echo-request limit rate 5/second packets accept
          # examples for opening service-specific ports:
          # ct state new tcp dport 22 accept
          # ct state new tcp dport { 80,443 } accept


           # count and drop any other traffic
           # count and drop any other traffic

Revision as of 05:41, 11 August 2021

fw.basic

table ip filter {
     chain input {
          type filter hook input priority 0;

          # accept traffic originated from us
          ct state established,related accept

          # accept any localhost traffic
          iif lo accept

          # accepting ping (icmp-echo-request) can be nice for diagnostic purposes.
          # However, it also lets probes discover this host is alive.
          # This sample accepts them within a certain rate limit:
          #
          # icmp type echo-request limit rate 5/second packets accept

          # examples for opening service-specific ports:
          # ct state new tcp dport 22 accept
          # ct state new tcp dport { 80,443 } accept

          # count and drop any other traffic
          counter drop
     }
}

fw6.basic

table ip6 filter {
        chain input {
                 type filter hook input priority 0;

                 # accept any localhost traffic
                 iif lo accept

                 # accept traffic originated from us
                 ct state established,related accept

                 # accept neighbour discovery otherwise connectivity breaks
                 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

                 # count and drop any other traffic
                 counter drop
        }
}

fw.inet.basic

The inet table is available from Linux kernel 3.14 and allow to use a dual-stack IPv4/IPv6 table. There is mostly a single change compared to previous ruleset which is the inet keyword.

table inet filter {
        chain input {
                 type filter hook input priority 0;

                 # accept any localhost traffic
                 iif lo accept

                 # accept traffic originated from us
                 ct state established,related accept

                 # accept neighbour discovery otherwise connectivity breaks
                 ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

                 # count and drop any other traffic
                 counter drop
        }
}