46 lines
928 B
Plaintext
Executable File
46 lines
928 B
Plaintext
Executable File
#!/usr/sbin/nft -f
|
|
|
|
flush ruleset
|
|
|
|
table inet filter {
|
|
chain input {
|
|
type filter hook input priority 0;
|
|
|
|
ct state invalid drop
|
|
ct state { established, related } accept
|
|
|
|
# Accept loopback
|
|
iif lo accept
|
|
|
|
# Accept ICMP
|
|
ip protocol icmp accept
|
|
ip6 nexthdr icmpv6 accept
|
|
|
|
# Accept incoming connections to these ports
|
|
tcp dport { ssh } accept
|
|
|
|
reject
|
|
}
|
|
chain forward {
|
|
type filter hook forward priority 0;
|
|
reject
|
|
}
|
|
chain output {
|
|
type filter hook output priority 0;
|
|
|
|
ct state invalid drop
|
|
ct state { established, related } accept
|
|
|
|
# Accept loopback
|
|
oif lo accept
|
|
|
|
# Accept outgoing connections to these addresses
|
|
ip daddr { 10.0.0.1-10.0.0.9 } accept
|
|
|
|
# Accept any connections by root user
|
|
#meta skuid root accept
|
|
|
|
reject
|
|
}
|
|
}
|