soios/contestops/config-nftables.conf


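#!/usr/sbin/nft -f
# Host firewall: default-deny in every direction (input, forward, output)
# with a small explicit allow-list per chain.
# NOTE: `flush ruleset` removes every table of every family, not just this
# one, so any rules loaded by other tooling on the host are discarded too;
# this file is written as the single source of nftables rules.
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
        # Packets conntrack cannot classify are dropped silently
        ct state invalid drop
        # Replies to connections this host opened
        ct state { established, related } accept
        # Accept loopback
        iif lo accept
        # Accept ICMP (v4) and ICMPv6. ICMPv6 also carries neighbour discovery
        # and router advertisements, which IPv6 needs to function at all.
        # (`ip6 nexthdr` only matches when no extension header precedes the
        # ICMPv6 header; `meta l4proto ipv6-icmp` would also cover that case.)
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # Accept incoming connections to these ports
        tcp dport { ssh } accept
        # Everything else is refused with an ICMP error (not silently dropped)
        reject
    }
    chain forward {
        type filter hook forward priority 0;
        # This host does not forward traffic for anyone
        reject
    }
    chain output {
        type filter hook output priority 0;
        ct state invalid drop
        ct state { established, related } accept
        # Accept loopback
        oif lo accept
        # Neighbour discovery (neighbour/router solicitation) is not tracked by
        # conntrack, so it never matches `established`; without this rule the
        # host cannot resolve its IPv6 next hop and the ip6 daddr rules below
        # can never complete a connection. Mirrors the input-chain rule.
        ip6 nexthdr icmpv6 accept
        # Accept outgoing connections to these addresses.
        # No outgoing DNS is permitted, so peers are given as literal addresses.
        ip daddr { 89.58.34.6 } tcp dport { https } accept
        ip daddr { 89.58.34.6 } udp dport { ntp } accept
        ip6 daddr { 2a03:4000:64:8::1 } tcp dport { https } accept
        ip6 daddr { 2a03:4000:64:8::1 } udp dport { ntp } accept
        # Accept any connections by root user
        #meta skuid root accept
        reject
    }
}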