Previously, the ssh connection got stuck when first loading the nftables ruleset. I now found the reason for this: conntrack was not active before loading the ruleset, so there was no conntrack entry for the ssh connection. This means the traffic was not matched by 'ct state established', and the other output rules did not allow the traffic. To fix this, we can load a ruleset at boot which uses conntrack; this ensures that conntrack is already enabled when loading the actual ruleset over ssh.
19 lines
471 B
Text
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter;
        # Add a rule which references conntrack, to make sure that conntrack is
        # already enabled when we activate a restrictive ruleset.
        ct state { established, related } accept
    }
    chain forward {
        type filter hook forward priority filter;
    }
    chain output {
        type filter hook output priority filter;
        ct state { established, related } accept
    }
}
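As an added example (not part of this commit), the procedure the message describes, carried out from a live ssh session: load the conntrack-only bootstrap ruleset above, confirm the ssh session now has a conntrack entry so that `ct state established` can match it, and only then load the restrictive ruleset behind a timed rollback. The file paths, ssh port, rollback timeout and the two conntrack listing formats it parses are assumptions.

```shell
#!/bin/sh
# Added example, not part of the commit: apply a restrictive nftables ruleset
# over ssh without losing the session. Paths, port and timeout are assumptions.
set -eu

BOOTSTRAP_RULESET="${BOOTSTRAP_RULESET:-/etc/nftables-bootstrap.conf}"  # the conntrack-only ruleset
FINAL_RULESET="${FINAL_RULESET:-/etc/nftables.conf}"                     # the restrictive ruleset
SSH_PORT="${SSH_PORT:-22}"
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"

# Return 0 if the conntrack listing in $1 (format of /proc/net/nf_conntrack or
# 'conntrack -L') has an ESTABLISHED TCP entry whose original-direction dport
# is $2. Only such an entry lets 'ct state established' match the ssh session.
ssh_tracked() {
    printf '%s\n' "$1" | grep -Eq \
        "^(ipv[46] +[0-9]+ +)?tcp +6 +[0-9]+ +ESTABLISHED src=[^ ]+ dst=[^ ]+ sport=[0-9]+ dport=$2 "
}

# Constructed sample entries (RFC 5737 addresses) for checking ssh_tracked offline.
SAMPLE_SSH='ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=192.0.2.20 sport=51234 dport=22 src=192.0.2.20 dst=192.0.2.10 sport=22 dport=51234 [ASSURED] mark=0 zone=0 use=2'
SAMPLE_DNS='ipv4     2 udp      17 29 src=192.0.2.20 dst=192.0.2.53 sport=40000 dport=53 src=192.0.2.53 dst=192.0.2.20 sport=53 dport=40000 mark=0 zone=0 use=2'

# Current conntrack table; the procfs view needs nf_conntrack loaded.
conntrack_table() {
    cat /proc/net/nf_conntrack 2>/dev/null || conntrack -L 2>/dev/null
}

apply_safely() {
    # 1. Permissive ruleset that references 'ct state': loading it is what
    #    turns conntrack on, so the ssh session gets an entry on its next packet.
    nft -f "$BOOTSTRAP_RULESET"
    # 2. Wait for that entry; the dots we print are ssh traffic that creates it.
    for i in 1 2 3 4 5; do
        ssh_tracked "$(conntrack_table)" "$SSH_PORT" && break
        printf '.'; sleep 1
    done
    ssh_tracked "$(conntrack_table)" "$SSH_PORT" || {
        echo "ssh session still untracked; not loading $FINAL_RULESET" >&2; return 1; }
    # 3. Arm a rollback to the permissive ruleset (kept alive through the HUP a
    #    dropped ssh session would send), then load the restrictive ruleset.
    ( trap '' HUP; sleep "$ROLLBACK_SECS"; nft -f "$BOOTSTRAP_RULESET" ) >/dev/null 2>&1 &
    nft -f "$FINAL_RULESET"
    echo "loaded $FINAL_RULESET; run 'kill $!' within ${ROLLBACK_SECS}s to keep it"
}

if [ "${1:-}" = "--apply" ]; then apply_safely; fi
```

Run as root with `--apply`; without the flag the script only defines the functions, so the conntrack check can be exercised on the sample entries.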