|
 |
f1d1c0 |
# Sample configuration for nftables service.
|
|
|
f1d1c0 |
# Load this by calling 'nft -f /etc/nftables/main.nft'.
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
# Note about base chain priorities:
|
|
|
f1d1c0 |
# The priority values used in these sample configs are
|
|
|
f1d1c0 |
# offset by 20 in order to avoid ambiguity when firewalld
|
|
|
f1d1c0 |
# is also running which uses an offset of 10. This means
|
|
|
f1d1c0 |
# that packets will traverse firewalld first and if not
|
|
|
f1d1c0 |
# dropped/rejected there will hit the chains defined here.
|
|
|
f1d1c0 |
# Chains created by iptables, ebtables and arptables tools
|
|
|
f1d1c0 |
# do not use an offset, so those chains are traversed first
|
|
|
f1d1c0 |
# in any case.
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
# drop any existing nftables ruleset
|
|
|
f1d1c0 |
flush ruleset
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
# a common table for both IPv4 and IPv6
|
|
|
f1d1c0 |
table inet nftables_svc {
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
# protocols to allow
|
|
|
f1d1c0 |
set allowed_protocols {
|
|
|
f1d1c0 |
type inet_proto
|
|
|
f1d1c0 |
elements = { icmp, icmpv6 }
|
|
|
f1d1c0 |
}
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
# interfaces to accept any traffic on
|
|
|
f1d1c0 |
set allowed_interfaces {
|
|
|
f1d1c0 |
type ifname
|
|
|
f1d1c0 |
elements = { "lo" }
|
|
|
f1d1c0 |
}
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
# services to allow
|
|
|
f1d1c0 |
set allowed_tcp_dports {
|
|
|
f1d1c0 |
type inet_service
|
|
|
f1d1c0 |
elements = { ssh, 9090 }
|
|
|
f1d1c0 |
}
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
# this chain gathers all accept conditions
|
|
|
f1d1c0 |
chain allow {
|
|
|
f1d1c0 |
ct state established,related accept
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
meta l4proto @allowed_protocols accept
|
|
|
f1d1c0 |
iifname @allowed_interfaces accept
|
|
|
f1d1c0 |
tcp dport @allowed_tcp_dports accept
|
|
|
f1d1c0 |
}
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
# base-chain for traffic to this host
|
|
|
f1d1c0 |
chain INPUT {
|
|
|
f1d1c0 |
type filter hook input priority filter + 20
|
|
|
f1d1c0 |
policy accept
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
jump allow
|
|
|
f1d1c0 |
reject with icmpx type port-unreachable
|
|
|
f1d1c0 |
}
|
|
|
f1d1c0 |
}
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
# By default, any forwarding traffic is allowed.
|
|
|
f1d1c0 |
# Uncomment the following line to filter it based
|
|
|
f1d1c0 |
# on the same criteria as input traffic.
|
|
|
f1d1c0 |
#include "/etc/nftables/router.nft"
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
# Uncomment the following line to enable masquerading of
|
|
|
f1d1c0 |
# forwarded traffic. May be used with or without router.nft.
|
|
|
f1d1c0 |
#include "/etc/nftables/nat.nft"
|