-
Notifications
You must be signed in to change notification settings - Fork 7
/
nftables.conf
117 lines (95 loc) · 4.16 KB
/
nftables.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
#!/usr/bin/nft -f
flush ruleset
# ==============================================================================
# constants {{{
# pings to accept (IPv4)
define ICMP_TYPES = {
destination-unreachable,
echo-reply,
echo-request,
parameter-problem,
router-advertisement,
router-solicitation,
time-exceeded
}
# pings to accept (IPv6)
define ICMPV6_TYPES = {
destination-unreachable,
echo-reply,
echo-request,
mld-listener-query,
mld-listener-reduction,
mld-listener-report,
mld2-listener-report,
packet-too-big,
parameter-problem,
time-exceeded
}
# pings to accept with hop limits (IPv6)
# see: https://www.ietf.org/rfc/rfc4890.txt
define ICMPV6_TYPES_LIMIT = {
ind-neighbor-advert,
ind-neighbor-solicit,
nd-neighbor-advert,
nd-neighbor-solicit,
nd-router-advert,
nd-router-solicit
}
# primary internet-connected interface, needed on WireGuard VPN server
define INET_INTERFACE = enp0s3
# WireGuard interface, needed on WireGuard VPN server
define WIREGUARD_INTERFACE = wg0
# WireGuard port, needed on WireGuard VPN server
define WIREGUARD_PORT = 51820
# end constants }}}
# ==============================================================================
table inet filter {
chain base-checks {
# drop invalid connections early
ct state invalid counter log level info prefix "nft#inet#filter#base-checks (drop invalid packets): " drop
# allow established/related connections
ct state {established, related} counter log level info prefix "nft#inet#filter#base-checks (accept all connections related to connections made by us): " accept
}
chain input {
type filter hook input priority 0; policy drop;
# use jump to continue processing after the base checks
jump base-checks
# allow from loopback
iifname lo log level info prefix "nft#inet#filter#input (accept loopback): " accept
iifname != lo ip daddr 127.0.0.1/8 counter log level info prefix "nft#inet#filter#input (drop connections to loopback not coming from loopback): " drop
iifname != lo ip6 daddr ::1/128 counter log level info prefix "nft#inet#filter#input (drop connections to loopback not coming from loopback): " drop
# mitigate ping floods
ip protocol icmp icmp type {echo-reply, echo-request} limit rate over 7/second burst 4 packets drop
ip6 nexthdr icmpv6 icmpv6 type {echo-reply, echo-request} limit rate over 7/second burst 4 packets drop
# allow ICMP and IGMP
ip protocol icmp icmp type $ICMP_TYPES counter log level info prefix "nft#inet#filter#input (accept icmp): " accept
ip6 nexthdr icmpv6 icmpv6 type $ICMPV6_TYPES counter log level info prefix "nft#inet#filter#input (accept icmpv6): " accept
ip6 nexthdr icmpv6 ip6 hoplimit 1 icmpv6 type $ICMPV6_TYPES_LIMIT counter log level info prefix "nft#inet#filter#input (accept icmpv6 with hop limits): " accept
ip6 nexthdr icmpv6 ip6 hoplimit 255 icmpv6 type $ICMPV6_TYPES_LIMIT counter log level info prefix "nft#inet#filter#input (accept icmpv6 with hop limits): " accept
ip protocol igmp counter log level info prefix "nft#inet#filter#input (accept igmp): " accept
# allow SSH, mitigate brute force login attempts
tcp dport ssh ct state new limit rate 7/minute counter log level info prefix "nft#inet#filter#input (accept ssh): " accept
# everything else
include "/etc/nftables/includes/table/inet/filter/input/*.nft"
ip protocol tcp reject with tcp reset
ip protocol udp reject
reject with icmpx type port-unreachable
counter comment "count dropped packets"
counter log level info prefix "nft#inet#filter#input: "
}
chain forward {
type filter hook forward priority 0; policy drop;
jump base-checks
include "/etc/nftables/includes/table/inet/filter/forward/*.nft"
counter comment "count dropped packets"
counter log level info prefix "nft#inet#filter#forward: "
}
chain output {
type filter hook output priority 0; policy accept;
include "/etc/nftables/includes/table/inet/filter/output/*.nft"
counter comment "count accepted packets"
counter log level info prefix "nft#inet#filter#output: "
}
}
include "/etc/nftables/includes/table/*.nft"
# vim: set filetype=conf foldmethod=marker foldlevel=0 nowrap: