-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathnftables.conf
75 lines (65 loc) · 3.37 KB
/
nftables.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
#!/usr/sbin/nft -f
#By krabelize | cryptsus.com
#nftables firewall script
define NIC_DATA_NAME = "eth0"
define NIC_DATA_MAC_GW = "DE:AD:BE:EF:01:01"
define NIC_DATA_IP = "192.168.1.12"
define LOCAL_INETW = { 192.168.0.0/16 }
define LOCAL_INETWv6 = { fe80::/10 }
define DNS_SERVERS = { 1.1.1.1, 8.8.8.8 }
#define NTP_SERVERS = { time1.google.com, time2.google.com, time3.google.com, time4.google.com }
define NTP_SERVERS = {216.239.35.0, 216.239.35.4, 216.239.35.8, 216.239.35.12 }
define DHCP_SERVER = "192.168.1.1"
flush ruleset
table arp filter {
chain input {
type filter hook input priority 0; policy accept;
iif $NIC_DATA_NAME limit rate 1/second burst 2 packets accept
}
chain output {
type filter hook output priority 0; policy accept;
}
}
table ip filter {
chain input {
type filter hook input priority 0; policy drop;
ct state invalid drop
iifname "lo" accept
iifname "lo" ip saddr != 127.0.0.0/8 drop
iifname $NIC_DATA_NAME ip saddr 0.0.0.0/0 ip daddr $NIC_DATA_IP tcp sport { ssh, http, https, http-alt } tcp dport 32768-65535 ct state established accept
iifname $NIC_DATA_NAME ip saddr $NTP_SERVERS ip daddr $NIC_DATA_IP udp sport ntp udp dport 32768-65535 ct state established accept
iifname $NIC_DATA_NAME ip saddr $DHCP_SERVER ip daddr $NIC_DATA_IP udp sport bootpc udp dport 32768-65535 ct state established log accept
iifname $NIC_DATA_NAME ip saddr $DNS_SERVERS ip daddr $NIC_DATA_IP udp sport domain udp dport 32768-65535 ct state established accept
iifname $NIC_DATA_NAME ip saddr $LOCAL_INETW ip daddr $NIC_DATA_IP icmp type echo-reply ct state established accept
}
chain output {
type filter hook output priority 0; policy drop;
oifname "lo" accept
oifname "lo" ip daddr != 127.0.0.0/8 drop
oifname $NIC_DATA_NAME ip daddr 0.0.0.0/0 ip saddr $NIC_DATA_IP tcp dport { ssh, http, https, http-alt } tcp sport 32768-65535 ct state new,established accept
oifname $NIC_DATA_NAME ip daddr $NTP_SERVERS ip saddr $NIC_DATA_IP udp dport ntp udp sport 32768-65535 ct state new,established accept
oifname $NIC_DATA_NAME ip daddr $DHCP_SERVER ip saddr $NIC_DATA_IP udp dport bootpc udp sport 32768-65535 ct state new,established log accept
oifname $NIC_DATA_NAME ip daddr $DNS_SERVERS ip saddr $NIC_DATA_IP udp dport domain udp sport 32768-65535 ct state new,established accept
oifname $NIC_DATA_NAME ip daddr $LOCAL_INETW ip saddr $NIC_DATA_IP icmp type echo-request ct state new,established accept
}
chain forward {
type filter hook forward priority 0; policy drop;
}
}
table ip6 filter {
chain input {
type filter hook input priority 0; policy drop;
iifname "lo" accept
iifname "lo" ip6 saddr != ::1/128 drop
iifname $NIC_DATA_NAME ip6 saddr $LOCAL_INETWv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ct state established accept
}
chain output {
type filter hook output priority 0; policy drop;
oifname "lo" accept
oifname "lo" ip6 daddr != ::1/128 drop
oifname $NIC_DATA_NAME ip6 daddr $LOCAL_INETWv6 icmpv6 type echo-request ct state new,established accept
}
chain forward {
type filter hook forward priority 0; policy drop;
}
}