| 192 |
- |
1 |
# Sample configuration for nftables service.
|
|
|
2 |
# Load this by calling 'nft -f /etc/nftables/main.nft'.
|
|
|
3 |
|
|
|
4 |
# Note about base chain priorities:
|
|
|
5 |
# The priority values used in these sample configs are
|
|
|
6 |
# offset by 20 in order to avoid ambiguity when firewalld
|
|
|
7 |
# is also running which uses an offset of 10. This means
|
|
|
8 |
# that packets will traverse firewalld first and if not
|
|
|
9 |
# dropped/rejected there will hit the chains defined here.
|
|
|
10 |
# Chains created by iptables, ebtables and arptables tools
|
|
|
11 |
# do not use an offset, so those chains are traversed first
|
|
|
12 |
# in any case.
|
|
|
13 |
|
|
|
14 |
# drop any existing nftables ruleset
|
|
|
15 |
flush ruleset
|
|
|
16 |
|
|
|
17 |
# a common table for both IPv4 and IPv6
|
|
|
18 |
table inet nftables_svc {
|
|
|
19 |
|
|
|
20 |
# protocols to allow
|
|
|
21 |
set allowed_protocols {
|
|
|
22 |
type inet_proto
|
|
|
23 |
elements = { icmp, icmpv6 }
|
|
|
24 |
}
|
|
|
25 |
|
|
|
26 |
# interfaces to accept any traffic on
|
|
|
27 |
set allowed_interfaces {
|
|
|
28 |
type ifname
|
|
|
29 |
elements = { "lo" }
|
|
|
30 |
}
|
|
|
31 |
|
|
|
32 |
# services to allow
|
|
|
33 |
set allowed_tcp_dports {
|
|
|
34 |
type inet_service
|
|
|
35 |
elements = { ssh, 9090 }
|
|
|
36 |
}
|
|
|
37 |
|
|
|
38 |
# this chain gathers all accept conditions
|
|
|
39 |
chain allow {
|
|
|
40 |
ct state established,related accept
|
|
|
41 |
|
|
|
42 |
meta l4proto @allowed_protocols accept
|
|
|
43 |
iifname @allowed_interfaces accept
|
|
|
44 |
tcp dport @allowed_tcp_dports accept
|
|
|
45 |
}
|
|
|
46 |
|
|
|
47 |
# base-chain for traffic to this host
|
|
|
48 |
chain INPUT {
|
|
|
49 |
type filter hook input priority filter + 20
|
|
|
50 |
policy accept
|
|
|
51 |
|
|
|
52 |
jump allow
|
|
|
53 |
reject with icmpx type port-unreachable
|
|
|
54 |
}
|
|
|
55 |
}
|
|
|
56 |
|
|
|
57 |
# By default, any forwarding traffic is allowed.
|
|
|
58 |
# Uncomment the following line to filter it based
|
|
|
59 |
# on the same criteria as input traffic.
|
|
|
60 |
#include "/etc/nftables/router.nft"
|
|
|
61 |
|
|
|
62 |
# Uncomment the following line to enable masquerading of
|
|
|
63 |
# forwarded traffic. May be used with or without router.nft.
|
|
|
64 |
#include "/etc/nftables/nat.nft"
|