#!/usr/bin/nft -f
# Example of /etc/nftables.conf content for a server
#
# Reference table:
# https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes
flush ruleset
table inet filter {
set SSH_IPv4_clients {
type ipv4_addr
elements = { 192.168.0.1 }
}
set SSH_IPv6_clients {
type ipv6_addr
elements = { fe80::1 }
}
chain input {
type filter hook input priority 0; policy accept;
rt type 0 counter drop comment "disable processing of any RH0 packet to prevent ping-pong"
iifname "lo" accept comment "trust local loopback"
ct state { established, related} counter accept comment "accept established connections"
ct state invalid counter drop comment "drop invalid connections"
ip protocol icmp icmp type 0 icmp code 0 counter accept comment "accept ICMPv4 echo reply"
ip protocol icmp icmp type 3 counter accept comment "accept ICMPv4 dest unreachable"
ip protocol icmp icmp type 8 icmp code 0 counter accept comment "accept ICMPv4 echo request"
ip protocol icmp icmp type 11 counter accept comment "accept ICMPv4 time exceeded"
ip protocol icmp icmp type 12 counter accept comment "accept ICMPv4 parameter problem"
ip6 nexthdr ipv6-icmp icmpv6 type 1 counter accept comment "accept ICMPv6 dest unreachable"
ip6 nexthdr ipv6-icmp icmpv6 type 2 counter accept comment "accept ICMPv6 packet too big"
ip6 nexthdr ipv6-icmp icmpv6 type 3 counter accept comment "accept ICMPv6 time exceeded"
ip6 nexthdr ipv6-icmp icmpv6 type 4 counter accept comment "accept ICMPv6 parameter problem"
ip6 nexthdr ipv6-icmp icmpv6 type 128 icmpv6 code 0 counter accept comment "accept ICMPv6 echo request"
ip6 nexthdr ipv6-icmp icmpv6 type 129 icmpv6 code 0 counter accept comment "accept ICMPv6 echo reply"
ip6 nexthdr ipv6-icmp icmpv6 type 133 icmpv6 code 0 counter accept comment "accept ICMPv6 router solicitation"
ip6 nexthdr ipv6-icmp icmpv6 type 134 icmpv6 code 0 counter accept comment "accept ICMPv6 router advertisement"
ip6 nexthdr ipv6-icmp icmpv6 type 135 icmpv6 code 0 counter accept comment "accept ICMPv6 neighbor solicitation"
ip6 nexthdr ipv6-icmp icmpv6 type 136 icmpv6 code 0 counter accept comment "accept ICMPv6 neighbor advertisement"
#tcp dport 22 counter accept comment "accept SSH"
ip saddr @SSH_IPv4_clients tcp dport 22 counter accept comment "accept SSH from trusted IPv4 clients"
ip6 saddr @SSH_IPv6_clients tcp dport 22 counter accept comment "accept SSH from trusted IPv6 clients"
tcp dport { 80, 443} counter accept comment "accept HTTP and HTTPS"
#tcp dport { 25, 143, 587, 993} counter accept comment "accept SMTP, IMAP, SMTPS, IMAPS"
udp sport 123 udp dport 123 counter accept comment "accept NTP"
tcp dport { 139, 445} counter drop comment "silently drop NetBios"
udp dport { 137, 138} counter drop comment "silently drop NetBios"
meta pkttype broadcast counter drop comment "silently drop unsollicited broadcast"
meta pkttype multicast counter drop comment "silently drop unsollicited multicast"
ip daddr 255.255.255.255/32 counter drop comment "really drop unsollicited IPv4 broadcast"
# Log to NetFilter, so that logs don't fills up and debugging is quick
#limit rate 1/second log prefix "[IN DROP] " comment "log to kernel logs"
counter limit rate 10/second log prefix "[IN DROP] " group 0 comment "log to NFLOG"
ip protocol tcp counter reject with tcp reset comment "reject IPv4 TCP input with TCP RST"
ip6 nexthdr tcp counter reject with tcp reset comment "reject IPv6 TCP input with TCP RST"
ip protocol udp counter reject with icmp type port-unreachable comment "reject IPv4 UDP input with ICMP port unreachable"
ip6 nexthdr udp counter reject with icmpv6 type port-unreachable comment "reject IPv6 UDP input with ICMPv6 port unreachable"
ip protocol icmp counter drop comment "drop IPv4 ICMP input"
ip6 nexthdr icmpv6 counter drop comment "drop IPv6 ICMPv6 input"
counter reject with icmp type prot-unreachable comment "reject unknown IPv4 protocol with ICMP protocol unreachable"
counter reject with icmpx type port-unreachable comment "reject everything remaining with ICMP port unreachable"
}
chain prerouting {
type filter hook prerouting priority 0; policy accept;
# Requires Linux >= 4.10 and nft >= 0.7
fib saddr . iif oif eq 0 counter drop comment "implement Reverse Path filtering"
}
chain forward {
type filter hook forward priority 0; policy drop;
rt type 0 counter drop comment "disable processing of any RH0 packet to prevent ping-pong"
drop
}
chain output {
type filter hook output priority 0; policy accept;
rt type 0 counter drop comment "disable processing of any RH0 packet to prevent ping-pong"
oifname "lo" accept comment "trust local loopback"
ip protocol icmp counter accept comment "accept sending ICMPv4"
ip6 nexthdr ipv6-icmp counter accept comment "accept sending ICMPv6"
tcp flags rst counter accept comment "accept sending TCP RST"
tcp flags & (fin|ack) == fin|ack counter accept comment "accept sending TCP FIN+ACK"
ip daddr 255.255.255.255/32 counter drop comment "do not emit IPv4 broadcast"
ct state invalid counter drop comment "drop invalid connections"
tcp sport { 1024-65535} counter accept comment "accept TCP client"
udp sport { 1024-65535} counter accept comment "accept UDP client"
tcp sport 22 counter accept comment "accept SSH"
tcp sport { 80, 443} counter accept comment "accept HTTP and HTTPS"
#tcp sport { 25, 143, 587, 993} counter accept comment "accept SMTP, IMAP, SMTPS, IMAPS"
udp sport 123 udp dport 123 counter accept comment "accept NTP"
counter limit rate 10/second log prefix "[OUT DROP] " group 0 comment "log to NFLOG"
counter reject
}
}
