bundlewrap/bundles/nftables/files/nftables.conf
Franziska Kunsmann 0101e0c92d
All checks were successful
kunsi/bundlewrap/pipeline/pr-main This commit looks good
kunsi/bundlewrap/pipeline/head This commit looks good
bundles/nftables: store rules in dedicated files instead of nftables.conf
2021-12-14 15:27:30 +01:00

47 lines
922 B
Text

#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0
policy drop
tcp flags syn tcp option maxseg size 1-500 drop
ct state { established, related } accept
ct state invalid drop
iif lo accept
icmp type timestamp-request drop
icmp type timestamp-reply drop
ip protocol icmp accept
ip6 nexthdr ipv6-icmp accept
}
chain output {
type filter hook output priority 0
policy accept
}
chain forward {
type filter hook forward priority 0
policy drop
icmp type timestamp-request drop
icmp type timestamp-reply drop
}
}
table nat {
chain prerouting {
type nat hook prerouting priority -100
}
chain postrouting {
type nat hook postrouting priority 100
}
}
include "/etc/nftables-rules.d/*-*"