81 lines
1.5 KiB
Text
81 lines
1.5 KiB
Text
#!/usr/sbin/nft -f
|
|
|
|
flush ruleset
|
|
|
|
table inet filter {
|
|
chain input {
|
|
type filter hook input priority 0
|
|
policy drop
|
|
|
|
tcp flags syn tcp option maxseg size 1-500 drop
|
|
|
|
ct state { established, related } accept
|
|
ct state invalid drop
|
|
|
|
iif lo accept
|
|
|
|
% for address in sorted(blocked_v4):
|
|
ip saddr ${address} drop
|
|
% endfor
|
|
% for address in sorted(blocked_v6):
|
|
ip6 saddr ${address} drop
|
|
% endfor
|
|
|
|
icmp type timestamp-request drop
|
|
icmp type timestamp-reply drop
|
|
meta l4proto {icmp, ipv6-icmp} accept
|
|
|
|
% for ruleset, rules in sorted(input.items()):
|
|
|
|
# ${ruleset}
|
|
% for rule in rules:
|
|
${rule}
|
|
% endfor
|
|
% endfor
|
|
}
|
|
|
|
chain output {
|
|
type filter hook output priority 0
|
|
policy accept
|
|
}
|
|
|
|
chain forward {
|
|
type filter hook forward priority 0
|
|
policy drop
|
|
|
|
icmp type timestamp-request drop
|
|
icmp type timestamp-reply drop
|
|
% for ruleset, rules in sorted(forward.items()):
|
|
|
|
# ${ruleset}
|
|
% for rule in rules:
|
|
${rule}
|
|
% endfor
|
|
% endfor
|
|
}
|
|
}
|
|
|
|
table nat {
|
|
chain prerouting {
|
|
type nat hook prerouting priority -100
|
|
% for ruleset, rules in sorted(prerouting.items()):
|
|
|
|
# ${ruleset}
|
|
% for rule in rules:
|
|
${rule}
|
|
% endfor
|
|
% endfor
|
|
}
|
|
chain postrouting {
|
|
type nat hook postrouting priority 100
|
|
% for ruleset, rules in sorted(postrouting.items()):
|
|
|
|
# ${ruleset}
|
|
% for rule in rules:
|
|
${rule}
|
|
% endfor
|
|
% endfor
|
|
}
|
|
}
|
|
|
|
include "/etc/nftables-rules.d/*-*"
|