dotfiles/.config/nftables.conf

#!/usr/bin/nft -f
# vim:set ts=2 sw=2 et:

# IPv4/IPv6 Simple & Safe firewall ruleset.
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.

flush ruleset

table inet filter {
  set LANv4 {
    type ipv4_addr
    flags interval
  
    elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }
  }

  set LANv6 {
    type ipv6_addr
    flags interval
  
    elements = { fd00::/8, fe80::/10 }
  }

  chain input_lan {
    udp sport 1900 udp dport >= 1024 meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"
    udp sport netbios-ns udp dport >= 1024 meta pkttype unicast accept comment "Accept Samba Workgroup browsing replies"
  }

  chain input {
    type filter hook input priority filter
    policy drop

    ct state invalid drop comment "early drop of invalid connections"
    ct state {established, related} accept comment "allow tracked connections"
    iifname lo accept comment "allow from loopback"
    ip protocol icmp accept comment "allow icmp"
    meta l4proto ipv6-icmp accept comment "allow icmp v6"

    #tcp dport ssh accept comment "allow sshd"
    udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS"
    udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"

    pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
    ip6 saddr @LANv6 jump input_lan comment "Connections from private IP address ranges"
    ip saddr @LANv4 jump input_lan comment "Connections from private IP address ranges"
    counter
  }

  chain forward {
    type filter hook forward priority filter
    policy drop
  }
}
add nftables config 2022-02-02 00:12:46 +01:00			`#!/usr/bin/nft -f`
			`# vim:set ts=2 sw=2 et:`

			`# IPv4/IPv6 Simple & Safe firewall ruleset.`
			`# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.`

			`flush ruleset`

			`table inet filter {`
			`set LANv4 {`
			`type ipv4_addr`
			`flags interval`

			`elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }`
			`}`

			`set LANv6 {`
			`type ipv6_addr`
			`flags interval`

			`elements = { fd00::/8, fe80::/10 }`
			`}`

			`chain input_lan {`
			`udp sport 1900 udp dport >= 1024 meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"`
			`udp sport netbios-ns udp dport >= 1024 meta pkttype unicast accept comment "Accept Samba Workgroup browsing replies"`
			`}`

			`chain input {`
			`type filter hook input priority filter`
			`policy drop`

			`ct state invalid drop comment "early drop of invalid connections"`
			`ct state {established, related} accept comment "allow tracked connections"`
			`iifname lo accept comment "allow from loopback"`
			`ip protocol icmp accept comment "allow icmp"`
			`meta l4proto ipv6-icmp accept comment "allow icmp v6"`

			`#tcp dport ssh accept comment "allow sshd"`
			`udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS"`
			`udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"`

			`pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited`
			`ip6 saddr @LANv6 jump input_lan comment "Connections from private IP address ranges"`
			`ip saddr @LANv4 jump input_lan comment "Connections from private IP address ranges"`
			`counter`
			`}`

			`chain forward {`
			`type filter hook forward priority filter`
			`policy drop`
			`}`
			`}`