Created February 7, 2026 14:17 by Danielk84 (gist 495e8e63c6c09204e0bcd12f4de35b2f)
```nft
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state invalid counter drop comment "Early drop of invalid packets"
        ct state {established, related} counter accept comment "Accept all connections related to connections made by us"

        meta l4proto icmp icmp type echo-request limit rate over 10/second burst 4 packets drop comment "No ping floods"
        meta l4proto ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 4 packets drop comment "No ping floods"

        iif lo accept comment "Accept loopback"
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "Drop connections to loopback not coming from loopback"
        iif != lo ip6 daddr ::1/128 counter drop comment "Drop connections to loopback not coming from loopback"

        ip protocol icmp counter accept comment "Accept all ICMP types"
        ip6 nexthdr icmpv6 counter accept comment "Accept all ICMP types"

        # SSH
        tcp dport {ssh} accept

        # Web server (HTTP/1.1 or HTTP/2)
        tcp dport {http, https} accept

        # Web server (HTTP/3, QUIC over UDP); disabled
        # udp dport {https} accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```
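A quick offline check of what the ruleset above actually exposes: per-chain hook and default policy, plus the ports the `input` chain accepts, with commented-out rules (the http/3 line) correctly ignored. This is an added example, not part of the gist; it parses only the constructs this ruleset uses (chain headers, `tcp`/`udp dport {...} accept`, `#` comments), so it is an audit aid, not a general nft parser.

```python
"""Offline audit of an nftables ruleset text: per-chain hook/policy and the
ports the input chain accepts.  Regex-based; covers only this ruleset's
constructs (chain headers, 'tcp|udp dport {...} accept', '#' comments)."""
import re
# Constructed excerpt of the gist's ruleset (structure preserved, counters/comments trimmed).
RULESET = """table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state {established, related} counter accept
        tcp dport {ssh} accept
        tcp dport {http, https} accept
        # udp dport {https} accept
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output { type filter hook output priority 0; policy accept; }
}
"""

CHAIN_RE = re.compile(r"^chain\s+(\w+)\s*\{")
HOOK_RE = re.compile(r"type\s+filter\s+hook\s+(\w+)\s+priority\s+(-?\d+);\s*policy\s+(\w+);")
DPORT_RE = re.compile(r"\b(tcp|udp)\s+dport\s+\{?\s*([\w\s,-]+?)\s*\}?\s+accept\b")

def audit(text):
    """Return {chain: {'hook', 'policy', 'tcp': [ports], 'udp': [ports]}}."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # a leading '#' disables a rule, as with http/3 above
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"hook": None, "policy": None, "tcp": [], "udp": []}
            line = line[m.end():]  # one-line chains keep their header on the same line
        if current is None:
            continue
        m = HOOK_RE.search(line)
        if m:
            chains[current]["hook"], chains[current]["policy"] = m.group(1), m.group(3)
        for proto, ports in DPORT_RE.findall(line):
            chains[current][proto] += [p.strip() for p in ports.split(",")]
    return chains

def exposed_services(chains):
    """Accepted ports are only the attack surface if the input policy is drop."""
    inp = chains.get("input", {})
    if inp.get("policy") != "drop":
        raise ValueError("input chain is not default-drop")
    return sorted(inp["tcp"]), sorted(inp["udp"])
```

Run it against `nft list ruleset` output to confirm that only ssh, http and https are reachable and that forward still defaults to drop after any edit.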