Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- table inet nftables_svc {
- # protocols to allow
- set allowed_protocols {
- type inet_proto
- elements = { icmp, icmpv6 }
- }
- # interfaces to accept any traffic on
- set allowed_interfaces {
- type ifname
- elements = { "lo" }
- }
- # services to allow
- set allowed_tcp_dports {
- type inet_service
- elements = { 80,443}
- }
- # this chain gathers all accept conditions
- chain allow {
- ct state established,related accept
- meta l4proto @allowed_protocols accept
- iifname @allowed_interfaces accept
- tcp dport @allowed_tcp_dports accept
- }
- # base-chain for traffic to this host
- chain INPUT {
- type filter hook input priority filter + 20
- policy accept
- jump allow
- reject with icmpx type port-unreachable
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
