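#!/usr/sbin/nft -f
#
# Host firewall + NAT for a strongSwan VPN gateway.
#   eth0             - uplink; IKE/ESP terminate here and masqueraded traffic leaves here
#   172.16.252.0/24  - address pool handed to VPN clients; forwarded and masqueraded
#
# NOTE(review): `flush ruleset` removes every table in the kernel, including the
# one fail2ban creates and fills at runtime. Reloading this file therefore drops
# all currently active bans until fail2ban is restarted (the include at the
# bottom can only restore the static part of its config). Restart fail2ban after
# a reload, or switch to per-table `flush table ...` if that is a concern.
flush ruleset

table inet filter {
    # Conntrack checks shared by the input and forward chains.
    chain base_checks {
        # Replies to connections we or our VPN clients opened are always fine.
        ct state { established, related } counter accept
        # Packets that belong to no tracked connection (bad TCP flags,
        # out-of-window, ...) are dropped before any accept rule can match.
        ct state invalid drop
    }

    chain input {
        type filter hook input priority 0; policy drop
        jump base_checks

        # Loopback is unrestricted.
        iifname lo accept

        # Locally offered services: SSH, HTTP, HTTPS. Only the opening packet
        # has to match here; the rest of the flow is accepted in base_checks.
        tcp dport { 22, 80, 443 } ct state new counter accept

        # strongSwan: IKE (500/udp) and NAT-T / UDP-encapsulated ESP (4500/udp).
        udp dport { 500, 4500 } counter accept

        # IPsec carried natively (no NAT-T) on the uplink.
        iifname eth0 ip protocol { ah, esp } accept

        # ICMP: ping plus the error types that PMTU discovery and traceroute need.
        icmp type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable } accept

        # ICMPv6: this table is `inet`, so the `policy drop` above applies to
        # IPv6 too. Without Neighbour Discovery (NS/NA/RS/RA) the host loses even
        # link-local IPv6 connectivity, and without packet-too-big PMTU discovery
        # fails. Harmless on a host with IPv6 disabled (the rule never matches).
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # Anything else is counted and actively rejected (port-unreachable in the
        # matching ICMP family). Nothing reaches the chain policy; change this to
        # `counter drop` if the host should stay silent towards scanners.
        counter reject with icmpx type port-unreachable
    }

    chain forward {
        type filter hook forward priority 0; policy drop
        jump base_checks

        # Traffic from the VPN client pool may be routed out; the replies come
        # back through base_checks.
        # NOTE(review): this matches on source address only. A cleartext packet
        # arriving on eth0 with a spoofed 172.16.252.x source would be forwarded
        # and masqueraded as well. Where the nft/kernel version supports it,
        # tighten to `ip saddr 172.16.252.0/24 meta ipsec exists accept` so that
        # only packets that came out of an IPsec SA match -- confirm support
        # before enabling, an unknown keyword makes the whole file fail to load.
        ip saddr 172.16.252.0/24 counter accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
        # Everything is accepted by policy; this rule exists only to count the
        # IPsec traffic we emit on the uplink.
        oifname eth0 ip protocol { ah, esp } counter accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        # Port forwards (dnat) go here; none are configured.
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Client-to-client traffic (pool -> pool) also leaves via eth0, inside
        # ESP, and this hook sees it before encapsulation. Exempt it so the
        # masquerade below does not rewrite VPN-internal addresses.
        ip saddr 172.16.252.0/24 ip daddr 172.16.252.0/24 accept
        # Hide the VPN client pool behind eth0's address. `oifname` rather than
        # `oif` so the rule keeps working if eth0 is re-created with a new index.
        ip saddr 172.16.252.0/24 oifname eth0 counter masquerade
    }
}

# Presumably fail2ban's own table (its nftables action writes one); pulled in
# last so it is recreated after the global flush above. Its runtime ban entries
# are not restored by this -- see the note at the top.
include "/etc/nftables/fail2ban.conf"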