-
Notifications
You must be signed in to change notification settings - Fork 1
/
example-router3.nft
47 lines (37 loc) · 1.63 KB
/
example-router3.nft
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
#!/usr/sbin/nft -f
flush ruleset
define TRUSTED_IPV4 = {
1.2.3.0/24,
10.22.8.0/24,
192.168.0.0/16
}
define TRUSTED_IPV6 = {
2001:abcd:2222:100a::/64,
2001:aaaa:9000::/48,
fe80::/10
}
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
ct state invalid counter drop comment "early drop of invalid packets"
ct state {established, related} counter accept comment "accept all connections related to connections made by us"
meta l4proto icmp icmp type echo-request limit rate over 10/second burst 4 packets drop comment "No ping floods"
meta l4proto ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 4 packets drop comment "No ping floods"
iif lo accept comment "accept loopback"
iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
ip protocol icmp counter accept comment "accept all ICMP types"
ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
# SSH
tcp dport 22 ip saddr {$TRUSTED_IPV4} accept
tcp dport 22 ip6 saddr {$TRUSTED_IPV6} accept
# BGP
tcp dport 179 accept
}
chain forward {
type filter hook forward priority 0; policy accept;
}
chain output {
type filter hook output priority 0; policy accept;
}
}