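#!/usr/sbin/nft -f
#
# Author :Julio Sanz
# Website :www.elarraydejota.com
# Email :[email protected]
# Description :nftables desktop ruleset for IPv4 network traffic
# Dependencies :nftables
# License :GPLv3
#
# Design: default-deny on every chain of both address families. IPv4 INPUT
# admits loopback, established/related traffic, the Steam ports and the LAN;
# IPv4 OUTPUT admits loopback, established/related traffic and an explicit
# allow-list of destination ports. IPv6 is not used by this host and is
# dropped except on loopback.
#
# VARIABLES
#
# Local network segment trusted on both INPUT and OUTPUT.
define lan_segment = 192.168.1.0/24
# Resolvers this host is allowed to query directly (OpenDNS). Resolvers on the
# LAN segment are already reachable through the LAN rule in OUTPUT.
define dns_servers = { 208.67.222.222, 208.67.220.220 }
#
# MAIN
#
flush ruleset

# IPv4
table ip filter {
    chain INPUT {
        # Filter definition and Default Policy
        type filter hook input priority 0; policy drop;

        # Drop invalid connections
        ct state invalid drop

        # Allow loopback
        iifname lo accept

        # Accept established connections
        ct state { established, related } accept

        # Allow Steam (inbound peer/game traffic; intentionally not limited to a source)
        udp dport 27015 accept
        tcp dport 27015 accept
        udp dport { 27031, 27036 } accept
        tcp dport { 27036, 27037 } accept

        # Allow LAN traffic
        ip saddr $lan_segment accept

        # Everything else falls through to the drop policy. The log is rate
        # limited so unsolicited traffic cannot flood the journal; the limit
        # only affects logging, never the drop itself.
        limit rate 5/minute burst 10 packets log prefix "nftables-INPUT-Dropped: "
    }

    chain FORWARD {
        # Filter definition and Default Policy (this host does not route)
        type filter hook forward priority 0; policy drop;
        limit rate 5/minute burst 10 packets log prefix "nftables-FORWARD-Dropped: "
    }

    chain OUTPUT {
        # Filter definition and Default Policy
        type filter hook output priority 0; policy drop;

        # Drop invalid connections (mirrors INPUT)
        ct state invalid drop

        # Allow loopback
        oifname lo accept

        # Replies belonging to connections INPUT already accepted (for example
        # inbound Steam peers) must be let out, otherwise those INPUT accepts
        # are ineffective: the responses carry a random destination port that
        # matches none of the allow-list below and would be dropped here. This
        # also lets related ICMP errors (e.g. PMTU) leave the host.
        ct state { established, related } accept

        # DNS (only to the configured resolvers)
        ip daddr $dns_servers tcp dport 53 accept
        ip daddr $dns_servers udp dport 53 accept

        # SSH
        tcp dport 22 accept

        # HTTP, HTTPS (the only rule that also pins the source port to the
        # ephemeral range; kept as in the original)
        tcp sport 1024-65535 tcp dport { 80, 443 } accept

        # SMTP submission
        tcp dport 587 accept

        # Steam
        udp dport 27000-27100 accept
        udp dport { 3478, 4379, 4380 } accept

        # LAN traffic
        ip daddr $lan_segment accept

        # Unmatched outbound traffic is dropped by policy; log it, rate limited.
        limit rate 5/minute burst 10 packets log prefix "nftables-OUTPUT-Dropped: "
    }
}

# IPv6
# This host is IPv4-only by policy: no IPv6 network traffic is accepted in any
# direction. Loopback is the single exception so that local services bound to
# ::1 keep working; it exposes nothing on the wire. Note that this drops IPv6
# rather than disabling it — if the kernel still has IPv6 enabled, the
# addresses exist but cannot send or receive.
table ip6 filter {
    chain INPUT {
        type filter hook input priority 0; policy drop;
        iifname lo accept
    }
    chain FORWARD {
        type filter hook forward priority 0; policy drop;
    }
    chain OUTPUT {
        type filter hook output priority 0; policy drop;
        oifname lo accept
    }
}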