#!/usr/sbin/nft -f # vim: set ts=4 sw=4: # You can find examples in /usr/share/nftables/. # Clear all prior state flush ruleset # Basic IPv4/IPv6 stateful firewall for server/workstation. table inet filter { chain input { type filter hook input priority 0; policy drop; iifname lo accept \ comment "Accept any localhost traffic" ct state { established, related } accept \ comment "Accept traffic originated from us" ct state invalid drop \ comment "Drop invalid connections" tcp dport 113 reject with icmpx type port-unreachable \ comment "Reject AUTH to make it fail fast" # ICMPv4 ip protocol icmp icmp type { echo-reply, # type 0 destination-unreachable, # type 3 echo-request, # type 8 time-exceeded, # type 11 parameter-problem, # type 12 } accept \ comment "Accept ICMP" # ICMPv6 ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, # type 1 packet-too-big, # type 2 time-exceeded, # type 3 parameter-problem, # type 4 echo-request, # type 128 echo-reply, # type 129 } accept \ comment "Accept basic IPv6 functionality" ip6 nexthdr icmpv6 icmpv6 type { nd-router-solicit, # type 133 nd-router-advert, # type 134 nd-neighbor-solicit, # type 135 nd-neighbor-advert, # type 136 } ip6 hoplimit 255 accept \ comment "Allow IPv6 SLAAC" ip6 nexthdr icmpv6 icmpv6 type { mld-listener-query, # type 130 mld-listener-report, # type 131 mld-listener-reduction, # type 132 mld2-listener-report, # type 143 } ip6 saddr fe80::/10 accept \ comment "Allow IPv6 multicast listener discovery on link-local" ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept \ comment "Accept DHCPv6 replies from IPv6 link-local addresses" } chain forward { type filter hook forward priority 0; policy drop; } chain output { type filter hook output priority 0; policy accept; } } # The state of stateful objects saved on the nftables service stop. include "/var/lib/nftables/*.nft" # Rules include "/etc/nftables.d/*.nft"