config - nftables
“nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. It has been available since Linux kernel 3.13 released on 19 January 2014. nftables is supposed to replace certain parts of netfilter, while keeping and reusing most of it.”
config:
edit /etc/nftables.conf
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # accept any localhost traffic
        iif lo accept
        # accept traffic originated from us
        ct state established,related accept
        # drop invalid packets
        ct state invalid counter drop
        # accept ssh, http, https and 8080 (alternate http)
        tcp dport { 22, 80, 443, 8080 } accept
        # silently drop IPv4 icmp; "ip protocol" is an IPv4 header match and never
        # sees IPv6, so ICMPv6 (incl. neighbour discovery) falls through to the reject below
        ip protocol icmp drop
        # count and reject everything else (so the chain policy below is never reached)
        counter reject with icmpx type admin-prohibited
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
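To see how this input chain treats traffic, here is an added toy evaluator (example code, not part of the original page and not nftables itself) that walks the chain above in rule order, first verdict wins, against constructed sample packets; the packet fields, labels and the eth0 interface name are assumptions.

```python
# Added illustration (not nftables code): walk the input chain from the
# config above in rule order; the first rule that yields a verdict wins.
# Packets are constructed dicts, not real traffic.

ALLOWED_TCP_PORTS = {22, 80, 443, 8080}   # tcp dport { 22, 80, 443, 8080 } accept


def input_chain_verdict(pkt):
    """Return the verdict the input chain gives to one packet.

    pkt keys (all optional): iif, ct, family ('ip' or 'ip6'), proto, dport.
    """
    if pkt.get("iif") == "lo":                          # iif lo accept
        return "accept"
    if pkt.get("ct") in ("established", "related"):     # ct state established,related accept
        return "accept"
    if pkt.get("ct") == "invalid":                      # ct state invalid counter drop
        return "drop"
    if pkt.get("proto") == "tcp" and pkt.get("dport") in ALLOWED_TCP_PORTS:
        return "accept"
    # 'ip protocol icmp' is an IPv4 header match: in an inet table it never
    # sees IPv6 packets, so ICMPv6 is not matched here and falls through.
    if pkt.get("family") == "ip" and pkt.get("proto") == "icmp":
        return "drop"
    # counter reject with icmpx type admin-prohibited: every remaining packet
    # is rejected, so the chain's 'policy drop' is never actually consulted.
    return "reject admin-prohibited"


def evaluate(packets):
    """Map each labelled packet to its verdict, for a quick policy review."""
    return {label: input_chain_verdict(pkt) for label, pkt in packets}


# Constructed sample traffic, one entry per interesting path through the chain.
SAMPLE_PACKETS = [
    ("loopback",          {"iif": "lo", "family": "ip", "proto": "tcp", "dport": 5432}),
    ("reply to our conn", {"iif": "eth0", "ct": "established", "family": "ip", "proto": "tcp", "dport": 51000}),
    ("invalid tcp",       {"iif": "eth0", "ct": "invalid", "family": "ip", "proto": "tcp", "dport": 22}),
    ("new ssh",           {"iif": "eth0", "ct": "new", "family": "ip", "proto": "tcp", "dport": 22}),
    ("new smtp",          {"iif": "eth0", "ct": "new", "family": "ip", "proto": "tcp", "dport": 25}),
    ("ipv4 ping",         {"iif": "eth0", "ct": "new", "family": "ip", "proto": "icmp"}),
    ("ipv6 neighbour disc", {"iif": "eth0", "ct": "untracked", "family": "ip6", "proto": "ipv6-icmp"}),
    ("udp dns query",     {"iif": "eth0", "ct": "new", "family": "ip", "proto": "udp", "dport": 53}),
]

if __name__ == "__main__":
    for label, verdict in evaluate(SAMPLE_PACKETS).items():
        print(f"{label:20s} -> {verdict}")
```

Note that the IPv6 neighbour discovery entry ends at the final reject: on a dual-stack host this ruleset needs an explicit ipv6-icmp accept before it.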
22-09-2019