raspi/nftables-stuff

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 

Repository files navigation

nftables-stuff

#!/usr/bin/nft -f

# Atomically replaces the entire live ruleset: every table in every family,
# including tables created by other tools, is removed before the tables
# below are created. Check the file with `nft -c -f <file>` first; a syntax
# error aborts the load, but a clean load of this file as written drops all
# traffic (every chain below has policy drop and no rules).
flush ruleset

# Netdev (processed first)
# Requires device name in every hook
# The netdev ingress hook sees packets before any inet/ip/ip6 hook, so a drop
# here is final: the chains in the tables below never see loopback traffic.
table netdev incoming_traffic {
	# netdev - ingress - filter
	# Bound to `lo` only; with policy drop and no rules, all loopback traffic
	# (e.g. local services talking to 127.0.0.1 / ::1) is discarded.
	chain netdev_filter_ingress_dev_lo {
		type filter hook ingress device lo priority 0; policy drop;
	}

}

# Combined IPv4 & IPv6 rules
# Template: every base chain below is registered with policy drop and carries
# no rules, so as written this table denies all IPv4 and IPv6 traffic in every
# hook. Add accept rules (or relax the policy) per chain before loading this
# on a remotely administered host, otherwise the load itself ends the session.
table inet firewallrules {
	# inet - ingress - filter
	# Requires device name in hook
	# The inet-family ingress hook is newer than the other hooks here
	# (Linux 5.10+ / nftables 0.9.7+); older systems fail to load this chain.
	chain inet_filter_ingress_dev_lo {
		type filter hook ingress device lo priority filter; policy drop;
	}

	# inet - prerouting - filter
	chain inet_filter_prerouting {
		type filter hook prerouting priority filter; policy drop;
	}

	# inet - forward - filter
	chain inet_filter_forward {
		type filter hook forward priority filter; policy drop;
	}

	# inet - input - filter
	chain inet_filter_input {
		type filter hook input priority filter; policy drop;
	}

	# inet - output - filter
	chain inet_filter_output {
		type filter hook output priority filter; policy drop;
	}

	# inet - postrouting - filter
	# `priority 0` is the same value as the named priority `filter` used above.
	chain inet_filter_postrouting {
		type filter hook postrouting priority 0; policy drop;
	}

	# inet - prerouting - nat
	# Only the first packet of a new connection traverses nat chains. With
	# policy drop and no rules that packet is dropped here, so these nat
	# chains enforce deny-all as well, not just address translation.
	chain inet_nat_prerouting {
		type nat hook prerouting priority dstnat; policy drop;
	}

	# inet - input - nat
	chain inet_nat_input {
		type nat hook input priority 0; policy drop;
	}

	# inet - output - nat
	chain inet_nat_output {
		type nat hook output priority 0; policy drop;
	}

	# inet - postrouting - nat
	chain inet_nat_postrouting {
		type nat hook postrouting priority srcnat; policy drop;
	}

	# inet - output - route
	# Route chains re-evaluate routing for locally generated packets after the
	# rules run; with policy drop this denies all local output too.
	chain inet_route_output {
		type route hook output priority 0; policy drop;
	}

}

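# IPv6 (please prefer inet type)
# Same deny-all template as the inet table, restricted to IPv6. Every chain
# has policy drop and no rules; add accept rules before deploying.
table ip6 firewallrulesipv6 {

	# ip6 - prerouting - filter
	# Fixed: `priorityfilter0` is not valid nft syntax and aborted the whole
	# load (nothing after `flush ruleset` would have been installed).
	# `filter` is the named priority (value 0) used by the sibling chains.
	chain ip6_filter_prerouting {
		type filter hook prerouting priority filter; policy drop;
	}

	# ip6 - forward - filter
	chain ip6_filter_forward {
		type filter hook forward priority filter; policy drop;
	}

	# ip6 - input - filter
	chain ip6_filter_input {
		type filter hook input priority filter; policy drop;
	}

	# ip6 - output - filter
	chain ip6_filter_output {
		type filter hook output priority filter; policy drop;
	}

	# ip6 - postrouting - filter
	chain ip6_filter_postrouting {
		type filter hook postrouting priority filter; policy drop;
	}

	# ip6 - prerouting - nat
	# Only the first packet of a new connection traverses nat chains; with
	# policy drop and no rules that packet is dropped here.
	chain ip6_nat_prerouting {
		type nat hook prerouting priority dstnat; policy drop;
	}

	# ip6 - input - nat
	chain ip6_nat_input {
		type nat hook input priority 0; policy drop;
	}

	# ip6 - output - nat
	chain ip6_nat_output {
		type nat hook output priority 0; policy drop;
	}

	# ip6 - postrouting - nat
	chain ip6_nat_postrouting {
		type nat hook postrouting priority srcnat; policy drop;
	}

	# ip6 - output - route
	chain ip6_route_output {
		type route hook output priority 0; policy drop;
	}

}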

# IPv4 (please prefer inet type)
# Same deny-all template as the inet table, restricted to IPv4. Every chain
# has policy drop and no rules; add accept rules before deploying.
table ip firewallrulesipv4 {

	# ip - prerouting - filter
	chain ip_filter_prerouting {
		type filter hook prerouting priority filter; policy drop;
	}

	# ip - forward - filter
	chain ip_filter_forward {
		type filter hook forward priority filter; policy drop;
	}

	# ip - input - filter
	chain ip_filter_input {
		type filter hook input priority filter; policy drop;
	}

	# ip - output - filter
	chain ip_filter_output {
		type filter hook output priority filter; policy drop;
	}

	# ip - postrouting - filter
	chain ip_filter_postrouting {
		type filter hook postrouting priority filter; policy drop;
	}

	# NAT:
	# Only the first packet of a new connection traverses nat chains; with
	# policy drop and no rules that packet is dropped here.

	# ip - prerouting - nat
	chain ip_nat_prerouting {
		type nat hook prerouting priority dstnat; policy drop;
	}

	# ip - input - nat
	chain ip_nat_input {
		type nat hook input priority 0; policy drop;
	}

	# ip - output - nat
	chain ip_nat_output {
		type nat hook output priority 0; policy drop;
	}

	# ip - postrouting - nat
	chain ip_nat_postrouting {
		type nat hook postrouting priority srcnat; policy drop;
	}

	# ROUTING:

	# ip - output - route
	chain ip_route_output {
		type route hook output priority 0; policy drop;
	}

}

# ARP (IPv4)
# Dropping all ARP in both directions blocks IPv4 address resolution entirely:
# no on-link IPv4 neighbour (including the default gateway) is reachable
# until accept rules are added here.
table arp arprules {

	# arp - input - filter
	chain arp_filter_input {
		type filter hook input priority filter; policy drop;
	}

	# arp - output - filter
	chain arp_filter_output {
		type filter hook output priority filter; policy drop;
	}

}

# Bridging
# Only frames traversing a Linux bridge device pass these hooks; a host with
# no bridge interface is unaffected by this table. With policy drop and no
# rules, any bridge that does exist forwards nothing.
table bridge bridging {
	# bridge - prerouting - filter
	chain bridge_filter_prerouting {
		type filter hook prerouting priority filter; policy drop;
	}

	# bridge - forward - filter
	chain bridge_filter_forward {
		type filter hook forward priority filter; policy drop;
	}

	# bridge - input - filter
	chain bridge_filter_input {
		type filter hook input priority filter; policy drop;
	}

	# bridge - output - filter
	chain bridge_filter_output {
		type filter hook output priority filter; policy drop;
	}

	# bridge - postrouting - filter
	chain bridge_filter_postrouting {
		type filter hook postrouting priority filter; policy drop;
	}

}
