Simple ruleset for a workstation: Difference between revisions

From nftables wiki
(Pages using deprecated source tags)
 
(5 intermediate revisions by 2 users not shown)
Line 1: Line 1:
A very simple set of rules that allows you to initiate communications from your workstation to the Internet but restricts any communication initiation to your workstation (that was not initiated by you).
You can load this file with nft -f.
= fw.basic =
= fw.basic =


<source lang="bash">
For IPv4 only workstation.
 
<syntaxhighlight lang="bash">
flush ruleset
 
table ip filter {
table ip filter {
     chain input {
     chain input {
           type filter hook input priority 0;
           type filter hook input priority 0; policy drop;


           # accept traffic originated from us
           # accept traffic originated from us
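Review bot: the `flush ruleset` this hunk adds at the top of the file removes every table in every address family, not just `ip filter`, so loading the file with `nft -f` also wipes any tables that other tooling on the host has installed; a short warning next to "You can load this file with nft -f." would save readers from that surprise.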
Line 11: Line 19:
           # accept any localhost traffic
           # accept any localhost traffic
           iif lo accept
           iif lo accept
          # accepting ping (icmp-echo-request) can be nice for diagnostic purposes.
          # However, it also lets probes discover this host is alive.
          # This sample accepts them within a certain rate limit:
          #
          # icmp type echo-request limit rate 5/second packets accept
          # examples for opening service-specific ports:
          # ct state new tcp dport 22 accept
          # ct state new tcp dport { 80,443 } accept
          # count and drop any other traffic
          counter drop
     }
     }
}
}
</source>
</syntaxhighlight>


= fw6.basic =
= fw6.basic =


<source lang="bash">
For IPv6 only workstation.
 
<syntaxhighlight lang="bash">
flush ruleset
 
table ip6 filter {
table ip6 filter {
         chain input {
         chain input {
                 type filter hook input priority 0;
                 type filter hook input priority 0; policy drop;


                 # accept any localhost traffic
                 # accept any localhost traffic
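Review bot: dropping the trailing `counter drop` removes the only counter in the ruleset. With `policy drop;` now on the hook line the explicit drop is redundant for filtering, but the counter is what lets `nft list ruleset` show how much traffic the default policy is discarding; suggest keeping `counter drop` (or a bare `counter`) as the last rule so the default-deny stays observable.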
Line 42: Line 41:


                 # accept neighbour discovery otherwise connectivity breaks
                 # accept neighbour discovery otherwise connectivity breaks
                 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
                 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
 
                # count and drop any other traffic
                counter drop
         }
         }
}
}
</source>
</syntaxhighlight>


= fw.inet.basic =
= fw.inet.basic =


The inet table is available from Linux kernel 3.14 and allow to use a dual-stack IPv4/IPv6 table. There is mostly a
For dual-stack IPv4/IPv6 workstation.
single change compared to previous ruleset which is the ''inet'' keyword.
 
<syntaxhighlight lang="bash">
flush ruleset


<source lang="bash">
table inet filter {
table inet filter {
         chain input {
         chain input {
                 type filter hook input priority 0;
                 type filter hook input priority 0; policy drop;


                 # accept any localhost traffic
                 # accept any localhost traffic
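Review bot: removing `echo-request` from the icmpv6 set changes behaviour: the host no longer answers IPv6 pings, and with `policy drop;` they are silently dropped rather than rejected. That is a reasonable choice for a workstation, but nothing in the page says it is intentional; one comment line above the set stating that only neighbour discovery is accepted on purpose would stop the next editor from adding it back.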
Line 66: Line 63:
                 ct state established,related accept
                 ct state established,related accept


                 # accept neighbour discovery otherwise connectivity breaks
                 # accept neighbour discovery otherwise IPv6 connectivity breaks
                 ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
                 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept


                # count and drop any other traffic
                counter drop
         }
         }
}
}
</source>
</syntaxhighlight>
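Review bot: the sentence "The inet table is available from Linux kernel 3.14" disappears with the rest of the paragraph, yet it is the only compatibility requirement fw.inet.basic has; keep it next to "For dual-stack IPv4/IPv6 workstation." so readers on older kernels know why the file fails to load. Shortening `ip6 nexthdr icmpv6 icmpv6 type { ... }` to `icmpv6 type { ... }` is fine: in the inet family nft adds the protocol dependency implicitly.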

Latest revision as of 23:51, 8 December 2021

A very simple set of rules that lets your workstation initiate connections to the Internet but drops any connection to your workstation that you did not initiate.

You can load this file with nft -f.

fw.basic

For an IPv4-only workstation.

flush ruleset

table ip filter {
     chain input {
          type filter hook input priority 0; policy drop;

          # accept traffic originated from us
          ct state established,related accept

          # accept any localhost traffic
          iif lo accept
     }
}

fw6.basic

For an IPv6-only workstation.

flush ruleset

table ip6 filter {
        chain input {
                 type filter hook input priority 0; policy drop;

                 # accept any localhost traffic
                 iif lo accept

                 # accept traffic originated from us
                 ct state established,related accept

                 # accept neighbour discovery otherwise connectivity breaks
                 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        }
}

fw.inet.basic

For a dual-stack IPv4/IPv6 workstation.

flush ruleset

table inet filter {
        chain input {
                 type filter hook input priority 0; policy drop;

                 # accept any localhost traffic
                 iif lo accept

                 # accept traffic originated from us
                 ct state established,related accept

                 # accept neighbour discovery otherwise IPv6 connectivity breaks
                 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

        }
}
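Added example, not part of the wiki page: a small Python checker for ruleset files in the syntax above. It parses each chain hooked on input and reports whether the properties these three rulesets depend on hold: `policy drop` on the chain, `ct state established,related accept` so replies to our own connections get in, `flush ruleset` so a reload does not stack on old rules, and, for the ip6 and inet families, the three neighbour-discovery types being accepted. The GOOD/BAD rulesets and the finding texts are constructed here, and the parser understands only the brace layout used on this page, not the full nft grammar.

```python
import re
# Constructed samples (not from the wiki): this page's dual-stack ruleset and a weakened copy.
GOOD = """flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
    }
}"""
BAD = GOOD.replace("policy drop;", "").replace("icmpv6 type", "# icmpv6 type")
ND_TYPES = {"nd-neighbor-solicit", "nd-router-advert", "nd-neighbor-advert"}

def parse_input_chains(text):
    """Return {family: [rule lines]} for every chain hooked on 'input' (brace layout only)."""
    chains, family, rules, hooked = {}, None, None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and indentation
        m = re.match(r"table\s+(ip6?|inet)\s+\S+\s*{", line)
        if m:
            family = m.group(1)
        elif line.startswith("chain "):
            rules, hooked = [], False
        elif line == "}":                            # closes the current chain or the table
            if hooked:
                chains[family] = rules
            rules, hooked = None, False
        elif rules is not None and line:
            hooked = hooked or line.startswith("type filter hook input")
            rules.append(line)
    return chains

def check_workstation_ruleset(text):
    """Return findings; an empty list means the ruleset matches this page's workstation policy."""
    findings = [] if "flush ruleset" in text else ["no 'flush ruleset': old rules survive a reload"]
    for fam, rules in parse_input_chains(text).items():
        if not any("policy drop" in r for r in rules):
            findings.append(f"{fam}: no 'policy drop', unsolicited traffic is accepted")
        if not any(r.startswith("ct state established,related accept") for r in rules):
            findings.append(f"{fam}: replies to our own connections are not explicitly accepted")
        if fam in ("ip6", "inet"):                   # neighbour discovery only matters for IPv6
            accepted = set()
            for r in rules:
                m = re.match(r"icmpv6 type\s+(?:{([^}]*)}|(\S+))\s+accept$", r)
                if m:
                    accepted |= {t.strip() for t in (m.group(1) or m.group(2)).split(",")}
            missing = sorted(ND_TYPES - accepted)
            if missing:
                findings.append(f"{fam}: neighbour discovery blocked ({', '.join(missing)}), IPv6 breaks")
    return findings
```

Run `nft -c -f <file>` first for a syntax check; this script only checks the policy properties, not nft syntax.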