linode-guix-system-configuration/nftables.conf

flush ruleset

table inet my_table {
      set LANv4 {
        type ipv4_addr
        flags interval

        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }
     }

    set LANv6 {
     type ipv6_addr
     flags interval

     elements = { fd00::/8, fe80::/10 }
    }

    chain my_input_lan {
     #   accept Accept NFS
     #   meta l4proto { tcp, udp } th dport 2049

     #   accept PXE
     #   udp sport { bootpc, 4011 } udp dport { bootps, 4011 } accept
     #   accept tftp
     #   udp dport tftp accept
     }

    chain my_input {
        type filter hook input priority filter; policy drop;

        # accept localhost traffic
        iif lo accept
        # drop invalid connections
        ct state invalid drop
        # accept traffic originated from us
        ct state established,related accept

        # accept ICMPv6
        meta l4proto ipv6-icmp accept
        # accept ICMP
        meta l4proto icmp accept
        # accept igmp
        ip protocol igmp accept

        # accept mdns
        udp dport mdns ip6 daddr ff02::fb accept

        # accept mdns
        udp dport mdns ip daddr 224.0.0.251 accept

        # accept private ip ranges
        ip6 saddr @LANv6 jump my_input_lan
        ip saddr @LANv4 jump my_input_lan

        # allow ssh access
        tcp dport ssh accept

        # allow IPP/IPPs whatever that is
        # tcp dport ipp accept

        # allow http and https
        tcp dport { http, https, 8008, 8080 } accept
        # Accept DHCPDISCOVER (for DHCP-Proxy)
        udp sport bootpc udp dport bootps ip saddr 0.0.0.0 ip daddr 255.255.255.255 accept
        }

    chain my_forward {
          type filter hook forward priority filter; policy drop;
          # Drop everything forwarded to us. We do not forward. That is routers job.
    }

    chain my_output {
        type filter hook output priority filter; policy accept;
        # Accept every outbound connection
    }

}