mbuesch
/
letmein


			
				
					
						
						
							1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859
							#!/usr/sbin/nft -f
#
# Example nftables configuration for letmein.
#

flush ruleset

table inet filter {
	chain LETMEIN-INPUT {
		# This chain will be managed and filled by letmeind.
		# Do NOT put manual rules here.
		# Leave this chain empty in this configuration.
		# letmeind will dynamically insert 'accept' rules here for the leases.
	}

	chain INPUT {
		type filter hook input priority filter; policy drop;

		iifname lo accept
		ct state invalid drop
		ct state related,established accept
		udp dport 32768-60999 accept # ephemeral port range (/proc/sys/net/ipv4/ip_local_port_range)

		meta l4proto ipv6-icmp accept
		meta l4proto icmp accept

		# TODO: Put your static rules here...

		jump LETMEIN-INPUT # Jump to letmein dynamic rules.

		meta l4proto udp drop # Drop all other UDP.
		reject # Reject everything else.
	}

	chain FORWARD {
		type filter hook forward priority filter; policy drop;

		# Put your static rules here...

		reject
	}

	chain OUTPUT {
		type filter hook output priority filter; policy drop;

		oifname lo accept
		ct state related,established accept

		meta l4proto ipv6-icmp accept
		meta l4proto icmp accept

		# TODO: Put your static rules here...
		meta l4proto udp accept # Accept all outgoing UDP.
		meta l4proto tcp accept # Accept all outgoing TCP.

		reject # Reject everything else.
	}
}