| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061 |
- #!/usr/sbin/nft -f
- #
- # Example nftables configuration for letmein.
- #
- flush ruleset
- table inet filter {
- chain LETMEIN-INPUT {
- # This chain will be managed and filled by letmeind.
- # Do NOT put manual rules here.
- # Leave this chain empty in this configuration.
- # letmeind will dynamically insert 'accept' rules here for the leases.
- }
- chain INPUT {
- type filter hook input priority filter; policy drop;
- iifname lo accept
- ct state invalid drop
- ct state related,established accept
- udp dport 32768-60999 accept # ephemeral port range (/proc/sys/net/ipv4/ip_local_port_range)
- meta l4proto ipv6-icmp accept
- meta l4proto icmp accept
- ip protocol igmp accept
- # TODO: Put your static rules here...
- jump LETMEIN-INPUT # Jump to letmein dynamic rules.
- meta l4proto udp drop # Drop all other UDP.
- reject # Reject everything else.
- }
- chain FORWARD {
- type filter hook forward priority filter; policy drop;
- # Put your static rules here...
- reject
- }
- chain OUTPUT {
- type filter hook output priority filter; policy drop;
- oifname lo accept
- ct state related,established accept
- meta l4proto ipv6-icmp accept
- meta l4proto icmp accept
- ip protocol igmp accept
- # TODO: Put your static rules here...
- meta l4proto udp accept # Accept all outgoing UDP.
- meta l4proto tcp accept # Accept all outgoing TCP.
- reject # Reject everything else.
- }
- }
|
