@jpetazzo
Created January 3, 2019 20:57
# firewalld-emitted nftables ruleset (nftables backend), address family "inet":
# the same chains apply to both IPv4 and IPv6. Only comments have been added;
# every rule, priority and chain name is as generated.
#
# Layout (from the chain names): each base chain <hook>_<STAGE> first jumps to a
# *_ZONES_SOURCE chain, then to a *_ZONES chain, which dispatches with goto to a
# per-zone chain (<stage>_<zone>); that chain runs its _log, _deny and _allow
# sub-chains in that order. Only one zone, "public", exists in this ruleset.
# The *_ZONES_SOURCE chains are all empty -- presumably firewalld fills them only
# when a zone has source-address bindings; here the one interface, wlp4s0, is the
# only binding.
table inet firewalld {
# Base chain on the prerouting hook, priority -290 (runs before conntrack).
chain raw_PREROUTING {
type filter hook prerouting priority -290; policy accept;
# IPv6 neighbor discovery (router advertisements, neighbor solicitations) is
# accepted before the source check below can see it.
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
# IPv6 source validation: a fib lookup of the source address via the input
# interface must yield an output interface; if it does not, the packet is
# dropped. Only IPv6 is checked here (meta nfproto ipv6); IPv4 is not.
meta nfproto ipv6 fib saddr . iif oif missing drop
# Source-address zone bindings are consulted before interface bindings.
jump raw_PREROUTING_ZONES_SOURCE
jump raw_PREROUTING_ZONES
}
# Empty in this ruleset (no source-address zone bindings).
chain raw_PREROUTING_ZONES_SOURCE {
}
# Interface-to-zone dispatch. The first rule sends wlp4s0 traffic to the public
# zone; the unconditional goto after it sends everything else to the same chain
# (presumably public is the default zone), so both rules have the same effect.
chain raw_PREROUTING_ZONES {
iifname "wlp4s0" goto raw_PRE_public
goto raw_PRE_public
}
# Base chain on the prerouting hook, priority -140. Same dispatch pattern as
# raw_PREROUTING; every chain it reaches is empty below.
chain mangle_PREROUTING {
type filter hook prerouting priority -140; policy accept;
jump mangle_PREROUTING_ZONES_SOURCE
jump mangle_PREROUTING_ZONES
}
chain mangle_PREROUTING_ZONES_SOURCE {
}
chain mangle_PREROUTING_ZONES {
iifname "wlp4s0" goto mangle_PRE_public
goto mangle_PRE_public
}
# Base chain on the input hook, priority 10. The chain policy is accept, but the
# last rule rejects whatever reaches it, so the effective default for inbound
# traffic is deny: a packet must be accepted by one of the rules above the
# reject, or inside a zone chain, to get through.
chain filter_INPUT {
type filter hook input priority 10; policy accept;
# Packets belonging to a connection conntrack already knows.
ct state established,related accept
# Loopback is accepted unconditionally.
iifname "lo" accept
# Zone dispatch; the zone chains are entered with goto, so a packet they do not
# accept comes back here and continues with the two rules below.
jump filter_INPUT_ZONES_SOURCE
jump filter_INPUT_ZONES
# Packets conntrack cannot classify are dropped silently.
ct state invalid drop
# Everything else is refused with an ICMP/ICMPv6 admin-prohibited error
# (icmpx picks the ICMP flavour matching the packet's family).
reject with icmpx type admin-prohibited
}
# Base chain on the forward hook, priority 10. Same structure as filter_INPUT,
# but the packet is run through both the ingress-zone (FORWARD_IN) and the
# egress-zone (FORWARD_OUT) dispatch before the invalid-drop and the reject.
# Note the loopback accept is present here as well, as emitted.
chain filter_FORWARD {
type filter hook forward priority 10; policy accept;
ct state established,related accept
iifname "lo" accept
jump filter_FORWARD_IN_ZONES_SOURCE
jump filter_FORWARD_IN_ZONES
jump filter_FORWARD_OUT_ZONES_SOURCE
jump filter_FORWARD_OUT_ZONES
ct state invalid drop
reject with icmpx type admin-prohibited
}
chain filter_INPUT_ZONES_SOURCE {
}
# Input zone dispatch: wlp4s0 and everything else both land in filter_IN_public.
chain filter_INPUT_ZONES {
iifname "wlp4s0" goto filter_IN_public
goto filter_IN_public
}
chain filter_FORWARD_IN_ZONES_SOURCE {
}
# Forward dispatch keyed on the ingress interface.
chain filter_FORWARD_IN_ZONES {
iifname "wlp4s0" goto filter_FWDI_public
goto filter_FWDI_public
}
chain filter_FORWARD_OUT_ZONES_SOURCE {
}
# Forward dispatch keyed on the egress interface (oifname, not iifname).
chain filter_FORWARD_OUT_ZONES {
oifname "wlp4s0" goto filter_FWDO_public
goto filter_FWDO_public
}
# Public zone, prerouting/raw stage: all three sub-chains are empty, so this
# is a no-op in the current ruleset.
chain raw_PRE_public {
jump raw_PRE_public_log
jump raw_PRE_public_deny
jump raw_PRE_public_allow
}
chain raw_PRE_public_log {
}
chain raw_PRE_public_deny {
}
chain raw_PRE_public_allow {
}
# Public zone, input direction. After the (empty) log and deny sub-chains and
# the allow sub-chain, all ICMP and ICMPv6 is accepted from any source. A packet
# not accepted here returns to filter_INPUT (this chain was reached by goto),
# where it is dropped if invalid or rejected otherwise.
chain filter_IN_public {
jump filter_IN_public_log
jump filter_IN_public_deny
jump filter_IN_public_allow
meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_IN_public_log {
}
chain filter_IN_public_deny {
}
# Services open in the public zone. The SSH rule has no source-address match, so
# any peer reachable on the zone's interface may open a connection to tcp/ssh.
# The DHCPv6 rule only accepts UDP to the dhcpv6-client port when the packet is
# addressed to the link-local range fe80::/64.
chain filter_IN_public_allow {
tcp dport ssh ct state new,untracked accept
ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept
}
# Public zone, forward-in direction. As with input, ICMP/ICMPv6 is accepted
# after the sub-chains; the allow sub-chain is empty, so nothing else new is
# forwarded into this zone -- it falls back to filter_FORWARD and is rejected.
chain filter_FWDI_public {
jump filter_FWDI_public_log
jump filter_FWDI_public_deny
jump filter_FWDI_public_allow
meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_FWDI_public_log {
}
chain filter_FWDI_public_deny {
}
chain filter_FWDI_public_allow {
}
# Public zone, mangle stage: all sub-chains empty; no-op.
chain mangle_PRE_public {
jump mangle_PRE_public_log
jump mangle_PRE_public_deny
jump mangle_PRE_public_allow
}
chain mangle_PRE_public_log {
}
chain mangle_PRE_public_deny {
}
chain mangle_PRE_public_allow {
}
# Public zone, forward-out direction. Unlike filter_FWDI_public there is no
# ICMP accept here, and all sub-chains are empty; a packet passes straight back
# to filter_FORWARD.
chain filter_FWDO_public {
jump filter_FWDO_public_log
jump filter_FWDO_public_deny
jump filter_FWDO_public_allow
}
chain filter_FWDO_public_log {
}
chain filter_FWDO_public_deny {
}
chain filter_FWDO_public_allow {
}
}
# IPv4-only NAT table. It contains no translation rule at all (no masquerade,
# snat or dnat anywhere below): every public-zone sub-chain is empty, so this is
# the dispatch scaffolding firewalld emits for the zone, and it currently changes
# nothing about the traffic.
table ip firewalld {
# Base NAT chain on the prerouting hook, priority -90 (destination-side NAT
# would live under the chains it reaches).
chain nat_PREROUTING {
type nat hook prerouting priority -90; policy accept;
# Source-address zone bindings first, then interface bindings.
jump nat_PREROUTING_ZONES_SOURCE
jump nat_PREROUTING_ZONES
}
chain nat_PREROUTING_ZONES_SOURCE {
}
# wlp4s0 and everything else both go to nat_PRE_public.
chain nat_PREROUTING_ZONES {
iifname "wlp4s0" goto nat_PRE_public
goto nat_PRE_public
}
# Base NAT chain on the postrouting hook, priority 110 (source-side NAT would
# live under the chains it reaches).
chain nat_POSTROUTING {
type nat hook postrouting priority 110; policy accept;
jump nat_POSTROUTING_ZONES_SOURCE
jump nat_POSTROUTING_ZONES
}
chain nat_POSTROUTING_ZONES_SOURCE {
}
# Keyed on the egress interface (oifname).
chain nat_POSTROUTING_ZONES {
oifname "wlp4s0" goto nat_POST_public
goto nat_POST_public
}
# Public zone, prerouting NAT: log, deny, allow -- all empty.
chain nat_PRE_public {
jump nat_PRE_public_log
jump nat_PRE_public_deny
jump nat_PRE_public_allow
}
chain nat_PRE_public_log {
}
chain nat_PRE_public_deny {
}
chain nat_PRE_public_allow {
}
# Public zone, postrouting NAT: log, deny, allow -- all empty.
chain nat_POST_public {
jump nat_POST_public_log
jump nat_POST_public_deny
jump nat_POST_public_allow
}
chain nat_POST_public_log {
}
chain nat_POST_public_deny {
}
chain nat_POST_public_allow {
}
}
# IPv6-only NAT table, chain-for-chain identical to the "ip firewalld" table
# above. Like that table it holds no translation rule (no masquerade, snat or
# dnat); all public-zone sub-chains are empty, so it is inert scaffolding.
table ip6 firewalld {
# Base NAT chain on the prerouting hook, priority -90.
chain nat_PREROUTING {
type nat hook prerouting priority -90; policy accept;
jump nat_PREROUTING_ZONES_SOURCE
jump nat_PREROUTING_ZONES
}
chain nat_PREROUTING_ZONES_SOURCE {
}
# wlp4s0 and everything else both go to nat_PRE_public.
chain nat_PREROUTING_ZONES {
iifname "wlp4s0" goto nat_PRE_public
goto nat_PRE_public
}
# Base NAT chain on the postrouting hook, priority 110.
chain nat_POSTROUTING {
type nat hook postrouting priority 110; policy accept;
jump nat_POSTROUTING_ZONES_SOURCE
jump nat_POSTROUTING_ZONES
}
chain nat_POSTROUTING_ZONES_SOURCE {
}
# Keyed on the egress interface (oifname).
chain nat_POSTROUTING_ZONES {
oifname "wlp4s0" goto nat_POST_public
goto nat_POST_public
}
# Public zone, prerouting NAT: log, deny, allow -- all empty.
chain nat_PRE_public {
jump nat_PRE_public_log
jump nat_PRE_public_deny
jump nat_PRE_public_allow
}
chain nat_PRE_public_log {
}
chain nat_PRE_public_deny {
}
chain nat_PRE_public_allow {
}
# Public zone, postrouting NAT: log, deny, allow -- all empty.
chain nat_POST_public {
jump nat_POST_public_log
jump nat_POST_public_deny
jump nat_POST_public_allow
}
chain nat_POST_public_log {
}
chain nat_POST_public_deny {
}
chain nat_POST_public_allow {
}
}