@meskarune
Created May 25, 2016 02:16
nftables config for ipv4
#!/usr/bin/nft -f
# ipv4 Simple & Safe Firewall
# (the table below names no address family, so it defaults to "ip" and
#  filters IPv4 only; use "table inet" to cover IPv6 with the same rules)
# you can find examples in /usr/share/nftables/
flush ruleset
table firewall {
  chain incoming {
    # base chain on the input hook; priority 0 is the standard filter priority
    type filter hook input priority 0;
    # established/related connections
    ct state established,related accept
    # invalid connections
    ct state invalid drop
    # loopback interface
    iifname lo accept
    # icmp (rate limited, excess dropped)
    ip protocol icmp limit rate 10/second accept
    ip protocol icmp drop
    # sshd (port 22)
    tcp dport ssh limit rate 15/minute accept
    # mosh
    udp dport 60000-60100 limit rate 15/minute accept
    # open webserver ports: http (80), https (443)
    tcp dport {http, https} accept
    # openvpn
    udp dport 1194 limit rate 15/minute accept
    # weechat relay
    tcp dport 9009 accept
    # Flask apps
    tcp dport 5000 accept
    # everything else (no chain policy is set, so this final drop is the default)
    drop
  }
}
# vim:set ts=2 sw=2 et:
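A small audit script, added here as an example and not part of the gist: it parses the ruleset above (embedded as a constructed copy of the gist text), lists every tcp/udp port the input chain accepts, flags the accept rules that carry no `limit rate`, and confirms the chain ends in an unconditional drop. The regex only understands the simple `proto dport ... [limit rate ...] accept` form used in this file, which is an assumption of the example rather than a general nftables parser. Before loading a real file, the check that matters is `nft -c -f <file>`, which parses and validates without touching the live ruleset.

```python
import re

# Constructed copy of the gist's ruleset, embedded so the example runs offline.
RULESET = """
flush ruleset
table firewall {
  chain incoming {
    type filter hook input priority 0;
    ct state established,related accept
    ct state invalid drop
    iifname lo accept
    ip protocol icmp limit rate 10/second accept
    ip protocol icmp drop
    tcp dport ssh limit rate 15/minute accept
    udp dport 60000-60100 limit rate 15/minute accept
    tcp dport {http, https} accept
    udp dport 1194 limit rate 15/minute accept
    tcp dport 9009 accept
    tcp dport 5000 accept
    drop
  }
}
"""

# Matches the simple rule shape used in this file:
#   <tcp|udp> dport <port | range | {set}> [limit rate <rate>] accept
RULE_RE = re.compile(
    r"^(tcp|udp)\s+dport\s+(\{[^}]*\}|\S+)"
    r"(?:\s+limit\s+rate\s+(\S+))?\s+accept$"
)


def _statements(text):
    """Yield rule lines with comments and blank lines removed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_open_ports(text):
    """Return [(proto, port_spec, rate_or_None)] for every tcp/udp accept rule.

    A set like {http, https} is expanded into one entry per member so each
    exposed service shows up on its own line of the report.
    """
    found = []
    for stmt in _statements(text):
        m = RULE_RE.match(stmt)
        if not m:
            continue
        proto, ports, rate = m.groups()
        for port in ports.strip("{}").split(","):
            found.append((proto, port.strip(), rate))
    return found


def unlimited_ports(text):
    """Accept rules with no 'limit rate' clause: open to unthrottled traffic."""
    return [(proto, port) for proto, port, rate in parse_open_ports(text) if rate is None]


def has_default_drop(text):
    """True if the chain declares 'policy drop' or its last statement is a bare drop."""
    stmts = list(_statements(text))
    if any(re.search(r"\bpolicy\s+drop\b", s) for s in stmts):
        return True
    # Without a policy, the statement just before the chain's closing brace
    # must be an unconditional drop for unmatched traffic to be rejected.
    return any(s == "}" and i > 0 and stmts[i - 1] == "drop" for i, s in enumerate(stmts))


if __name__ == "__main__":
    for proto, port, rate in parse_open_ports(RULESET):
        print(f"{proto:3} {port:12} rate limit: {rate or 'none'}")
    print("unthrottled accepts:", unlimited_ports(RULESET))
    print("default drop present:", has_default_drop(RULESET))
```

Run against the gist, the report shows seven accepted ports, of which http, https, 9009 and 5000 have no rate limit, and confirms the trailing `drop` is present. Rate limiting on a web server port is usually the job of the application or a reverse proxy rather than the packet filter, so the unthrottled entries are a prompt to review, not a defect by themselves.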