💀
#! /usr/sbin/nft -f
# 💀 aka "absolute" firewall for Linux
#
# Every base chain in this file has "policy drop" and no rules, so every
# packet that reaches any hook in any family is discarded, including
# traffic on lo.  Applying it on a host you reach over the network severs
# that session; check syntax first with "nft -c -f <this file>" (no load).
#
# "flush ruleset" makes the file idempotent.  nft -f applies the whole file
# as one atomic transaction: if the running kernel rejects any chain below
# (e.g. an unsupported hook), nothing is changed and the previous ruleset
# stays in place.
flush ruleset
# Ingress is the earliest hook and is bound per device; only lo is covered.
# NOTE(review): frames on other interfaces that are neither IP/IPv6 nor ARP
# and are not bridged have no hook in the other families of this file, so
# they are not dropped here - add an ingress chain per device if that matters.
table netdev netdev_rules {
    chain netdev_filter_ingress_device_lo {
        type filter hook ingress device lo priority 0; policy drop;
    }
}
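# Mixed-L3 table covering IPv4 and IPv6 together.  The nat and route chains
# carry "policy drop" as well, so they drop on their own regardless of the
# filter chains (nat prerouting at dstnat/-100 runs before filter/0).
table inet inet_rules {
    # Belt and braces: lo traffic is already dropped by the netdev ingress
    # chain on the same hook.  NOTE(review): the inet-family ingress hook
    # presumably needs a fairly recent kernel/nft; on an older one the whole
    # file is rejected (atomic load), so the ruleset simply does not apply.
    chain inet_filter_ingress_device_lo {
        type filter hook ingress device lo priority filter; policy drop;
    }
    chain inet_filter_prerouting {
        type filter hook prerouting priority filter; policy drop;
    }
    chain inet_filter_forward {
        type filter hook forward priority filter; policy drop;
    }
    chain inet_filter_input {
        type filter hook input priority filter; policy drop;
    }
    chain inet_filter_output {
        type filter hook output priority filter; policy drop;
    }
    # "filter" is the standard name for priority 0 in this family (nft(8));
    # spelled by name so every filter chain reads the same.
    chain inet_filter_postrouting {
        type filter hook postrouting priority filter; policy drop;
    }
    chain inet_nat_prerouting {
        type nat hook prerouting priority dstnat; policy drop;
    }
    # dstnat/srcnat are hook-specific names (prerouting/postrouting only per
    # nft(8)), hence the numeric priority on the input/output nat chains.
    chain inet_nat_input {
        type nat hook input priority 0; policy drop;
    }
    chain inet_nat_output {
        type nat hook output priority 0; policy drop;
    }
    chain inet_nat_postrouting {
        type nat hook postrouting priority srcnat; policy drop;
    }
    chain inet_route_output {
        type route hook output priority 0; policy drop;
    }
}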
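# IPv6-only table; duplicates the inet coverage for this family.  The nat and
# route chains drop on their own too (nat prerouting at dstnat/-100 runs
# before filter/0).
table ip6 ip6_rules {
    # "filter" is the standard name for priority 0 in this family (nft(8));
    # spelled by name so every filter chain reads the same.
    chain ip6_filter_prerouting {
        type filter hook prerouting priority filter; policy drop;
    }
    chain ip6_filter_forward {
        type filter hook forward priority filter; policy drop;
    }
    chain ip6_filter_input {
        type filter hook input priority filter; policy drop;
    }
    chain ip6_filter_output {
        type filter hook output priority filter; policy drop;
    }
    chain ip6_filter_postrouting {
        type filter hook postrouting priority filter; policy drop;
    }
    chain ip6_nat_prerouting {
        type nat hook prerouting priority dstnat; policy drop;
    }
    # dstnat/srcnat are hook-specific names (prerouting/postrouting only per
    # nft(8)), hence the numeric priority on the input/output nat chains.
    chain ip6_nat_input {
        type nat hook input priority 0; policy drop;
    }
    chain ip6_nat_output {
        type nat hook output priority 0; policy drop;
    }
    chain ip6_nat_postrouting {
        type nat hook postrouting priority srcnat; policy drop;
    }
    chain ip6_route_output {
        type route hook output priority 0; policy drop;
    }
}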
# IPv4-only table; duplicates the inet coverage for this family.  The nat and
# route chains drop on their own too (nat prerouting at dstnat/-100 runs
# before filter/0).
table ip ip_rules {
    chain ip_filter_prerouting {
        type filter hook prerouting priority filter; policy drop;
    }
    chain ip_filter_forward {
        type filter hook forward priority filter; policy drop;
    }
    chain ip_filter_input {
        type filter hook input priority filter; policy drop;
    }
    chain ip_filter_output {
        type filter hook output priority filter; policy drop;
    }
    chain ip_filter_postrouting {
        type filter hook postrouting priority filter; policy drop;
    }
    chain ip_nat_prerouting {
        type nat hook prerouting priority dstnat; policy drop;
    }
    # dstnat/srcnat are hook-specific names (prerouting/postrouting only per
    # nft(8)), hence the numeric priority on the input/output nat chains.
    chain ip_nat_input {
        type nat hook input priority 0; policy drop;
    }
    chain ip_nat_output {
        type nat hook output priority 0; policy drop;
    }
    chain ip_nat_postrouting {
        type nat hook postrouting priority srcnat; policy drop;
    }
    chain ip_route_output {
        type route hook output priority 0; policy drop;
    }
}
# The arp family exposes only the input and output hooks, so these two
# chains are the complete set; dropping both silences ARP on this host.
table arp arp_rules {
    chain arp_filter_input {
        type filter hook input priority filter; policy drop;
    }
    chain arp_filter_output {
        type filter hook output priority filter; policy drop;
    }
}
# Bridge-family hooks only see frames that traverse a bridge device; in this
# family "filter" is a different standard value (-200 per nft(8)), which is
# why it is kept by name rather than as a number.
table bridge bridge_rules {
    chain bridge_filter_prerouting {
        type filter hook prerouting priority filter; policy drop;
    }
    chain bridge_filter_forward {
        type filter hook forward priority filter; policy drop;
    }
    chain bridge_filter_input {
        type filter hook input priority filter; policy drop;
    }
    chain bridge_filter_output {
        type filter hook output priority filter; policy drop;
    }
    chain bridge_filter_postrouting {
        type filter hook postrouting priority filter; policy drop;
    }
}
# vi:ft=nftables