Copy nftables.conf to /etc/nftables.conf
Install nftables
pacman -S --needed nftables iptables-nft
Enable and start nftables service
systemctl enable nftables
systemctl start nftables
man nft
Last active
May 20, 2022 09:12
-
-
Save popsUlfr/77080b15d6d22f5f2a86b66176ae764f to your computer and use it in GitHub Desktop.
nftables
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/nft -f | |
| flush ruleset | |
| define int_docker_mark = 0x3b3 # 947 | |
| define int_cni_mark = 0x3b4 # 948 | |
| define int_phone_macs = { | |
| A8:A0:91:51:40:79 # Pixel Wifi | |
| } | |
| table inet my_filter { | |
| chain input { | |
| type filter hook input priority filter + 10; policy drop; | |
| ct state { established, related } counter accept | |
| ct state invalid counter drop | |
| iifname "lo" accept | |
| meta l4proto { icmp, igmp, ipv6-icmp } counter accept | |
| ct state new jump input_main | |
| counter reject | |
| } | |
| chain input_main { | |
| ip saddr 192.168.0.0/24 tcp dport 22 counter accept comment "SSH" | |
| ether saddr $int_phone_macs counter accept comment "Phones" | |
| } | |
| chain forward { | |
| type filter hook forward priority filter + 10; policy drop; | |
| ct state { established, related } counter accept | |
| meta mark $int_docker_mark accept comment "docker" | |
| meta mark $int_cni_mark accept comment "CNI" | |
| } | |
| chain output { | |
| type filter hook output priority filter + 10; policy accept; | |
| counter | |
| } | |
| } | |
| # iptables-nft compatibility | |
| table ip filter { | |
| chain DOCKER-USER { | |
| meta mark set $int_docker_mark comment "docker" | |
| } | |
| chain CNI-ADMIN { | |
| meta mark set $int_cni_mark comment "CNI" | |
| } | |
| } | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment