
@rvalente
Last active November 30, 2024 12:26
nftables stateful firewall (IPv4 two-interface router with NAT)
#!/usr/sbin/nft -f
# Stateful IPv4 firewall and source NAT for a two-interface router
# (LAN on eth1 behind WAN on eth0). Load with: nft -f <this file>
# "flush ruleset" removes EVERY existing table in every address family,
# including rules installed by other tools (iptables-nft, docker, libvirt,
# fail2ban), before the tables below are created. On a shared host, check
# "nft list ruleset" first so nothing is silently wiped.
flush ruleset
# Interfaces and Networks
# NOTE(review): these are interface names, not network prefixes. The rules
# below match them with "iif"/"oif", which bind to the interface index at
# load time; if an interface gets re-created (pppoe, VPN tunnels), the rule
# stops matching until the ruleset is reloaded -- "iifname" avoids that.
define wan = eth0
define lan = eth1
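# IPv4 packet filter for the router itself (input) and routed traffic (forward).
# NOTE(review): "table ip" hooks IPv4 only. Nothing here touches IPv6, so on a
# host with IPv6 enabled every IPv6 packet bypasses this policy entirely --
# either disable IPv6 on the box or add an ip6 (or inet) table with the same
# policies plus the ICMPv6 neighbour-discovery rules IPv6 needs to function.
# $wan and $lan must be defined earlier in the file.
table ip filter {
    # Source prefixes that can never legitimately arrive from the Internet:
    # "this" network, RFC 1918, loopback, link-local, multicast and reserved
    # (the last one also covers limited broadcast 255.255.255.255).
    # 100.64.0.0/10 (shared/CGNAT space) is deliberately left out: an uplink
    # that itself sits behind CGNAT may see its gateway source traffic from it.
    set martians {
        type ipv4_addr
        flags interval
        elements = { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16,
                     172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Anti-spoofing on WAN. Logging is rate-limited so a flood cannot fill
        # the log; the drop is a separate, unconditional rule so packets that
        # exceed the log limit cannot fall through to later accept rules.
        iif $wan ip saddr @martians limit rate 5/minute log prefix "nft-martian: "
        iif $wan ip saddr @martians counter drop

        # Packets conntrack cannot classify (bad TCP flags, out-of-window, ...).
        # Same two-rule pattern: rate-limited log, then unconditional drop.
        ct state invalid limit rate 5/minute log prefix "nft-invalid: "
        ct state invalid counter drop

        # Loopback: new flows accepted here, their replies by the
        # established/related rule further down.
        iif lo ct state new accept

        # Anything originating on the LAN may reach this host.
        iif $lan ct state new accept

        # ICMP echo (ping) from any interface -- effectively WAN, since LAN and
        # lo were accepted above -- rate-limited so the host cannot be ping-
        # flooded. Other ICMP that belongs to an existing flow (destination-
        # unreachable, time-exceeded for PMTU discovery and traceroute) is
        # classified as "related" and accepted by the rule below.
        icmp type echo-request limit rate 10/second accept

        # Replies to flows this host opened.
        ct state established,related accept

        # Everything else hits the drop policy; counted for visibility.
        counter comment "input: dropped by policy"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Apply the same sanity checks to routed traffic as to local traffic.
        ct state invalid counter drop
        iif $wan ip saddr @martians counter drop

        # LAN -> Internet: unrestricted (source NAT happens in the nat table).
        iif $lan oif $wan accept

        # Internet -> LAN: only replies to flows the LAN opened. Port forwards
        # would need a dnat rule in the nat table plus an accept here.
        iif $wan oif $lan ct state established,related accept

        counter comment "forward: dropped by policy"
    }

    chain output {
        # Locally generated traffic is not restricted.
        type filter hook output priority 0; policy accept;
    }
}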
# Only the first packet of each flow traverses the nat chains; the mapping it
# produces is stored in conntrack and applied to every later packet of that flow.
# IPv4 NAT. Only the first packet of a flow is evaluated here; conntrack
# applies the resulting mapping to the rest of the flow.
table ip nat {
# Empty placeholder: this is where dnat rules for port forwards would go
# (each also needs an accept in filter/forward for WAN -> LAN).
# NOTE(review): the conventional hook priorities are -100 (dstnat) for
# prerouting and 100 (srcnat) for postrouting; -150 on both loads fine but
# orders these chains ahead of any other tool's nat chains on the same hooks.
chain prerouting {
type nat hook prerouting priority -150;
}
chain postrouting {
type nat hook postrouting priority -150;
# Source-NAT everything leaving on WAN to the WAN interface's current address.
# "persistent" keeps the same mapped source address/port for a given client
# across its connections (needed by some NAT-traversal protocols).
oif $wan masquerade persistent
}
}
@williamdes

Bogon list adapted from: https://geotargetly.com/blog/bogon-ip -- a fuller set of never-valid WAN source prefixes than the three RFC 1918 ranges in the martian rule above.

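# Source prefixes that must never arrive from the Internet on the WAN
# interface ("bogons").
# NOTE(review): nft (without a named set using auto-merge) rejects a set whose
# intervals overlap, so two entries fully contained in another prefix were
# removed from the original list: 127.0.53.53 (inside 127.0.0.0/8) and
# 255.255.255.255/32 (inside 240.0.0.0/4). Both are still matched by the
# wider prefix.
define ALL_BOGONS_v4 = {
    # "This" network (RFC 1122)
    0.0.0.0/8,
    # Private-use networks (RFC 1918)
    10.0.0.0/8,
    # Shared address space / carrier-grade NAT (RFC 6598).
    # CAVEAT: if the WAN uplink itself sits behind CGNAT, the upstream gateway
    # may legitimately source traffic (ICMP errors, DHCP) from this range --
    # drop this entry in that case.
    100.64.0.0/10,
    # Loopback (RFC 1122); also covers the 127.0.53.53 name-collision sentinel
    127.0.0.0/8,
    # Link local (RFC 3927)
    169.254.0.0/16,
    # Private-use networks (RFC 1918)
    172.16.0.0/12,
    # IETF protocol assignments (RFC 6890)
    192.0.0.0/24,
    # TEST-NET-1 (RFC 5737)
    192.0.2.0/24,
    # Private-use networks (RFC 1918)
    192.168.0.0/16,
    # Network interconnect device benchmark testing (RFC 2544)
    198.18.0.0/15,
    # TEST-NET-2 (RFC 5737)
    198.51.100.0/24,
    # TEST-NET-3 (RFC 5737)
    203.0.113.0/24,
    # Multicast -- never valid as a source address
    224.0.0.0/4,
    # Reserved for future use; also covers limited broadcast 255.255.255.255
    240.0.0.0/4
}

# Drop bogon-sourced packets arriving on WAN. "iifname" matches by name, so
# the rule keeps working if the interface is re-created. $WAN_NIC_NAME must be
# defined elsewhere (the gist above uses $wan). Place this early in the input
# chain, before any accept rule.
iifname $WAN_NIC_NAME ip saddr $ALL_BOGONS_v4 counter drop comment "Drop bogon traffic"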
