Code: /etc/nftables.conf
#!/usr/sbin/nft -f
# drop all rules
flush ruleset

# config (nft variables need the `define` keyword, otherwise `nft -f` fails to parse the file)
define MAIN_INTERFACE = "ens3"
define IPv4 = "1.2.3.4"
define IPv6 = "2000:beef:beef:beef::1"

# define new rules
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # accept any localhost traffic
        iifname lo accept

        # accept traffic originated from us
        ct state established,related accept

        # drop invalid packets
        ct state invalid drop

        # http and https
        iifname $MAIN_INTERFACE tcp dport { 80, 443 } ip daddr $IPv4 accept
        iifname $MAIN_INTERFACE tcp dport { 80, 443 } ip6 daddr $IPv6 accept

        # ssh
        iifname $MAIN_INTERFACE tcp dport 22 ip daddr $IPv4 accept
        iifname $MAIN_INTERFACE tcp dport 22 ip6 daddr $IPv6 accept

        # Allow ICMPv4: Ping requests | Error messages | Router selection messages
        ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } limit rate 4/second accept

        # Allow ICMPv6 traffic (https://tools.ietf.org/html/rfc4890#page-18)
        ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, parameter-problem, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } limit rate 4/second accept

        # Allow IGMP
        ip protocol igmp limit rate 4/second accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # drop invalid packets
        ct state invalid drop

        # reject outgoing SSH/SMTP/SMB/RDP connections
        oifname $MAIN_INTERFACE tcp dport { 22, 25, 445, 3389 } reject
    }
}
You can extend it to suit your needs. You have to adjust the three variables under config; if you run it as is, you will lock yourself out.
You can reload the whole lot with nft -f /etc/nftables.conf
EDIT:
or should I uninstall nftables and set up iptables instead?
No.
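The post warns that loading the ruleset with the example values still in place locks you out. The following POSIX shell helper is an added example (not part of the original post or of the nftables project) that wraps `nft -f` with the checks a practitioner wants before touching a remote host's firewall: it refuses files that still contain the post's placeholder addresses, parses the file with `nft -c` without loading it, snapshots the live ruleset (prefixed with `flush ruleset` so restoring it replaces rather than merges), and then starts a rollback timer that reinstates the snapshot unless `confirm_apply` is run from a session that still works. The function names, the `NFT` override variable (used for testing without a real nft binary), the backup path `/run/nftables.rollback` and the 60-second window are all assumptions of this example.

```shell
#!/bin/sh
# nft-safe-apply: load an nftables ruleset with a lock-out guard and rollback.
# Added example; assumes `nft` is in PATH (override with NFT=... for tests) and
# that the config uses the same placeholder values as the forum post above.

NFT="${NFT:-nft}"
ROLLBACK_SECONDS="${ROLLBACK_SECONDS:-60}"

# 1. Refuse to load a file that still carries the post's example addresses.
#    With those in the `ip daddr` rules, no real traffic to this host matches
#    the accept rules and the `policy drop` on input locks you out.
check_placeholders() {
    cfg="$1"
    if grep -Eq '1\.2\.3\.4|2000:beef:beef:beef::1' "$cfg"; then
        echo "refusing: $cfg still contains placeholder addresses" >&2
        return 1
    fi
    return 0
}

# 2. Parse the file without loading it (-c = check only).
check_syntax() {
    "$NFT" -c -f "$1"
}

# 3. Snapshot the live ruleset. `nft list ruleset` prints tables only, so a
#    leading `flush ruleset` is added; otherwise restoring would append
#    duplicate rules on top of the new ones instead of replacing them.
backup_ruleset() {
    { echo "flush ruleset"; "$NFT" list ruleset; } > "$1"
}

# 4. Load the ruleset, then start a background timer that restores the
#    snapshot unless confirm_apply is run before it fires.
safe_apply() {
    cfg="$1"
    backup="${2:-/run/nftables.rollback}"
    check_placeholders "$cfg" || return 1
    check_syntax "$cfg" || return 1
    backup_ruleset "$backup" || return 1
    "$NFT" -f "$cfg" || return 1
    (
        sleep "$ROLLBACK_SECONDS"
        if [ -f "$backup" ]; then
            "$NFT" -f "$backup"
            echo "no confirmation within ${ROLLBACK_SECONDS}s: previous ruleset restored" >&2
        fi
    ) &
    echo "$!" > "${backup}.pid"
    echo "applied $cfg; run 'confirm_apply $backup' within ${ROLLBACK_SECONDS}s"
}

# Cancel the rollback timer and discard the snapshot.
confirm_apply() {
    backup="${1:-/run/nftables.rollback}"
    if [ -f "${backup}.pid" ]; then
        kill "$(cat "${backup}.pid")" 2>/dev/null
        rm -f "${backup}.pid"
    fi
    rm -f "$backup"
}

# Usage (after sourcing this file as root):
#   safe_apply /etc/nftables.conf   # then, from a fresh SSH session:
#   confirm_apply                   # keeps the new ruleset; otherwise it rolls back
```

Source the file rather than executing it, so that `confirm_apply` is available in the same shell; the rollback subshell keeps running even if the SSH session that started it is cut off, which is exactly the case the timer is for.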