@jflopezfernandez
Created July 14, 2020 15:38
Simple nftables server configuration
#!/usr/bin/nft -f

# Delete all previously established rules.
flush ruleset

# Local Area Network IPv4 addresses (defined for reference;
# the rules below do not reference them).
define server1_ipv4 = 192.168.1.2
define server2_ipv4 = 192.168.1.3

table inet firewall {

    # The following rules apply to packets coming in.
    chain input {
        # Drop all traffic by default, unless it meets
        # one of the filter criteria specified by the
        # rules that follow.
        type filter hook input priority 0; policy drop;

        # Allow established/related connections.
        ct state { established, related } accept

        # Early drop of invalid connections
        # and packets.
        ct state invalid drop

        # Allow traffic from the loopback interface.
        iifname lo accept

        # Allow all ICMP and IGMP traffic, but enforce a
        # rate limit to help prevent some types of flood
        # attacks. Note that "ip6 nexthdr" only inspects the
        # Next Header field of the fixed IPv6 header, so
        # ICMPv6 behind an extension header is not matched.
        ip protocol icmp limit rate 4/second accept
        ip6 nexthdr ipv6-icmp limit rate 4/second accept
        ip protocol igmp limit rate 4/second accept

        # Allow HTTP and HTTPS connections from anywhere
        # via both TCP and UDP.
        tcp dport { http, https } accept
        udp dport { http, https } accept

        # Refuse SSH connections to the server.
        tcp dport ssh reject
    }

    # We're not a router, so we don't need to forward
    # anything. Drop all forward-requested packets.
    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    # Outgoing packets need to be "accepted," otherwise
    # they won't actually make it out.
    chain output {
        # Allow all outbound traffic.
        type filter hook output priority 0; policy accept;
    }
}
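The ruleset above is small enough to review by eye, but the same three questions come up for any nft file: does every base chain carry an explicit policy (nft defaults to accept when none is given), is anything defined and then never referenced, and are the match expressions actually seeing the packets they are meant to see. The following Python script is an added example, not part of the gist and not an nftables tool; it is a line-oriented linter that parses `define`, `table`, `chain`, `type ... hook ...` and `policy` statements and reports those three findings. The sample input embeds the gist's own ruleset (comments stripped) plus a constructed variant whose forward chain omits `policy drop`. The parser only understands the statement shapes used here (one statement per line or `;`-separated), which is an assumption, not the full nft grammar.

```python
"""Static audit of a plain-text nftables ruleset (added example, not the gist's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

DEFINE_RE = re.compile(r"^define\s+(\w+)\s*=\s*(.+)$")
TABLE_RE = re.compile(r"^table\s+(\w+)\s+(\w+)\s*\{$")
CHAIN_RE = re.compile(r"^chain\s+(\w+)\s*\{$")
HOOK_RE = re.compile(r"^type\s+\w+\s+hook\s+(\w+)\s+priority\s+\S+$")
POLICY_RE = re.compile(r"^policy\s+(accept|drop)$")
# Only the simple "<proto> dport <port or set> accept" shape is recognised.
DPORT_RE = re.compile(r"^(tcp|udp)\s+dport\s+(\{[^}]*\}|\S+)\s+accept$")


@dataclass
class Chain:
    table: str
    name: str
    hook: str | None = None      # hook name for base chains, None for regular chains
    policy: str | None = None    # explicit policy, None if the file gives none
    rules: list[str] = field(default_factory=list)


def parse_ruleset(text: str) -> tuple[dict[str, str], list[Chain]]:
    """Return (defines, chains). Comments are stripped; ';' separates statements."""
    defines: dict[str, str] = {}
    chains: list[Chain] = []
    table = chain = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops comments and the shebang line
        if not line:
            continue
        if m := DEFINE_RE.match(line):
            defines[m.group(1)] = m.group(2).strip()
        elif m := TABLE_RE.match(line):
            table = f"{m.group(1)} {m.group(2)}"
        elif m := CHAIN_RE.match(line):
            chain = Chain(table=table, name=m.group(1))
            chains.append(chain)
        elif line == "}":
            if chain is not None:
                chain = None          # closing a chain block
            else:
                table = None          # closing the table block
        elif chain is not None:
            for stmt in filter(None, (s.strip() for s in line.split(";"))):
                if m := HOOK_RE.match(stmt):
                    chain.hook = m.group(1)
                elif m := POLICY_RE.match(stmt):
                    chain.policy = m.group(1)
                else:
                    chain.rules.append(stmt)
    return defines, chains


def accepted_ports(chains: list[Chain]) -> set[tuple[str, str]]:
    """(proto, port) pairs accepted by plain dport rules in chains hooked on input."""
    ports: set[tuple[str, str]] = set()
    for c in chains:
        if c.hook != "input":
            continue
        for rule in c.rules:
            if m := DPORT_RE.match(rule):
                for port in m.group(2).strip("{} ").split(","):
                    ports.add((m.group(1), port.strip()))
    return ports


def audit(text: str) -> list[str]:
    """Return human-readable findings for the ruleset text."""
    defines, chains = parse_ruleset(text)
    findings: list[str] = []
    for c in chains:
        if c.hook and c.policy is None:
            findings.append(f"{c.table}/{c.name}: hooks '{c.hook}' without an explicit "
                            f"policy (nft defaults to accept)")
        for rule in c.rules:
            if rule.startswith("ip6 nexthdr"):
                findings.append(f"{c.table}/{c.name}: '{rule}' inspects only the fixed "
                                f"IPv6 header; 'meta l4proto' sees past extension headers")
    for name in defines:
        if f"${name}" not in text:
            findings.append(f"define {name} is never referenced")
    return findings


# Sample input: the gist's ruleset with comments removed, plus a constructed
# variant whose forward chain omits 'policy drop'.
GIST_RULESET = """\
#!/usr/bin/nft -f
flush ruleset
define server1_ipv4 = 192.168.1.2
define server2_ipv4 = 192.168.1.3
table inet firewall {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state { established, related } accept
        ct state invalid drop
        iifname lo accept
        ip protocol icmp limit rate 4/second accept
        ip6 nexthdr ipv6-icmp limit rate 4/second accept
        ip protocol igmp limit rate 4/second accept
        tcp dport { http, https } accept
        udp dport { http, https } accept
        tcp dport ssh reject
    }
    chain forward {
        type filter hook forward priority 0
        policy drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
"""
NO_FORWARD_POLICY = GIST_RULESET.replace("        policy drop\n", "")

if __name__ == "__main__":
    for label, ruleset in (("gist", GIST_RULESET), ("no forward policy", NO_FORWARD_POLICY)):
        print(f"== {label} ==")
        for finding in audit(ruleset):
            print(" -", finding)
        print(" input accepts:", sorted(accepted_ports(parse_ruleset(ruleset)[1])))
```

Run against the gist itself the linter reports three findings: the two unused defines and the `ip6 nexthdr` match; the constructed variant adds a fourth for the forward chain that hooks into the packet path with no stated policy. The check is deliberately static so it can run in CI on the file before `nft -c -f` is ever invoked on a host.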