@mxyq
Created January 15, 2023 02:40
[Linux Firewall Configuration]
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    # Inbound TCP services allowed on this host: one line per port.
    chain ports {
        tcp dport 33333 counter accept
    }

    chain input {
        type filter hook input priority filter; policy drop;

        # Replies to traffic this host initiated, plus related ICMP errors
        ct state established,related counter accept
        # Packets conntrack cannot classify (bad TCP flags, out-of-window, etc.)
        ct state invalid counter drop
        # Traffic addressed to ::1 that did not arrive on the loopback interface
        iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"

        # IPv4 ICMP acceptance is left commented out, so IPv4 echo-request is dropped by the
        # chain policy; ICMP errors tied to an existing flow still pass as ct state related.
        # ip protocol icmp accept
        # ICMPv6 types needed for neighbor discovery, router discovery, MLD and path MTU discovery
        icmpv6 type { echo-request,nd-neighbor-solicit,nd-neighbor-advert,nd-router-solicit,nd-router-advert,mld-listener-query,destination-unreachable,packet-too-big,time-exceeded,parameter-problem } accept

        # Everything on the loopback interface is trusted
        iifname lo counter accept

        # Note: 'ip protocol tcp' matches IPv4 packets only. IPv6 TCP never reaches these
        # chains and is dropped by the policy, so port 33333 is IPv4-only as written.
        # 'meta l4proto tcp' would match the transport protocol in both families.
        ip protocol tcp jump ips
        ip protocol tcp jump ports
    }

    # Placeholder for source-address based rules; while empty, all TCP falls through to 'ports'
    chain ips {
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        counter drop comment "Drop forwarded packets since this isn't a router"
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
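A dual-stack variant of the same ruleset, added here as an example rather than taken from the gist above. It keeps the gist's structure (default-drop input, loopback trust, ICMPv6 control types, a separate chain for allowed ports) but dispatches TCP with `meta l4proto tcp` so the same port list applies to IPv4 and IPv6, keeps the allowed ports in a named set so services can be added without editing rules, rate-limits ping for both families, and logs what the drop policy is about to discard. The port 33333, the set name `tcp_services` and the log prefix are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Example ruleset (not the gist author's file). Assumed values: port 33333,
# set name tcp_services, log prefix "nft-input-drop: ".
flush ruleset

table inet filter {
    # Allowed inbound TCP ports. Extend at runtime with:
    #   nft add element inet filter tcp_services { 443 }
    set tcp_services {
        type inet_service
        elements = { 33333 }
    }

    # 'tcp dport' sets the transport protocol itself, so this matches IPv4 and IPv6
    chain ports {
        tcp dport @tcp_services counter accept
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related counter accept
        ct state invalid counter drop
        iif != lo ip6 daddr ::1/128 counter drop comment "drop ::1 traffic not arriving on loopback"
        iifname lo counter accept

        # Ping is useful for diagnostics; cap it so it cannot be used to flood the host
        icmp type echo-request limit rate 5/second counter accept
        icmpv6 type echo-request limit rate 5/second counter accept
        # ICMPv6 control traffic IPv6 cannot function without (ND, RS/RA, MLD, PMTUD, errors)
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, mld-listener-query, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } counter accept

        # meta l4proto is family-independent; 'ip protocol tcp' would skip IPv6 entirely
        meta l4proto tcp jump ports

        # Rate-limited record of what the policy drops, for debugging lockouts and scans
        limit rate 10/minute log prefix "nft-input-drop: " counter
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        counter drop comment "not a router"
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Before applying a default-drop ruleset on a remote host, check the syntax without loading it (`nft -c -f /etc/nftables.conf`), confirm the port you are connected over is in the set, and keep an escape hatch such as a detached `sleep 120 && nft flush ruleset` that you cancel once the new session works. Note that `flush ruleset` removes every table, including ones created by other software (container runtimes, libvirt), so on such hosts flush only this table (`table inet filter` followed by `delete table inet filter`) instead. Verify the loaded state with `nft list ruleset` and watch the drop log with `journalctl -k -g nft-input-drop`.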