Basic workstation ruleset for nftables
The following ruleset allows all outgoing traffic, blocks all forwarding, and blocks all incoming traffic except selected ICMP/ICMPv6, loopback traffic and replies to connections this host initiated.
ARP is not covered by this ruleset (an ip/ipv6 table never sees ARP frames) and is left to the OS.
# Clears every existing table in every family (not only ip/ipv6), including
# any that other software on this host may have installed, before the tables
# below are loaded.
flush ruleset
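# IPv4 workstation policy: nothing in except what this host asked for,
# nothing forwarded, everything out.
table ip filter {
	chain input {
		# Drop input by default
		type filter hook input priority 0; policy drop;

		# Packets conntrack cannot associate with any flow are dropped early so
		# they do not reach the logging rule below as ordinary denials.
		ct state invalid drop

		# Accept replies to connections originated from this machine
		ct state established,related accept

		# Allow loopback traffic, and refuse packets addressed to the loopback
		# range that arrive on any other interface (the kernel normally rejects
		# these as martians; this makes the intent explicit in the ruleset).
		iif lo accept
		iif != lo ip daddr 127.0.0.0/8 drop

		# Allow the ICMP needed for reachability checks and path-MTU discovery
		icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded } accept

		# Log what falls through, rate limited so a packet flood cannot fill
		# the logs; everything that reaches this point is still dropped.
		limit rate 5/minute log prefix "IPv4 denied: "
		drop
	}
	chain forward {
		# This host is not a router
		type filter hook forward priority 0; policy drop;
	}
	chain output {
		# All locally originated traffic is permitted
		type filter hook output priority 0; policy accept;
	}
}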
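# IPv6 workstation policy, mirroring the IPv4 table: nothing in except what
# this host asked for, nothing forwarded, everything out.
table ipv6 filter {
	chain input {
		# Drop input by default
		type filter hook input priority 0; policy drop;

		# Packets conntrack cannot associate with any flow are dropped early so
		# they do not reach the logging rule below as ordinary denials.
		ct state invalid drop

		# Accept replies to connections originated from this machine
		ct state established,related accept

		# Allow loopback traffic, and refuse packets addressed to ::1 that
		# arrive on any other interface.
		iif lo accept
		iif != lo ip6 daddr ::1 drop

		# Error and echo ICMPv6 that must not be filtered for IPv6 to work
		# (packet-too-big is required for path-MTU discovery).
		icmpv6 type { echo-request, echo-reply, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

		# Neighbor Discovery is link-local only: RFC 4861 requires a hop limit
		# of 255, so a message that crossed a router cannot match here and is
		# dropped instead of being accepted from off-link senders.
		icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept

		# MLD queries from the local router are needed to keep this host's
		# multicast group memberships (including the solicited-node groups that
		# Neighbor Discovery relies on) alive on switches that snoop MLD.
		icmpv6 type mld-listener-query accept

		# Log what falls through, rate limited so a packet flood cannot fill
		# the logs; everything that reaches this point is still dropped.
		limit rate 5/minute log prefix "IPv6 denied: "
		drop
	}
	chain forward {
		# This host is not a router
		type filter hook forward priority 0; policy drop;
	}
	chain output {
		# All locally originated traffic is permitted
		type filter hook output priority 0; policy accept;
	}
}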