concept-ha-fw-nftables/nftables.conf

#!/usr/sbin/nft -f

flush ruleset

define iface_intern = enp0s3
define iface_extern = enp0s8

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iif lo accept
		ct state established,related counter accept
	}
	chain output {
		type filter hook output priority 0; policy drop;
		counter accept comment "Allow all outbound traffic for FW"
	}
	chain global_deny {
		counter
	}
	chain global_accept {
		icmp type echo-request accept
		counter
	}
	chain forward_traffic_in {
		type filter hook forward priority 0; policy drop;
		ct state established,related counter accept comment "Accept already allowed traffic"
		jump global_deny
		jump global_accept
		iif $iface_intern counter goto from_intern
		iif $iface_extern counter goto from_extern
		counter log prefix "DROP forward_traffic_in " drop
	}
	chain forward_traffic_out {
		oif $iface_intern counter goto into_intern
		oif $iface_extern counter goto into_extern
		counter log prefix "DROP forward_traffic_out " drop
	}
	chain from_intern {
		counter log prefix "DROP from_intern " drop
	}
	chain into_intern {
		counter accept
		counter log prefix "DROP into_intern " drop
	}
	chain from_extern {
		counter log prefix "DROP from_extern " drop
	}
	chain into_extern {
		counter accept
		counter log prefix "DROP into_extern " drop
	}
}
Initial import 2019-06-23 21:50:09 +02:00			`#!/usr/sbin/nft -f`

			`flush ruleset`

			`define iface_intern = enp0s3`
			`define iface_extern = enp0s8`

			`table inet filter {`
			`chain input {`
			`type filter hook input priority 0; policy drop;`
			`iif lo accept`
			`ct state established,related counter accept`
			`}`
			`chain output {`
			`type filter hook output priority 0; policy drop;`
			`counter accept comment "Allow all outbound traffic for FW"`
			`}`
			`chain global_deny {`
			`counter`
			`}`
			`chain global_accept {`
			`icmp type echo-request accept`
			`counter`
			`}`
			`chain forward_traffic_in {`
			`type filter hook forward priority 0; policy drop;`
			`ct state established,related counter accept comment "Accept already allowed traffic"`
			`jump global_deny`
			`jump global_accept`
			`iif $iface_intern counter goto from_intern`
			`iif $iface_extern counter goto from_extern`
			`counter log prefix "DROP forward_traffic_in " drop`
			`}`
			`chain forward_traffic_out {`
			`oif $iface_intern counter goto into_intern`
			`oif $iface_extern counter goto into_extern`
			`counter log prefix "DROP forward_traffic_out " drop`
			`}`
			`chain from_intern {`
			`counter log prefix "DROP from_intern " drop`
			`}`
			`chain into_intern {`
			`counter accept`
			`counter log prefix "DROP into_intern " drop`
			`}`
			`chain from_extern {`
			`counter log prefix "DROP from_extern " drop`
			`}`
			`chain into_extern {`
			`counter accept`
			`counter log prefix "DROP into_extern " drop`
			`}`
			`}`