#!/usr/sbin/nft -f

# Interface roles of this firewall host. These names are referenced as
# $iface_intern / $iface_extern in the table below.
define iface_extern = enp0s8
define iface_intern = enp0s3

# Start from an empty kernel ruleset. Note that this removes every table,
# including ones installed by other tooling on the host, not only the
# "filter" table defined in this file.
flush ruleset
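# Packet filter for a two-interface router: $iface_intern faces the inside
# network, $iface_extern faces the outside. The "inet" family means every
# rule below sees both IPv4 and IPv6 traffic. Anything that is not
# explicitly accepted is counted, logged with a chain-specific prefix and
# dropped.
table inet filter {

    # Traffic addressed to the firewall host itself.
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related counter accept
        # Packets that belong to no tracked flow (bad TCP flags, out-of-window
        # segments, ...) are discarded explicitly so that any accept rule
        # added below later cannot match them.
        ct state invalid counter drop
        # No service on the firewall is reachable from either interface;
        # everything else falls through to the drop policy.
    }

    # Traffic originating from the firewall host itself.
    chain output {
        type filter hook output priority 0; policy drop;

        counter accept comment "Allow all outbound traffic for FW"
    }

    # Global deny list evaluated for every forwarded packet before the
    # per-interface chains. Currently only counts; blocklist rules go here.
    chain global_deny {
        counter
    }

    # Global allow list evaluated for every forwarded packet before the
    # per-interface chains.
    chain global_accept {
        # Echo requests are forwarded in both directions, i.e. also from
        # $iface_extern towards the inside network. "icmp type" matches
        # IPv4 only; IPv6 echo requests would need "icmpv6 type echo-request"
        # and are currently dropped like all other new traffic.
        icmp type echo-request accept
        counter
    }

    # Base chain for routed traffic. Rule order matters: established flows
    # first, then the invalid-state drop, then the global lists, then the
    # per-ingress-interface chains. "goto" does not return here, so the
    # final log/drop only sees packets from interfaces not listed below.
    chain forward_traffic_in {
        type filter hook forward priority 0; policy drop;

        ct state established,related counter accept comment "Accept already allowed traffic"
        # Dropped before global_accept so that e.g. an echo request in an
        # invalid conntrack state cannot be forwarded.
        ct state invalid counter drop
        jump global_deny
        jump global_accept
        # "iif" matches by interface index, resolved when the ruleset is
        # loaded: loading fails if the interface does not exist yet, and an
        # interface that is re-created gets a new index and no longer
        # matches. Use "iifname" instead for interfaces that come and go.
        iif $iface_intern counter goto from_intern
        iif $iface_extern counter goto from_extern
        counter log prefix "DROP forward_traffic_in " drop
    }

    # NOTE(review): this chain has no hook line (it is not a base chain) and
    # nothing in this file jumps to it, so it and the into_* chains below
    # are unreachable today. If it gets wired in later, be aware that
    # into_intern and into_extern accept every packet.
    chain forward_traffic_out {
        oif $iface_intern counter goto into_intern
        oif $iface_extern counter goto into_extern
        counter log prefix "DROP forward_traffic_out " drop
    }

    # New flows arriving from the inside network: none are allowed yet.
    chain from_intern {
        counter log prefix "DROP from_intern " drop
    }

    # Unreachable (see forward_traffic_out). Accepts everything; the
    # log/drop line after the accept can never match.
    chain into_intern {
        counter accept
        counter log prefix "DROP into_intern " drop
    }

    # New flows arriving from the outside network: none are allowed.
    chain from_extern {
        counter log prefix "DROP from_extern " drop
    }

    # Unreachable (see forward_traffic_out). Accepts everything; the
    # log/drop line after the accept can never match.
    chain into_extern {
        counter accept
        counter log prefix "DROP into_extern " drop
    }
}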