vps/nftables.conf

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;

		iif lo accept
		
		ct state invalid drop
		ct state { established, related } accept

		# Allow ICMP ping
		meta nfproto ipv4 icmp type echo-request limit rate 1/second accept
		meta nfproto ipv6 icmpv6 type echo-request limit rate 1/second accept
				
		# SSH
		tcp dport 995 limit rate 15/minute accept

		# HTTP
		tcp dport { http, https } limit rate 25/second accept
	}

	chain forward {
		type filter hook forward priority 0; policy accept;
	}
	
	chain output {
		type filter hook output priority 0; policy accept;
	}
}
fjeaj 2023-11-22 08:26:10 +01:00			`#!/usr/sbin/nft -f`

			`flush ruleset`

			`table inet filter {`
			`chain input {`
			`type filter hook input priority 0; policy drop;`

			`iif lo accept`
Maj nftables 2023-11-29 08:32:08 +01:00
fjeaj 2023-11-22 08:26:10 +01:00			`ct state invalid drop`
Maj nftables 2023-11-29 08:32:08 +01:00			`ct state { established, related } accept`
fjeaj 2023-11-22 08:26:10 +01:00
			`# Allow ICMP ping`
Maj nftables 2023-11-29 08:32:08 +01:00			`meta nfproto ipv4 icmp type echo-request limit rate 1/second accept`
			`meta nfproto ipv6 icmpv6 type echo-request limit rate 1/second accept`
fjeaj 2023-11-22 08:26:10 +01:00
			`# SSH`
Maj nftables 2023-11-29 08:32:08 +01:00			`tcp dport 995 limit rate 15/minute accept`
fjeaj 2023-11-22 08:26:10 +01:00
			`# HTTP`
Maj nftables 2023-11-29 08:32:08 +01:00			`tcp dport { http, https } limit rate 25/second accept`
fjeaj 2023-11-22 08:26:10 +01:00			`}`

			`chain forward {`
			`type filter hook forward priority 0; policy accept;`
			`}`

			`chain output {`
			`type filter hook output priority 0; policy accept;`
			`}`
			`}`