vps/nftables.conf

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;

		iif lo accept
		ct state established,related accept
		ct state invalid drop

		# Allow ICMP ping
		icmp type echo-request limit rate 1/second accept
		icmpv6 type echo-request limit rate 1/second accept
				
		# SSH
		tcp dport 995 limit rate 10/minute accept

		# HTTP
		tcp dport { http, https } limit rate 5/second accept
		# udp dport 443 limit rate 5/second accept
	}

	chain forward {
		type filter hook forward priority 0; policy accept;

		iif eth0 drop
		oif eth0 drop
	}
	
	chain output {
		type filter hook output priority 0; policy accept;
	}
}
fjeaj 2023-11-22 08:26:10 +01:00			`#!/usr/sbin/nft -f`

			`flush ruleset`

			`table inet filter {`
			`chain input {`
			`type filter hook input priority 0; policy drop;`

			`iif lo accept`
			`ct state established,related accept`
			`ct state invalid drop`

			`# Allow ICMP ping`
			`icmp type echo-request limit rate 1/second accept`
			`icmpv6 type echo-request limit rate 1/second accept`

			`# SSH`
			`tcp dport 995 limit rate 10/minute accept`

			`# HTTP`
			`tcp dport { http, https } limit rate 5/second accept`
			`# udp dport 443 limit rate 5/second accept`
			`}`

			`chain forward {`
			`type filter hook forward priority 0; policy accept;`

			`iif eth0 drop`
			`oif eth0 drop`
			`}`

			`chain output {`
			`type filter hook output priority 0; policy accept;`
			`}`
			`}`