
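#!/usr/sbin/nft -f
# Host firewall for the VPS. `flush ruleset` makes the load atomic and
# complete: every run replaces the whole ruleset, so this file must describe
# every rule the host needs (anything added by hand is lost on reload).
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback is unconditionally trusted.
        iif lo accept

        # Drop what conntrack cannot classify before the established/related
        # accept, so malformed packets never ride through on an existing flow.
        ct state invalid drop
        ct state { established, related } accept

        # Everything below only sees new connections (established/related were
        # accepted above, invalid was dropped), so the `limit rate` tokens
        # throttle connection setup, not data. They are GLOBAL, not per-source:
        # a single noisy client can exhaust the budget and deny new connections
        # to everyone on that port. A per-source meter (a dynamic set keyed on
        # saddr) is the usual mitigation if that matters.
        # NOTE(review): 5 new connections/second is low for a public HTTP(S)
        # endpoint; browsers open several parallel connections per page, so
        # legitimate load can trip this before any attacker does.

        # Web, 5432, and Syncthing. 22000 is Syncthing's sync/listen port
        # (the relay protocol defaults to 22067).
        # NOTE(review): 5432 is the PostgreSQL default port. Confirm it is meant
        # to be reachable from the whole internet; if it is, the database must
        # require authentication and TLS on its own, the firewall does not help.
        ct state new tcp dport { http, https, 5432, 22000 } limit rate 5/second accept
        ct state new udp dport 22000 limit rate 5/second accept

        # SSH on a non-standard port. 995 is IANA-assigned to POP3S, so the
        # choice looks deliberate; moving the port only reduces log noise and
        # is not an access control, key-only auth on the daemon still matters.
        ct state new tcp dport 995 limit rate 15/minute accept

        # TURN: STUN/TURN control (3478 plain, 5349 TLS/DTLS) plus the UDP relay
        # range handed out to clients. Keep the range in sync with the TURN
        # server's min/max-port configuration or relays will be allocated on
        # ports this firewall drops.
        ct state new tcp dport { 3478, 5349 } limit rate 5/second accept
        ct state new udp dport { 3478, 5349, 49152-49172 } limit rate 5/second accept

        # ICMPv4: error messages are required for path-MTU discovery and
        # traceroute, are only ever sent in response to our own traffic, and are
        # cheap, so they are not throttled. Only inbound echo is rate limited.
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        icmp type echo-request limit rate 1/second accept

        # ICMPv6 is not optional: neighbor discovery, router discovery and
        # packet-too-big are how IPv6 addressing and PMTUD work at all. A
        # blanket `meta l4proto ipv6-icmp limit rate 1/second` starves neighbor
        # solicitations under load and silently breaks IPv6 connectivity.
        # Allow the control set unthrottled (RFC 4890 guidance) and throttle
        # only inbound echo.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        icmpv6 type echo-request limit rate 1/second accept
    }

    chain forward {
        # NOTE(review): forwarding is wide open. Harmless while
        # net.ipv4.ip_forward / net.ipv6.conf.all.forwarding are 0, but any
        # container runtime or VPN that enables them makes this host a router
        # with no policy. Prefer `policy drop` with explicit accepts once the
        # forwarding use case is known; left as accept here because a drop in
        # this chain would also veto rules other tools (e.g. Docker) install.
        type filter hook forward priority 0; policy accept;
    }

    chain output {
        # Locally originated traffic is unrestricted.
        type filter hook output priority 0; policy accept;
    }
}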