35 lines
680 B
Text
Executable file
35 lines
680 B
Text
Executable file
#!/usr/sbin/nft -f
|
|
|
|
flush ruleset
|
|
|
|
table inet filter {
|
|
chain input {
|
|
type filter hook input priority 0; policy drop;
|
|
|
|
iif lo accept
|
|
ct state established,related accept
|
|
ct state invalid drop
|
|
|
|
# Allow ICMP ping
|
|
icmp type echo-request limit rate 1/second accept
|
|
icmpv6 type echo-request limit rate 1/second accept
|
|
|
|
# SSH
|
|
tcp dport 995 limit rate 10/minute accept
|
|
|
|
# HTTP
|
|
tcp dport { http, https } limit rate 5/second accept
|
|
# udp dport 443 limit rate 5/second accept
|
|
}
|
|
|
|
chain forward {
|
|
type filter hook forward priority 0; policy accept;
|
|
|
|
iif eth0 drop
|
|
oif eth0 drop
|
|
}
|
|
|
|
chain output {
|
|
type filter hook output priority 0; policy accept;
|
|
}
|
|
}
|