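#!/usr/sbin/nft -f
#
# Static host firewall. This file is rendered from a template: the $... tokens
# are substituted as text before the result is handed to nft -f (they are not
# nft "define" variables; note the quoted "$PRIV_IF", which nft itself would
# not expand).
#
# Every base chain is default-deny. Only loopback, conntrack reply traffic,
# the private network and the optional public rules spliced in below are
# admitted.

# Make repeated loads idempotent: declare the table (a no-op if it already
# exists) and empty it before the rules are added again. Without this, every
# `nft -f` of this file appends a second copy of each rule to the live table.
# nft -f applies the whole file as one transaction, so the flush and the
# re-add below are atomic and leave no window with an empty ruleset.
table inet fw_static
flush table inet fw_static

table inet fw_static {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        # Discard packets conntrack classifies as invalid before the
        # port-based template rules below get a chance to accept them.
        ct state invalid drop
        ct state established,related accept

        # Public: ICMP (optional)
        # NOTE(review): under policy drop an IPv6 host also needs ICMPv6
        # neighbour discovery admitted here; confirm the rendered rules cover it.
        $ICMP_PUBLIC_IN_RULES

        # Public: SSH IN (optional)
        $SSH_PUBLIC_IN_RULE

        # Private network (in)
        # `ip saddr` matches IPv4 only; $PRIV_NET is assumed to be an IPv4 prefix.
        iif "$PRIV_IF" ip saddr $PRIV_NET accept
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        ct state established,related accept

        # Public: ICMP (optional)
        $ICMP_PUBLIC_OUT_RULES

        # Public: APT OUT (optional) - includes DNS + HTTP/HTTPS
        $APT_PUBLIC_OUT_RULES

        # Private network (out)
        # `ip daddr` matches IPv4 only; $PRIV_NET is assumed to be an IPv4 prefix.
        oif "$PRIV_IF" ip daddr $PRIV_NET accept
    }

    # Nothing is routed through this host: no rules, default-deny.
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}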