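#!/usr/sbin/nft -f

flush ruleset

# filter table (Firewall function)
# ============ ===================
#
# Only traffic arriving on wlan0 (the cable-modem side) is inspected;
# the first rule of FILTER_INPUT accepts everything from other interfaces.
table ip IP {

	# TCP destination ports that are dropped silently (never logged)
	set TCP_DROP {
		type inet_service
		elements = { 37, 111, 6000 }
	} ;# set TCP_DROP

	# UDP destination ports that are dropped silently (never logged)
	set UDP_DROP {
		type inet_service
		elements = { 37, 137, 138, 512 }
	} ;# set UDP_DROP

	# TCP server ports (single ports or ranges) that are accepted.
	# Empty in this file; elements are expected to be added at runtime,
	# e.g. (example value)  nft add element ip IP TCP_ACCEPT { 22 }
	set TCP_ACCEPT {
		type inet_service
		flags interval
	} ;# set TCP_ACCEPT

	# A chain to inspect incoming (to this box) packets from cable modem
	chain FILTER_INPUT {
		type filter hook input priority 0; policy accept;

		# Only wlan0 faces the cable modem; other interfaces are trusted
		iif ne "wlan0" accept

		# Allow icmp but not too many
		# (only limit pings and other info requests)
		# N.B. This has to come before allowing related packets
		icmp type { echo-request, timestamp-request, info-request } limit rate 5/second counter accept

		# Drop the excess
		icmp type { echo-request, timestamp-request, info-request } counter drop

		# All other icmp is OK
		meta l4proto icmp counter accept

		# Allow established and related pkts
		ct state established,related counter accept

		# Drop connection attempts to ports we want to keep private.
		# This must come before the rules below that accept traffic by
		# source port, so those cannot be used to reach these ports.
		# (dropped without logging)
		tcp dport @TCP_DROP counter drop
		udp dport @UDP_DROP counter drop

		# Allow bootps->bootpc udp
		# (i.e. allow dhcp requests / responses)
		udp sport . udp dport { 67 . 68 } counter accept

		# DNS replies to this box's own queries already match the
		# established,related rule above, so there is deliberately no
		# bare "udp sport 53 accept" here: such a rule would accept any
		# datagram that merely claims source port 53, to any local port.

		# Allow server ports
		tcp dport @TCP_ACCEPT counter accept

		# bittorrent UDP uses port 1900 at both ends (not in /etc/service)
		# NOTE: this accepts unsolicited 1900->1900 datagrams by design.
		udp sport . udp dport { 1900 . 1900 } counter accept

		# Drop everything else, logging interesting ones (tcp SYN mainly)
		counter jump logdrop
	} ;# chain FILTER_INPUT

	# Final disposition for packets nothing above accepted
	chain logdrop {
		# Broadcasts and bare FINs are noise: drop without logging
		meta pkttype { broadcast } counter drop
		tcp flags & fin == fin counter drop

		# Everything else is logged (kernel log prefix "nft: ") then dropped
		counter log prefix "nft: " level debug drop
	} ;# chain logdrop

} ;# table ip IP

list ruleset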