Permalink
Cannot retrieve contributors at this time
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
75 lines (65 sloc)
3.37 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/sbin/nft -f | |
| #By krabelize | cryptsus.com | |
| #nftables firewall script | |
| define NIC_DATA_NAME = "eth0" | |
| define NIC_DATA_MAC_GW = "DE:AD:BE:EF:01:01" | |
| define NIC_DATA_IP = "192.168.1.12" | |
| define LOCAL_INETW = { 192.168.0.0/16 } | |
| define LOCAL_INETWv6 = { fe80::/10 } | |
| define DNS_SERVERS = { 1.1.1.1, 8.8.8.8 } | |
| #define NTP_SERVERS = { time1.google.com, time2.google.com, time3.google.com, time4.google.com } | |
| define NTP_SERVERS = {216.239.35.0, 216.239.35.4, 216.239.35.8, 216.239.35.12 } | |
| define DHCP_SERVER = "192.168.1.1" | |
| flush ruleset | |
| table arp filter { | |
| chain input { | |
| type filter hook input priority 0; policy accept; | |
| iif $NIC_DATA_NAME limit rate 1/second burst 2 packets accept | |
| } | |
| chain output { | |
| type filter hook output priority 0; policy accept; | |
| } | |
| } | |
| table ip filter { | |
| chain input { | |
| type filter hook input priority 0; policy drop; | |
| ct state invalid drop | |
| iifname "lo" accept | |
| iifname "lo" ip saddr != 127.0.0.0/8 drop | |
| iifname $NIC_DATA_NAME ip saddr 0.0.0.0/0 ip daddr $NIC_DATA_IP tcp sport { ssh, http, https, http-alt } tcp dport 32768-65535 ct state established accept | |
| iifname $NIC_DATA_NAME ip saddr $NTP_SERVERS ip daddr $NIC_DATA_IP udp sport ntp udp dport 32768-65535 ct state established accept | |
| iifname $NIC_DATA_NAME ip saddr $DHCP_SERVER ip daddr $NIC_DATA_IP udp sport bootpc udp dport 32768-65535 ct state established log accept | |
| iifname $NIC_DATA_NAME ip saddr $DNS_SERVERS ip daddr $NIC_DATA_IP udp sport domain udp dport 32768-65535 ct state established accept | |
| iifname $NIC_DATA_NAME ip saddr $LOCAL_INETW ip daddr $NIC_DATA_IP icmp type echo-reply ct state established accept | |
| } | |
| chain output { | |
| type filter hook output priority 0; policy drop; | |
| oifname "lo" accept | |
| oifname "lo" ip daddr != 127.0.0.0/8 drop | |
| oifname $NIC_DATA_NAME ip daddr 0.0.0.0/0 ip saddr $NIC_DATA_IP tcp dport { ssh, http, https, http-alt } tcp sport 32768-65535 ct state new,established accept | |
| oifname $NIC_DATA_NAME ip daddr $NTP_SERVERS ip saddr $NIC_DATA_IP udp dport ntp udp sport 32768-65535 ct state new,established accept | |
| oifname $NIC_DATA_NAME ip daddr $DHCP_SERVER ip saddr $NIC_DATA_IP udp dport bootpc udp sport 32768-65535 ct state new,established log accept | |
| oifname $NIC_DATA_NAME ip daddr $DNS_SERVERS ip saddr $NIC_DATA_IP udp dport domain udp sport 32768-65535 ct state new,established accept | |
| oifname $NIC_DATA_NAME ip daddr $LOCAL_INETW ip saddr $NIC_DATA_IP icmp type echo-request ct state new,established accept | |
| } | |
| chain forward { | |
| type filter hook forward priority 0; policy drop; | |
| } | |
| } | |
| table ip6 filter { | |
| chain input { | |
| type filter hook input priority 0; policy drop; | |
| iifname "lo" accept | |
| iifname "lo" ip6 saddr != ::1/128 drop | |
| iifname $NIC_DATA_NAME ip6 saddr $LOCAL_INETWv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ct state established accept | |
| } | |
| chain output { | |
| type filter hook output priority 0; policy drop; | |
| oifname "lo" accept | |
| oifname "lo" ip6 daddr != ::1/128 drop | |
| oifname $NIC_DATA_NAME ip6 daddr $LOCAL_INETWv6 icmpv6 type echo-request ct state new,established accept | |
| } | |
| chain forward { | |
| type filter hook forward priority 0; policy drop; | |
| } | |
| } |