Hi guys,

I tried to cook up a simple example. Pablo sent me feedback on my example.

First we set up a basic table for IPv4. "table ip" means that "ip" implicitly means IPv4. The input chain is the "incoming" traffic on a machine.

For example, assuming that you have a desktop running SSH, and you would like to have a simple ruleset which is suitable for a desktop. You'd want to allow ping (so that you can ping your laptop on the network). Some daemons bind to the localhost interface. It's a good idea to accept connections on the local interface, so this should be allowed.

The rest is rejected. For example, if your desktop runs a web server on port 80, it won't be accessible. You need to enable it by adding another rule.

fw.basic:

    table ip filter {
        chain input {
            type filter hook input priority 0;
            ct state established,related accept
            # accept connections for localhost interface
            iif lo accept
            # Accept SSH connections on port 22
            tcp dport 22 accept
            # Allow ICMP packets such as "ping"
            ip protocol icmp accept
            # Reject any other connections
            reject
        }
    }

You can run this simply by typing:

    nft -f fw.basic

Any feedback welcomed.

-- 
This message is strictly personal and the opinions expressed do not represent those of my employers, either past or present.
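The post says that any further service (the web server on port 80 is the example given) has to be opened with an additional rule. The helper below is an added example, not part of the original message or of the nftables project: it regenerates the fw.basic ruleset from the post with an optional list of extra TCP ports, refuses non-numeric ports, and, when the `nft` binary is available, runs `nft -c -f` (check mode, which parses the file without loading it) so a typo is caught before the ruleset is applied. The function names `gen_ruleset` and `check_ruleset` are my own.

```shell
#!/bin/sh
# Added example (not from the original post): build the fw.basic ruleset
# with extra accepted TCP ports, and syntax-check it with nft if installed.

# gen_ruleset [PORT ...]: print the ruleset to stdout; every PORT is an
# additional TCP destination port to accept besides SSH on 22.
gen_ruleset() {
    for p in "$@"; do
        # Reject anything that is not a plain decimal port number.
        case $p in
            ''|*[!0-9]*) echo "gen_ruleset: bad port '$p'" >&2; return 1 ;;
        esac
    done
    printf 'table ip filter {\n'
    printf '    chain input {\n'
    printf '        type filter hook input priority 0;\n'
    printf '        ct state established,related accept\n'
    printf '        # accept connections for localhost interface\n'
    printf '        iif lo accept\n'
    printf '        # Accept SSH connections on port 22\n'
    printf '        tcp dport 22 accept\n'
    for p in "$@"; do
        printf '        # Extra service opened explicitly (e.g. 80 for a web server)\n'
        printf '        tcp dport %s accept\n' "$p"
    done
    printf '        # Allow ICMP packets such as "ping"\n'
    printf '        ip protocol icmp accept\n'
    printf '        # Reject any other connections\n'
    printf '        reject\n'
    printf '    }\n'
    printf '}\n'
}

# check_ruleset FILE [PORT ...]: write the ruleset to FILE and, if nft is
# present, parse it in check mode (-c) without touching the live ruleset.
check_ruleset() {
    out=$1; shift
    gen_ruleset "$@" > "$out" || return 1
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$out"
    else
        echo "nft not found; wrote $out without checking it" >&2
    fi
}

# Usage: generate fw.basic with the web server port added, then check it.
# check_ruleset fw.basic 80
```

Load the checked file with `nft -f fw.basic` exactly as the post describes; the generator only changes which `tcp dport` lines appear between the SSH rule and the final `reject`, so the ordering that makes the ruleset work (established/related first, reject last) is preserved.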