Thank you so much.
Now do I need to have OUTPUT chain before INPUT chain? 'Coz all the examples I've seen so far had INPUT as the first chain.
Side question: Does order of the chains or tables matter... like on other PC, I have "table inet nat" with chains "prerouting/postrouting".
Here's my complete nftables.conf:
xxxxx
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iifname lo accept
---> ip saddr 123.0.0.0/8 counter drop
# Early drop of invalid connections
ct state invalid drop
ct state established,related accept
# ICMP & IGMP
ip saddr 192.168.0.0/16 icmp type echo-request counter accept
icmp type echo-request counter drop
ip protocol igmp drop
# ssh for internal network
ip saddr 192.168.0.0/16 tcp dport 22 counter accept
# Avoid brute force on ssh
tcp dport 22 ct state new limit rate 10/minute accept
# VsFTPD
ip saddr 192.168.0.0/16 tcp dport 20 counter accept
ip saddr 192.168.0.0/16 tcp dport 21 counter accept
ip saddr 192.168.0.0/16 tcp dport 990 counter accept
ip saddr 192.168.0.0/16 tcp dport 40000-50000 counter accept
ct state new drop
# Everything else
drop
log flags all counter drop
log prefix "[nftables] Input Denied: " flags all counter drop
}
chain output {
type filter hook output priority 0; policy accept;
---> ip daddr 123.0.0.0/8 counter reject
}
}
xxxxx
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, October 4, 2019 11:05 AM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
> Am 04.10.19 um 12:44 schrieb Jags:
>
> > Should I modify it to the following:
> > :::
> > chain output {
> > type filter hook output priority 0; policy accept;
> >
> > ip daddr 123.0.0.0/8 counter reject }
> >
> >
> > :::
> > and
> > :::
> > chain input {
> > type filter hook input priority 0; policy drop;
> >
> > ip saddr 123.0.0.0/8 counter drop }
> >
> >
> > :::
>
> surely, and that on top of the ruleset before any accept-rule, there is
> no point to mention "ct state" when you just want to block communication
> from and to a ip unconditionally
