On Tue, Aug 18, 2020 at 07:12:38AM +0200, Mario V Guenzi wrote:
> On 17/08/20 10:56, Pablo Neira Ayuso wrote:
> > Hi,
> >
> > You can set default policy to drop when defining the chain (in the
> > same go), no need to call it twice, my suggestion for your ruleset is
> > to place this in ruleset.nft:
> >
> > add table inet firewall
> > add table inet nat
> > add table netdev noddos
> >
> > add chain inet firewall INPUT { type filter hook input priority 0; policy drop; }
> > add chain inet firewall OUTPUT { type filter hook output priority 0; policy drop; }
> > add chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; }
> > ...
> >
> > my rules
> > my rules
> > my rules
> >
> First of all, many thanks.
> Another question, given your kindness:
> can I use bash only to define my variables, e.g.
> EXTIF = "eth0"
> LAN = "192.168.2.0/24"
> etc.,
> use the variables defined when writing the rules.nft file as per your
> example, and then run
> nft -f /path/rules.nft in my bash script?

You can define variables in nftables, e.g.

define EXTIF = "eth0"

add rule inet firewall INPUT iifname $EXTIF accept
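A complete ruleset file tying the two points of the thread together (default-drop policy set in the chain definition, and nftables `define` variables instead of bash variables), added here as an example; it is not from the thread or from the nftables project. The interface name eth0 and the LAN prefix 192.168.2.0/24 are the values from the question; the allowed service ports (SSH from the LAN, rate-limited SSH from outside, DNS/NTP/HTTP/HTTPS outbound) are assumptions chosen for illustration, and the netdev table from the original suggestion is left out.

```nft
#!/usr/sbin/nft -f
# Example ruleset (added illustration, not the thread's own file).
# Variables are nftables defines, so no shell templating is needed;
# the file can be loaded directly with: nft -f /path/rules.nft

define EXTIF = "eth0"            # assumed external interface, from the question
define LAN   = 192.168.2.0/24    # assumed LAN prefix, from the question (unquoted: an IP prefix, not a string)

# Replace the whole ruleset atomically; the file is loaded as one transaction,
# so there is never a window with an empty or half-loaded firewall.
flush ruleset

table inet firewall {
    chain INPUT {
        # policy drop is set in the chain definition itself
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # assumed admin access: SSH freely from the LAN, rate-limited from outside
        ip saddr $LAN tcp dport 22 accept
        iifname $EXTIF tcp dport 22 ct state new limit rate 6/minute accept

        icmp type echo-request limit rate 10/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert, nd-router-solicit } accept

        # everything else is dropped by policy; log and count it first
        log prefix "nft INPUT drop: " counter drop
    }

    chain FORWARD {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        # only LAN hosts may initiate traffic towards the external interface
        iifname != $EXTIF oifname $EXTIF ip saddr $LAN accept
        log prefix "nft FORWARD drop: " counter drop
    }

    chain OUTPUT {
        # policy drop on OUTPUT needs explicit allows for what the host itself may do
        type filter hook output priority 0; policy drop;

        oif lo accept
        ct state established,related accept
        ip daddr $LAN accept
        # assumed outbound services from the host itself
        oifname $EXTIF udp dport { 53, 123 } accept
        oifname $EXTIF tcp dport { 53, 80, 443 } accept
        icmp type echo-request accept
        log prefix "nft OUTPUT drop: " counter drop
    }
}

table inet nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $EXTIF ip saddr $LAN masquerade
    }
}
```

Check the file before loading it with `nft -c -f /path/rules.nft` (parse and validate without touching the kernel), then load it with `nft -f /path/rules.nft`; because the load is a single transaction, a syntax or semantic error anywhere in the file leaves the previously loaded ruleset untouched. Be aware that `flush ruleset` removes every table in every family, including rules installed by other software on the host, so drop that line if something else (for example a container runtime) also manages nftables rules.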