Simple Stateful Firewall with nftables

nftables is the Linux kernel subsystem that provides filtering and classification of network packets, datagrams and frames.

The ruleset below configures a simple stateful firewall for a basic web server: established connections, loopback traffic, rate-limited ping and new connections to SSH, HTTP and HTTPS are accepted; everything else arriving on the input hook is dropped.

#!/usr/sbin/nft -f

# Start from an empty ruleset so re-running this file is idempotent.
flush ruleset

# A single inet table handles both IPv4 and IPv6.
table inet filter {

    # IPv4 ICMP: accept echo requests (ping), rate-limited.
    chain inbound_ipv4 {
        icmp type echo-request limit rate 5/second accept
    }

    # IPv6 ICMP: neighbor discovery must be allowed for IPv6 to work at all;
    # echo requests are rate-limited as for IPv4.
    chain inbound_ipv6 {
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        icmpv6 type echo-request limit rate 5/second accept
    }

    chain input {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        # Stateful part: packets belonging to connections this host already
        # accepted or initiated, and related packets such as ICMP errors.
        ct state { established, related } accept

        # Loopback traffic is always allowed.
        iifname lo accept

        # Dispatch ICMP handling by address family.
        meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }

        # New connections are accepted only to SSH, HTTP and HTTPS.
        tcp dport 22 accept
        tcp dport 80 accept
        tcp dport 443 accept
    }

    # No policy given, so these chains keep the default accept policy:
    # forwarding and outbound traffic are not restricted by this ruleset.
    chain forward {
        type filter hook forward priority 0;
    }

    chain output {
        type filter hook output priority 0;
    }
}
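As an added illustration (not part of the original page, and not nftables code), here is a Python model of the decision order in the input chain above: conntrack lookup first, then loopback, then the per-family ICMP chains, then the allowed TCP ports, and finally the drop policy. The connection table and the sliding-window rate limiter are simplified stand-ins for the kernel's conntrack and token-bucket limit; `related` state is not modelled, and the packet dictionaries are a constructed format for this example only.

```python
"""Toy model of the 'chain input' decisions in the nftables ruleset above."""
import time
from collections import deque

ALLOWED_TCP_PORTS = {22, 80, 443}          # tcp dport 22/80/443 accept
ICMP_PER_SECOND = 5                        # limit rate 5/second (approximated)
ND_TYPES = {"nd-neighbor-solicit", "nd-router-advert", "nd-neighbor-advert"}


def _key(pkt):
    """5-tuple of a packet as seen in the input path (sport/dport absent for ICMP)."""
    return (pkt["proto"], pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"))


class InputChain:
    def __init__(self):
        self.conntrack = set()        # flows whose packets count as 'established'
        self.echo_times = deque()     # timestamps of recently accepted echo requests

    def track_outbound(self, pkt):
        """Output chain: a flow the host initiates makes its reply 'established'."""
        self.conntrack.add((pkt["proto"], pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport")))

    def input(self, pkt, now=None):
        now = time.monotonic() if now is None else now
        if _key(pkt) in self.conntrack:            # ct state established accept
            return "accept"
        if pkt.get("iif") == "lo":                 # iifname lo accept
            return "accept"
        if pkt["proto"] in ("icmp", "icmpv6"):     # vmap -> inbound_ipv4 / inbound_ipv6
            if pkt["proto"] == "icmpv6" and pkt["type"] in ND_TYPES:
                return "accept"
            if pkt["type"] == "echo-request":
                while self.echo_times and now - self.echo_times[0] >= 1.0:
                    self.echo_times.popleft()      # forget requests older than 1 s
                if len(self.echo_times) < ICMP_PER_SECOND:
                    self.echo_times.append(now)
                    return "accept"
            return "drop"                          # falls through to policy drop
        if pkt["proto"] == "tcp" and pkt.get("dport") in ALLOWED_TCP_PORTS:
            self.conntrack.add(_key(pkt))          # new flow becomes established
            return "accept"
        return "drop"                              # policy drop
```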