{ "nftables": [ { "metainfo": { "version": "1.0.9", "release_name": "Old Doc Yak #3", "json_schema_version": 1 } }, { "table": { "family": "inet", "name": "filter", "handle": 1 } }, { "chain": { "family": "inet", "table": "filter", "name": "input", "handle": 1, "type": "filter", "hook": "input", "prio": 0, "policy": "drop" } }, { "chain": { "family": "inet", "table": "filter", "name": "forward", "handle": 2, "type": "filter", "hook": "forward", "prio": 0, "policy": "drop" } }, { "chain": { "family": "inet", "table": "filter", "name": "output", "handle": 3, "type": "filter", "hook": "output", "prio": 0, "policy": "accept" } }, { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 4, "comment": "early drop of invalid packets", "expr": [ { "match": { "op": "in", "left": { "ct": { "key": "state" } }, "right": "invalid" } }, { "counter": { "packets": 0, "bytes": 0 } }, { "drop": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 6, "comment": "accept all connections related to connections made by us", "expr": [ { "match": { "op": "==", "left": { "ct": { "key": "state" } }, "right": { "set": [ "established", "related" ] } } }, { "counter": { "packets": 0, "bytes": 0 } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 7, "comment": "accept loopback", "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "iif" } }, "right": "lo" } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 8, "comment": "drop connections to loopback not coming from loopback", "expr": [ { "match": { "op": "!=", "left": { "meta": { "key": "iif" } }, "right": "lo" } }, { "match": { "op": "==", "left": { "payload": { "protocol": "ip", "field": "daddr" } }, "right": { "prefix": { "addr": "127.0.0.0", "len": 8 } } } }, { "counter": { "packets": 0, "bytes": 0 } }, { "drop": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 9, "comment": "drop connections to loopback not coming from loopback", "expr": [ { "match": { "op": "!=", "left": { "meta": { "key": "iif" } }, "right": "lo" } }, { "match": { "op": "==", "left": { "payload": { "protocol": "ip6", "field": "daddr" } }, "right": "::1" } }, { "counter": { "packets": 0, "bytes": 0 } }, { "drop": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 10, "comment": "accept all ICMP types", "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "ip", "field": "protocol" } }, "right": "icmp" } }, { "counter": { "packets": 0, "bytes": 0 } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 11, "comment": "accept all ICMP types", "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "ip6", "field": "nexthdr" } }, "right": "ipv6-icmp" } }, { "counter": { "packets": 0, "bytes": 0 } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 12, "comment": "accept SSH", "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "tcp", "field": "dport" } }, "right": 22 } }, { "counter": { "packets": 0, "bytes": 0 } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "input", "handle": 13, "comment": "count dropped packets", "expr": [ { "counter": { "packets": 0, "bytes": 0 } } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "forward", "handle": 14, "comment": "count dropped packets", "expr": [ { "counter": { "packets": 0, "bytes": 0 } } ] } }, { "rule": { "family": "inet", "table": "filter", "chain": "output", "handle": 15, "comment": "count accepted packets", "expr": [ { "counter": { "packets": 0, "bytes": 0 } } ] } } ] }