Nftables Webserver Beispiel

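#!/usr/sbin/nft -f
#
# Minimal host firewall for a web server: one `inet` table (IPv4 + IPv6),
# default-deny on input and forward, default-allow on output.
#
# Load with: nft -f <this file>
# Inspect with: nft list ruleset

# Flush existing rules.
# NOTE: `flush ruleset` removes *every* table, including ones created by
# other tools (container runtimes, fail2ban, ...). If such tools run on this
# host, flush only this table instead: `table inet filter` / `flush table inet filter`.
flush ruleset

# Main filtering table. `inet` makes every rule apply to IPv4 and IPv6 alike.
table inet filter {

    # Input chain - handles traffic addressed to this host.
    chain input {
        type filter hook input priority filter; policy drop;

        # Accept loopback traffic
        iif lo accept

        # Drop packets that do not belong to any tracked connection (bogus
        # flags, out-of-window segments). Placed before the `established`
        # rule and before the port-based accepts so they never reach a service.
        ct state invalid drop

        # Accept established and related connections
        ct state established,related accept

        # Accept SSH (port 22) - consider limiting to specific IPs in production,
        # e.g. (placeholder network, adjust to the admin range):
        #   ip saddr <ADMIN_NET> tcp dport 22 accept
        tcp dport 22 accept

        # Accept HTTP (port 80)
        tcp dport 80 accept

        # Accept HTTPS (port 443)
        tcp dport 443 accept

        # Accept ICMP for ping and network diagnostics.
        # ICMPv6 must not be blocked: neighbor discovery and path MTU discovery
        # depend on it. `meta l4proto` matches the transport protocol after any
        # IPv6 extension headers, whereas `ip6 nexthdr` only inspects the fixed
        # header's next-header field.
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # Count and drop everything else. Uncomment the `log` variant to see
        # rejected traffic in the kernel log (rate-limit it on busy hosts).
        # counter log prefix "nftables-dropped: " drop
        counter drop
    }

    # Forward chain - for routing (usually not needed for web servers).
    # Nothing is accepted here, so this host never forwards between interfaces.
    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    # Output chain - handles traffic originating from this host.
    chain output {
        type filter hook output priority filter; policy accept;

        # Allow all outgoing traffic by default.
        # Restrictions (e.g. egress only to DNS, package mirrors, and
        # reverse-proxy backends) can be added here if needed.
    }

}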