Nftables Firewall Basic Configuration: Difference between revisions
Revision as of 28 February 2023, 16:09
The basic configuration
- The basic configuration means that everything outgoing from the firewall is allowed.
- The firewall itself, however, may normally only be accessed from the inside.
#!/usr/sbin/nft -f
# start from an empty ruleset so loading this file again is idempotent
flush ruleset

# TCP ports that may be reached on the firewall host itself
define local_tcp_ports = { 22 }

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        # packets belonging to connections conntrack already knows
        ct state established,related accept
        # anything on the loopback interface
        ct state new iif "lo" accept
        # new connections to the locally allowed ports (SSH)
        ct state new tcp dport $local_tcp_ports accept
        # everything else (other ports, ICMP) falls through to the chain policy: drop
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        # no new forwarded connections, only flows that are already tracked
        ct state established,related accept
    }
    chain output {
        type filter hook output priority filter; policy drop;
        ct state established,related accept
        # the firewall may open any connection outward
        ct state new accept
    }
}
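To check what the ruleset above actually permits before loading it, this added example (not part of the wiki page) parses the three chains and replays nft's first-match evaluation for a few constructed packets; it understands only the small syntax subset used on this page (ct state, iif, tcp dport, a define'd port set and the chain policy).

```python
import re
# The wiki page's base ruleset, embedded as the parser's input (content unchanged)
RULESET = """
define local_tcp_ports = { 22 }
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state new iif "lo" accept
        ct state new tcp dport $local_tcp_ports accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
    }
    chain output {
        type filter hook output priority filter; policy drop;
        ct state established,related accept
        ct state new accept
    }
}
"""

def parse_ruleset(text):  # -> {chain: {"policy": str, "rules": [dict]}}
    defines, chains, current = {}, {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := re.match(r"define (\w+) = \{(.*)\}", line):
            defines[m[1]] = {int(p) for p in m[2].split(",")}  # named port set
        elif m := re.match(r"chain (\w+) \{", line):
            current = chains.setdefault(m[1], {"policy": "accept", "rules": []})
        elif m := re.search(r"policy (\w+);", line):
            current["policy"] = m[1]  # verdict used when no rule in the chain matches
        elif line.startswith("ct state"):
            t = line.split()
            rule = {"states": set(t[2].split(",")), "verdict": t[-1]}
            if "iif" in t:
                rule["iif"] = t[t.index("iif") + 1].strip('"')
            if "dport" in t:
                i = t.index("dport")
                rule["proto"], arg = t[i - 1], t[i + 1]
                rule["dports"] = defines[arg[1:]] if arg.startswith("$") else {int(arg)}
            current["rules"].append(rule)
    return chains

def verdict(chains, chain, ct, proto="", dport=0, iif=""):
    for r in chains[chain]["rules"]:  # first matching rule decides, as in nft
        if (ct in r["states"] and iif == r.get("iif", iif)
                and proto == r.get("proto", proto) and dport in r.get("dports", {dport})):
            return r["verdict"]
    return chains[chain]["policy"]  # nothing matched: chain policy (drop here)
```

Running `verdict(parse_ruleset(RULESET), "input", "new", "icmp", 0, "eth0")` shows that unsolicited ICMP is dropped along with every other unlisted inbound protocol, which is the consequence of the drop policy that is easy to overlook when reading the chain.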