path: root/daeva/nftables-rules.nft
blob: 378d63025d84ea654e79f0bbd0d3cb6dba995fca (plain)
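# Host firewall: every base chain defaults to drop and each direction carries
# an explicit allowlist.  Rule order matters -- the first matching verdict
# terminates evaluation -- so broad rules (conntrack, loopback) sit above the
# port-specific ones, and rules that could never be reached have been removed.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "drop invalid packets"
        ct state established,related counter accept comment "accept related connections"

        # Everything arriving on loopback is trusted.  Locally generated
        # traffic to 127.0.0.0/8 or ::1 always arrives on lo, so the rules
        # further down only ever see packets from real interfaces.
        iif lo counter accept comment "loopback"

        # Anti-spoofing on non-loopback interfaces: loopback addresses are
        # rejected as destination (as before) and now also as source, so no
        # later 'ip saddr' allowlist can be satisfied by a forged source.
        iif != lo ip daddr 127.0.0.0/8 counter drop comment "loopback daddr on non-lo"
        iif != lo ip6 daddr ::1/128 counter drop comment "loopback daddr on non-lo"
        iif != lo ip saddr 127.0.0.0/8 counter drop comment "loopback saddr on non-lo"
        iif != lo ip6 saddr ::1/128 counter drop comment "loopback saddr on non-lo"

        # All ICMP / ICMPv6 types are accepted.  'meta l4proto' replaces
        # 'ip6 nexthdr' so that packets carrying IPv6 extension headers (where
        # the fixed header's nexthdr is not the transport protocol) still
        # match; neighbour discovery depends on ICMPv6 getting through.
        ip protocol icmp counter accept comment "icmp"
        meta l4proto ipv6-icmp counter accept comment "icmpv6 (incl. neighbour discovery)"

        # Inbound services, restricted by source range.
        # - The former 3000/8000 rules accepted 'ip saddr 127.0.0.1/8' only;
        #   genuine loopback traffic is already accepted by 'iif lo' above, so
        #   those rules could only match spoofed packets and were removed.
        # - 'http-alt' is port 8080, so the former duplicate http-alt rule is
        #   folded into the 8080 rule (its 127.0.0.0/8 part is dead for the
        #   same reason).
        udp dport domain ip saddr 172.16.0.0/12 counter accept comment "dns for 172.16/12"
        tcp dport 8080 ip saddr 10.0.0.0/8 counter accept comment "http-alt from 10/8"
        tcp dport 1714-1764 ip saddr 10.0.0.0/8 counter accept comment "KDEConnect"
        udp dport 1714-1764 ip saddr 10.0.0.0/8 counter accept comment "KDEConnect"

        # Anything else falls through to the chain policy (drop).  A
        # rate-limited log line makes unexpected inbound traffic visible to
        # monitoring; the counter still records every packet reaching here.
        limit rate 10/minute burst 20 packets log prefix "nft-input-drop: "
        counter comment "dropped by policy"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Nothing is allowlisted for forwarding: only reply traffic for an
        # existing conntrack entry passes, everything else hits policy drop.
        ct state established,related counter accept
        counter comment "dropped by policy"
    }

    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related counter accept

        # Loopback output is trusted, mirroring the input chain.  This covers
        # both 127.0.0.0/8 and ::1 -- the former 'ip daddr 127.0.0.0/8' rule
        # accepted only the IPv4 range, so IPv6 loopback output was dropped.
        oif lo counter accept comment "loopback"

        # ICMP: IPv4 echo only.  ICMPv6 is accepted unrestricted because
        # neighbour/router discovery is ICMPv6 and the input chain already
        # accepts it; without an outbound rule IPv6 cannot resolve link-layer
        # addresses at all.
        icmp type echo-request counter accept
        icmp type echo-reply counter accept
        meta l4proto ipv6-icmp counter accept comment "icmpv6 (incl. neighbour discovery)"

        # DNS over both transports: resolvers retry over TCP when a UDP
        # response is truncated, which the UDP-only rule silently blocked.
        udp dport domain counter accept
        tcp dport domain counter accept

        # Web, mail, remote access and infrastructure services.  The TCP/UDP
        # pairs are kept as in the original ruleset; several of the UDP
        # variants (nntps, git, rsync, hkp) and TCP ntp/bootps have no common
        # use and are candidates for narrowing -- confirm before removing.
        tcp dport http counter accept
        tcp dport https counter accept
        udp dport https counter accept comment "QUIC / HTTP/3"
        tcp dport ssh counter accept
        tcp dport bootps counter accept
        udp dport bootps counter accept comment "DHCP"
        tcp dport ntp counter accept
        udp dport ntp counter accept
        tcp dport nntps counter accept
        udp dport nntps counter accept
        tcp dport submission counter accept
        tcp dport imaps counter accept
        tcp dport 2222 counter accept comment "alternate ssh port -- confirm"
        tcp dport hkp counter accept comment "keyserver"
        udp dport hkp counter accept
        tcp dport 9100 counter accept comment "raw printing (JetDirect) -- confirm"
        tcp dport git counter accept
        udp dport git counter accept
        tcp dport rsync counter accept
        udp dport rsync counter accept
        tcp dport 8000 counter accept
        tcp dport http-alt counter accept comment "8080"
        udp dport openvpn counter accept

        # Services reachable only on private ranges.
        tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
        tcp dport 2049 ip daddr 10.0.0.0/8 counter accept comment "NFS"
        udp dport 2049 ip daddr 10.0.0.0/8 counter accept comment "NFS"
        tcp dport 20048 ip daddr 10.0.0.0/8 counter accept comment "NFS mountd"
        udp dport 20048 ip daddr 10.0.0.0/8 counter accept comment "NFS mountd"

        # Messaging / real-time.
        tcp dport 5222 counter accept comment "XMPP client"
        tcp dport 6697 counter accept comment "IRC over TLS"
        tcp dport 13052 counter accept comment "purpose not recorded -- confirm"
        udp dport 19302-19309 counter accept comment "Google Meet Ports"
        tcp dport 1714-1764 counter accept comment "KDEConnect"
        udp dport 1714-1764 counter accept comment "KDEConnect"

        # Egress that matches nothing above is dropped by policy; log a
        # rate-limited sample so a missing allowlist entry or an unexpected
        # outbound connection attempt shows up in the system log.
        limit rate 10/minute burst 20 packets log prefix "nft-output-drop: "
        counter comment "dropped by policy"
    }
}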