This template permits all outbound traffic and drops all forwarded traffic (the host is not acting as a router); inbound traffic is the part that is filtered in detail. The ruleset is usually stored in /etc/nftables.conf on Debian-based hosts and in /etc/sysconfig/nftables.conf on RedHat-based hosts.
The only TCP service permitted inbound is SSH (port 22); selected ICMP/ICMPv6 types and UDP traceroute probes are also accepted, rate-limited.
The firewall applies to both IPv4 and IPv6 traffic.
For convenience, two address sets (input_timeout_ipv4 and input_timeout_ipv6) are defined: any address or CIDR prefix added to them has all of its inbound traffic dropped, and the entry expires automatically after a set period (1 day in this case).
To use them:
nft add element inet filter input_timeout_ipv4 '{ 192.0.2.1, 192.0.2.250 }'
nft add element inet filter input_timeout_ipv6 '{ 2001:0db8::4 }'
The accept and drop rules carry no packet/byte counters; the only counters are on the rate-limited log rules, so `nft list ruleset` will not show accepted/dropped totals.
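#!/usr/sbin/nft -f
# Host firewall template (inet family: one ruleset covers both IPv4 and IPv6).
# Inbound: default drop; SSH, selected ICMP/ICMPv6 types and traceroute probes are accepted.
# Forward: default drop (this host is not a router). Outbound: default accept.
# All log rules are rate-limited (30/minute, burst 5) so a flood cannot fill the journal.

# Flush existing rules
flush ruleset

# Create inet filter table
table inet filter {
    # Forwarded traffic is dropped by default: this template is for an end host, not a router.
    chain forward {
        type filter hook forward priority 0; policy drop
    }

    # IPv4 addresses/prefixes in this set have all inbound IPv4 traffic dropped for 24 hours.
    # "interval" allows CIDR prefixes as elements; "timeout" makes every element expire automatically.
    # To add addresses to the set:
    #   nft add element inet filter input_timeout_ipv4 '{ 192.0.2.1, 192.0.2.250 }'
    set input_timeout_ipv4 {
        type ipv4_addr
        flags timeout, interval
        timeout 1d
    }

    # IPv6 addresses/prefixes in this set have all inbound IPv6 traffic dropped for 24 hours.
    # To add addresses to the set:
    #   nft add element inet filter input_timeout_ipv6 '{ 2001:0db8::4 }'
    set input_timeout_ipv6 {
        type ipv6_addr
        flags timeout, interval
        timeout 1d
    }

    # Inbound rules. Anything not accepted below is logged (rate-limited) and then dropped by the chain policy.
    chain input {
        type filter hook input priority 0; policy drop

        # Drop traffic from the timeout sets first, before the established/related shortcut can accept it.
        ip saddr @input_timeout_ipv4 drop comment "Early drop IPv4 traffic from the prefixes listed in input_timeout_ipv4"
        ip6 saddr @input_timeout_ipv6 drop comment "Early drop IPv6 traffic from the prefixes listed in input_timeout_ipv6"

        # Permit all established connections
        ct state established,related accept comment "Permit established/related connections"

        # Permit all loopback
        iif lo accept comment "Permit all traffic via loopback interface"

        # Drop TCP traffic with invalid flags
        ## New connections must start with a bare SYN. Only fin/syn/rst/ack are compared so that an
        ## ECN-negotiating client, whose SYN carries syn|ece|cwr, is not rejected (a plain
        ## "tcp flags != syn" compares the whole flag byte and drops such SYNs).
        tcp flags & (fin|syn|rst|ack) != syn ct state new limit rate 30/minute burst 5 packets counter log prefix "IN - New !SYN: " comment "Log new connections that do not have the SYN TCP flag set"
        tcp flags & (fin|syn|rst|ack) != syn ct state new drop comment "Drop new connections that do not have the SYN TCP flag set"
        ## fin and syn set together is never legitimate
        tcp flags & (fin|syn) == (fin|syn) limit rate 30/minute burst 5 packets counter log prefix "IN - Scan 1: " comment "Log common port scan traffic"
        tcp flags & (fin|syn) == (fin|syn) drop comment "Drop common port scan traffic"
        ## syn and rst set together is never legitimate
        tcp flags & (syn|rst) == (syn|rst) limit rate 30/minute burst 5 packets counter log prefix "IN - Scan 2: " comment "Log common port scan traffic"
        tcp flags & (syn|rst) == (syn|rst) drop comment "Drop common port scan traffic"
        ## No flags at all (NULL scan): masked value below fin means none of the six bits is set
        tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) limit rate 30/minute burst 5 packets counter log prefix "IN - Scan 3: " comment "Log common port scan traffic"
        tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) drop comment "Drop common port scan traffic"
        ## Exactly fin|psh|urg (XMAS scan)
        tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) limit rate 30/minute burst 5 packets counter log prefix "IN - Scan 4: " comment "Log common port scan traffic"
        tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) drop comment "Drop common port scan traffic"

        # Drop invalid connection state traffic
        ct state invalid limit rate 30/minute burst 5 packets counter log flags all prefix "IN - Invalid: " comment "Log traffic with invalid connection state"
        ct state invalid drop comment "Drop traffic with invalid connection state"

        # Allow SSH (new connections only; packets of existing sessions are already accepted above).
        # Brute-force protection is out of scope here: pair this with a tool that feeds offending
        # addresses into the input_timeout_* sets, or add a per-source rate limit on this rule.
        tcp dport ssh ct state new accept comment "Permit inbound SSH"

        # Permit and rate limit required ICMPv6 types.
        # These rules match the transport protocol ("icmpv6 type" implies meta l4proto ipv6-icmp) instead of
        # "ip6 nexthdr icmpv6": nexthdr only sees the header directly after the IPv6 header, and MLD packets
        # carry a Hop-by-Hop extension header first, so with nexthdr the MLD types below would never match.
        icmpv6 type { destination-unreachable, ind-neighbor-advert, ind-neighbor-solicit,
                      mld-listener-query, mld-listener-reduction, mld-listener-report,
                      mld2-listener-report, nd-neighbor-advert, nd-neighbor-solicit,
                      nd-router-advert, nd-router-solicit, packet-too-big,
                      parameter-problem, time-exceeded } accept comment "Permit required ICMPv6 types without rate limit"
        icmpv6 type { echo-reply, echo-request } limit rate 250/second accept comment "Rate limit IPv6 echo (ping)"
        meta l4proto ipv6-icmp limit rate 30/minute burst 5 packets counter log flags all prefix "IN - Prohibited ICMPv6: " comment "Log all other ICMPv6 types"
        meta l4proto ipv6-icmp drop comment "Drop all other ICMPv6 types"

        # Permit and rate limit required ICMPv4 types.
        # source-quench (deprecated by RFC 6633) and redirect (lets an on-link sender rewrite this host's routes)
        # are deliberately not accepted; they fall through to the log+drop rules below. Port-unreachable is a
        # code of destination-unreachable and needs no separate rule.
        ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept comment "Permit required ICMPv4 types without rate limit"
        ip protocol icmp icmp type { echo-reply, echo-request } limit rate 250/second accept comment "Rate limit IPv4 echo (ping)"
        ip protocol icmp limit rate 30/minute burst 5 packets counter log flags all prefix "IN - Prohibited ICMPv4: " comment "Log all other ICMPv4 types"
        ip protocol icmp drop comment "Drop all other ICMPv4 types"

        # Permit and rate limit traceroute probes (UDP high ports). Accepting them lets the kernel answer
        # with ICMP port-unreachable so that a trace terminating at this host completes.
        udp dport 33434-33524 limit rate 50/second accept comment "Rate limit traceroute"

        # Log any unmatched traffic (rate-limited); it is then dropped by the chain's default policy.
        limit rate 30/minute burst 5 packets counter log prefix "IN - Default: "
    }

    # Outbound traffic is not restricted
    chain output {
        type filter hook output priority 0; policy accept
    }
}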