# Seed /etc/nftables.conf from the packaged workstation example
# (overwrites any existing /etc/nftables.conf without a backup).
cp -- /usr/share/doc/nftables/examples/workstation.nft /etc/nftables.conf
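# Host input filter (the packaged workstation.nft example as listed).
# Fail closed: with `policy drop` the chain still drops when the final
# `counter drop` rule is edited out; under `policy accept` that same edit
# would silently open every port.
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;

		# Loopback traffic.
		iif "lo" accept

		# Packets belonging to connections this host already has
		# (ct state established,related).
		ct state established,related accept

		# IPv6 neighbour discovery; without it IPv6 connectivity breaks.
		ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

		# Everything else: count, then drop (counter values are the
		# runtime state captured in the listing).
		counter packets 67 bytes 9081 drop
	}
}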
# ufw's IPv4 rule set as listed.
# NOTE(review): no base chain (no `type filter hook ... ;` line) appears in
# this table, so none of the ufw-* chains below is reachable from a netfilter
# hook and, as shown, IPv4 traffic is governed only by `table inet filter`.
# Either the listing is truncated or the ufw IPv4 base chains are absent --
# confirm with `nft list table ip filter`.
table ip filter {
	# Rate-limited "[UFW BLOCK] " logging; invalid-state packets that are
	# inside the rate limit return without being logged.
	chain ufw-logging-deny {
		ct state invalid limit rate 3/minute burst 10 packets counter packets 0 bytes 0 return
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW BLOCK] "
	}
	# Rate-limited "[UFW ALLOW] " logging.
	chain ufw-logging-allow {
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW ALLOW] "
	}
	# Terminal verdict chains: the per-direction default (drop for input and
	# forward, accept for output) applied early, so later chains never run.
	chain ufw-skip-to-policy-input {
		counter packets 0 bytes 0 drop
	}
	chain ufw-skip-to-policy-output {
		counter packets 0 bytes 0 accept
	}
	chain ufw-skip-to-policy-forward {
		counter packets 0 bytes 0 drop
	}
	# Inbound: loopback, existing connections, ICMP errors and echo-request,
	# DHCP server->client, the not-local check, mDNS/SSDP multicast, then
	# the user rules.
	chain ufw-before-input {
		iifname "lo" counter packets 0 bytes 0 accept
		ct state related,established counter packets 0 bytes 0 accept
		# Invalid conntrack state: log (rate limited), then drop.
		ct state invalid counter packets 0 bytes 0 jump ufw-logging-deny
		ct state invalid counter packets 0 bytes 0 drop
		meta l4proto icmp icmp type destination-unreachable counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type time-exceeded counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type parameter-problem counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type echo-request counter packets 0 bytes 0 accept
		# DHCP replies (server port 67 -> client port 68).
		meta l4proto udp udp sport 67 udp dport 68 counter packets 0 bytes 0 accept
		# Drops packets whose destination is not this host (see ufw-not-local).
		counter packets 0 bytes 0 jump ufw-not-local
		# mDNS (224.0.0.251:5353) and SSDP (239.255.255.250:1900).
		meta l4proto udp ip daddr 224.0.0.251 udp dport 5353 counter packets 0 bytes 0 accept
		meta l4proto udp ip daddr 239.255.255.250 udp dport 1900 counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 jump ufw-user-input
	}
	# Outbound: loopback and existing connections, then the user rules.
	chain ufw-before-output {
		oifname "lo" counter packets 0 bytes 0 accept
		ct state related,established counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 jump ufw-user-output
	}
	# Forwarded: existing connections and the same ICMP types as input,
	# then the user rules.
	chain ufw-before-forward {
		ct state related,established counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type destination-unreachable counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type time-exceeded counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type parameter-problem counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type echo-request counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 jump ufw-user-forward
	}
	# Returns for local, multicast and broadcast destinations; anything else
	# is logged (rate limited) and dropped.
	chain ufw-not-local {
		fib daddr type local counter packets 0 bytes 0 return
		fib daddr type multicast counter packets 0 bytes 0 return
		fib daddr type broadcast counter packets 0 bytes 0 return
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 jump ufw-logging-deny
		counter packets 0 bytes 0 drop
	}
	# NetBIOS/SMB (udp 137-138, tcp 139/445), DHCP server ports and
	# broadcast traffic go straight to the input policy verdict (drop),
	# so they are never logged.
	chain ufw-after-input {
		meta l4proto udp udp dport 137 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
		meta l4proto udp udp dport 138 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
		meta l4proto tcp tcp dport 139 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
		meta l4proto tcp tcp dport 445 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
		meta l4proto udp udp dport 67 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
		meta l4proto udp udp dport 68 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
		fib daddr type broadcast counter packets 0 bytes 0 jump ufw-skip-to-policy-input
	}
	# The remaining after-*, user-* and user-logging-* chains are empty as
	# listed (no user rules have been added).
	chain ufw-after-output {
	}
	chain ufw-after-forward {
	}
	chain ufw-user-input {
	}
	chain ufw-user-output {
	}
	chain ufw-user-forward {
	}
	chain ufw-user-logging-input {
	}
	chain ufw-user-logging-output {
	}
	chain ufw-user-logging-forward {
	}
	# Rate-limited "[UFW LIMIT BLOCK] " log, then reject.
	chain ufw-user-limit {
		limit rate 3/minute counter packets 0 bytes 0 log prefix "[UFW LIMIT BLOCK] "
		counter packets 0 bytes 0 reject
	}
	chain ufw-user-limit-accept {
		counter packets 0 bytes 0 accept
	}
	chain ufw-before-logging-input {
	}
	chain ufw-before-logging-output {
	}
	chain ufw-before-logging-forward {
	}
	# Rate-limited "[UFW BLOCK] " log for input/forward traffic that reached
	# the end of the after-* chains; the output variant is empty.
	chain ufw-after-logging-input {
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW BLOCK] "
	}
	chain ufw-after-logging-output {
	}
	chain ufw-after-logging-forward {
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW BLOCK] "
	}
}
# ufw's IPv6 rule set as listed. Unlike `table ip filter` above, this table
# does have base chains: INPUT and FORWARD default to drop, OUTPUT to accept.
# Each base chain walks the ufw6 chains in the order before-logging ->
# before -> after -> after-logging -> reject -> track; the user-*, reject-*
# and track-input chains are empty as listed, so inbound IPv6 that is not
# accepted in ufw6-before-input or ufw6-after-input is logged by
# ufw6-after-logging-input (rate limited) and then hits the drop policy.
# NOTE(review): `table inet filter` hooks input at the same priority; an
# accept verdict here does not bypass that chain, while a drop in either
# chain is final, so an inbound IPv6 packet must be accepted by both.
table ip6 filter {
	# Counters: 44 packets entered the first two jumps and 0 reached
	# ufw6-after-input, i.e. every inbound IPv6 packet got its verdict
	# inside ufw6-before-input.
	chain INPUT {
		type filter hook input priority filter; policy drop;
		counter packets 44 bytes 4835 jump ufw6-before-logging-input
		counter packets 44 bytes 4835 jump ufw6-before-input
		counter packets 0 bytes 0 jump ufw6-after-input
		counter packets 0 bytes 0 jump ufw6-after-logging-input
		counter packets 0 bytes 0 jump ufw6-reject-input
		counter packets 0 bytes 0 jump ufw6-track-input
	}
	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		counter packets 0 bytes 0 jump ufw6-before-logging-forward
		counter packets 0 bytes 0 jump ufw6-before-forward
		counter packets 0 bytes 0 jump ufw6-after-forward
		counter packets 0 bytes 0 jump ufw6-after-logging-forward
		counter packets 0 bytes 0 jump ufw6-reject-forward
		counter packets 0 bytes 0 jump ufw6-track-forward
	}
	# 42 packets entered, 14 were accepted in ufw6-before-output, the
	# remaining 28 fell through to ufw6-track-output and the accept policy.
	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		counter packets 42 bytes 4274 jump ufw6-before-logging-output
		counter packets 42 bytes 4274 jump ufw6-before-output
		counter packets 28 bytes 3122 jump ufw6-after-output
		counter packets 28 bytes 3122 jump ufw6-after-logging-output
		counter packets 28 bytes 3122 jump ufw6-reject-output
		counter packets 28 bytes 3122 jump ufw6-track-output
	}
	chain ufw6-before-logging-input {
	}
	chain ufw6-before-logging-output {
	}
	chain ufw6-before-logging-forward {
	}
	# Inbound: loopback, routing-header type 0 dropped, existing connections,
	# invalid state logged and dropped, ICMPv6 errors/echo and neighbour
	# discovery (hop limit 255), DHCPv6, mDNS/SSDP, then the user rules.
	chain ufw6-before-input {
		iifname "lo" counter packets 2 bytes 152 accept
		rt type 0 counter packets 0 bytes 0 drop
		ct state related,established counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-reply counter packets 0 bytes 0 accept
		# Invalid conntrack state: log (rate limited), then drop.
		ct state invalid counter packets 0 bytes 0 jump ufw6-logging-deny
		ct state invalid counter packets 0 bytes 0 drop
		meta l4proto ipv6-icmp icmpv6 type destination-unreachable counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type packet-too-big counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type time-exceeded counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type parameter-problem counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-request counter packets 0 bytes 0 accept
		# Neighbour/router discovery, only with an unforwarded hop limit of 255.
		meta l4proto ipv6-icmp icmpv6 type nd-router-solicit ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-router-advert ip6 hoplimit 255 counter packets 3 bytes 216 accept
		meta l4proto ipv6-icmp icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter packets 2 bytes 144 accept
		meta l4proto ipv6-icmp icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter packets 1 bytes 64 accept
		# NOTE(review): the `icmpv6 type` value is missing from the listing in
		# the rules below, so which types they accept cannot be read from
		# this page -- presumably numeric types nft could not render by
		# name; confirm with `nft -n list table ip6 filter`.
		meta l4proto ipv6-icmp icmpv6 type ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type ip6 hoplimit 1 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type ip6 hoplimit 1 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type ip6 hoplimit 1 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type counter packets 0 bytes 0 accept
		# DHCPv6 server (547) -> client (546), link-local to link-local only.
		meta l4proto udp ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 counter packets 6 bytes 672 accept
		# mDNS (ff02::fb:5353) and SSDP (ff02::f:1900).
		meta l4proto udp ip6 daddr ff02::fb udp dport 5353 counter packets 30 bytes 3587 accept
		meta l4proto udp ip6 daddr ff02::f udp dport 1900 counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 jump ufw6-user-input
	}
	# Outbound counterpart of ufw6-before-input (no invalid-state handling,
	# no DHCPv6/multicast rules).
	chain ufw6-before-output {
		oifname "lo" counter packets 2 bytes 152 accept
		rt type 0 counter packets 0 bytes 0 drop
		ct state related,established counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type destination-unreachable counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type packet-too-big counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type time-exceeded counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type parameter-problem counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-request counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-reply counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-router-solicit ip6 hoplimit 255 counter packets 1 bytes 48 accept
		meta l4proto ipv6-icmp icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter packets 2 bytes 136 accept
		meta l4proto ipv6-icmp icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter packets 2 bytes 144 accept
		meta l4proto ipv6-icmp icmpv6 type nd-router-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
		# NOTE(review): `icmpv6 type` values missing from the listing here as
		# well; see the same note in ufw6-before-input.
		meta l4proto ipv6-icmp icmpv6 type ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type counter packets 7 bytes 672 accept
		meta l4proto ipv6-icmp icmpv6 type ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type ip6 hoplimit 1 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type ip6 hoplimit 1 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 icmpv6 type ip6 hoplimit 1 counter packets 0 bytes 0 accept
		counter packets 28 bytes 3122 jump ufw6-user-output
	}
	# Forwarded: routing-header type 0 dropped, existing connections and
	# ICMPv6 errors/echo, then the user rules.
	chain ufw6-before-forward {
		rt type 0 counter packets 0 bytes 0 drop
		ct state related,established counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type destination-unreachable counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type packet-too-big counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type time-exceeded counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type parameter-problem counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-request counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-reply counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 jump ufw6-user-forward
	}
	# NetBIOS/SMB and DHCPv6 ports go straight to the input policy verdict
	# (drop) without being logged.
	chain ufw6-after-input {
		meta l4proto udp udp dport 137 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
		meta l4proto udp udp dport 138 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
		meta l4proto tcp tcp dport 139 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
		meta l4proto tcp tcp dport 445 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
		meta l4proto udp udp dport 546 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
		meta l4proto udp udp dport 547 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
	}
	chain ufw6-after-output {
	}
	chain ufw6-after-forward {
	}
	# Rate-limited "[UFW BLOCK] " log for input/forward traffic that reached
	# the end of the after-* chains; the output variant is empty.
	chain ufw6-after-logging-input {
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW BLOCK] "
	}
	chain ufw6-after-logging-output {
	}
	chain ufw6-after-logging-forward {
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW BLOCK] "
	}
	# reject-* chains are empty as listed.
	chain ufw6-reject-input {
	}
	chain ufw6-reject-output {
	}
	chain ufw6-reject-forward {
	}
	chain ufw6-track-input {
	}
	# New outbound TCP/UDP connections are accepted (and thereby tracked).
	chain ufw6-track-output {
		meta l4proto tcp ct state new counter packets 0 bytes 0 accept
		meta l4proto udp ct state new counter packets 26 bytes 2930 accept
	}
	chain ufw6-track-forward {
	}
	# Rate-limited "[UFW BLOCK] " logging; invalid-state packets inside the
	# rate limit return without being logged.
	chain ufw6-logging-deny {
		ct state invalid limit rate 3/minute burst 10 packets counter packets 0 bytes 0 return
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW BLOCK] "
	}
	chain ufw6-logging-allow {
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW ALLOW] "
	}
	# Terminal verdict chains: drop for input/forward, accept for output.
	chain ufw6-skip-to-policy-input {
		counter packets 0 bytes 0 drop
	}
	chain ufw6-skip-to-policy-output {
		counter packets 0 bytes 0 accept
	}
	chain ufw6-skip-to-policy-forward {
		counter packets 0 bytes 0 drop
	}
	# user-* and user-logging-* chains are empty as listed.
	chain ufw6-user-input {
	}
	chain ufw6-user-output {
	}
	chain ufw6-user-forward {
	}
	chain ufw6-user-logging-input {
	}
	chain ufw6-user-logging-output {
	}
	chain ufw6-user-logging-forward {
	}
	# Rate-limited "[UFW LIMIT BLOCK] " log, then reject.
	chain ufw6-user-limit {
		limit rate 3/minute counter packets 0 bytes 0 log prefix "[UFW LIMIT BLOCK] "
		counter packets 0 bytes 0 reject
	}
	chain ufw6-user-limit-accept {
		counter packets 0 bytes 0 accept
	}
}
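# Host input filter (the packaged workstation.nft example as listed).
# Fail closed: with `policy drop` the chain still drops when the final
# `counter drop` rule is edited out; under `policy accept` that same edit
# would silently open every port.
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;

		# Loopback traffic.
		iif "lo" accept

		# Packets belonging to connections this host already has
		# (ct state established,related).
		ct state established,related accept

		# IPv6 neighbour discovery; without it IPv6 connectivity breaks.
		ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

		# Everything else: count, then drop (counter values are the
		# runtime state captured in the listing).
		counter packets 24 bytes 3224 drop
	}
}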