Simple Stateful Firewall with nftables

nftables is the Linux kernel subsystem, configured with the nft user-space tool, that filters and classifies network packets, datagrams and frames.

The ruleset below configures a simple stateful firewall for a basic web server: inbound traffic is dropped by default, and only replies to the host's own connections, loopback, rate-limited ping and the SSH, HTTP and HTTPS ports (TCP 22, 80 and 443) are accepted, for both IPv4 and IPv6. Check the file with nft -c -f /etc/nftables.conf before loading it with nft -f /etc/nftables.conf, and enable your distribution's nftables service so the ruleset is restored at boot.

/etc/nftables.conf
#!/usr/sbin/nft -f

# Start from an empty ruleset so reloading this file is idempotent.
flush ruleset

# A single inet table applies the same rules to IPv4 and IPv6.
table inet filter {

    chain inbound_ipv4 {
        # Answer ping, but rate-limited: useful for diagnostics, but it
        # also lets probes discover that this host is alive.
        icmp type echo-request limit rate 5/second accept
    }

    chain inbound_ipv6 {
        # Neighbour discovery is mandatory; without it IPv6 stops working.
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        icmpv6 type echo-request limit rate 5/second accept
    }

    chain input {
        # Everything not explicitly accepted below is denied.
        type filter hook input priority 0; policy drop;

        # Drop packets conntrack cannot classify before any later rule sees them.
        ct state invalid drop
        # Allow replies to connections this host opened, plus related traffic
        # such as ICMP errors for those connections.
        ct state { established, related } accept

        # Loopback is trusted.
        iifname lo accept

        # Dispatch ICMP handling by layer-3 protocol; the jump returns here
        # for anything those chains do not accept.
        meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }

        # Services offered by this host: SSH, HTTP and HTTPS, on IPv4 and IPv6.
        tcp dport { 22, 80, 443 } accept

        # Refuse everything else with an ICMP error rather than silently
        # dropping it; the drop policy above is therefore never reached.
        reject
    }

    chain forward {
        # This host is a web server, not a router: forward nothing.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # No policy given, so outbound traffic is accepted (nft's default).
        type filter hook output priority 0;
    }
}
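As an added example (not code from the original page or from the nftables project), the following Python script lints a ruleset like the one above before it is loaded. It parses the nft text format just far enough to find tables, chains, their hook and policy lines and their rules, then checks for a drop policy on input, the established/related and invalid conntrack rules, loopback, an unconditional verdict that shadows later rules, accepted TCP ports outside an allow list, and a forward chain left at nft's default accept policy. The embedded rulesets are constructed test input: the first is the page's ruleset with an invalid-state drop and a forward drop policy added (the output chain is left out, since without a policy nft accepts), the second is the same text with typical mistakes introduced. The parser deliberately understands only the syntax used on this page; nft -c -f remains the real syntax check.

```python
"""Static lint for an nftables ruleset (added example; not code from the page or the
nftables project). It parses tables, chains, hook/policy lines and rules and checks what
a stateful host firewall should have. Run 'nft -c -f FILE' for the real syntax check."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed input: the page's ruleset plus 'ct state invalid drop' and a forward drop policy.
GOOD_RULESET = """
table inet filter {
    chain inbound_ipv4 {
        icmp type echo-request limit rate 5/second accept
    }
    chain inbound_ipv6 {
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        icmpv6 type echo-request limit rate 5/second accept
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        ct state { established, related } accept
        iifname lo accept
        meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
        tcp dport { 22, 80, 443 } accept
        reject
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
"""
# Constructed variant with common mistakes: accept policy on input and forward,
# a bare 'accept' that shadows every later rule, an extra port, no invalid drop.
BAD_RULESET = (GOOD_RULESET.replace("policy drop;", "policy accept;")
               .replace("        ct state invalid drop\n", "")
               .replace("iifname lo accept", "accept\n        iifname lo accept")
               .replace("{ 22, 80, 443 }", "{ 22, 80, 443, 3306 }"))

@dataclass
class Chain:
    hook: str | None = None     # "input", "forward", ...; None for a plain jump target
    policy: str | None = None   # None: not given, so nft's default (accept) applies
    rules: list[str] = field(default_factory=list)

TABLE_RE = re.compile(r"^table\s+(\w+)\s+(\w+)\s*\{$")
CHAIN_RE = re.compile(r"^chain\s+(\w+)\s*\{$")
HOOK_RE = re.compile(r"^type\s+\w+\s+hook\s+(\w+)\s+priority\s+\S+\s*;(?:\s*policy\s+(\w+)\s*;)?$")
DPORT_RE = re.compile(r"^tcp\s+dport\s+(\{[^}]*\}|\d+)\s+accept$")
VERDICT_RE = re.compile(r"^(accept|drop|reject)(\s+with\s.*)?$")   # verdict without any match

def parse_ruleset(text: str) -> dict[str, Chain]:
    """Chains keyed by 'family table chain'; comments, the shebang and 'flush' are skipped."""
    chains: dict[str, Chain] = {}
    table = chain = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if chain is None and (m := TABLE_RE.match(line)):
            table = f"{m.group(1)} {m.group(2)}"
        elif chain is None and table and (m := CHAIN_RE.match(line)):
            chain = chains[f"{table} {m.group(1)}"] = Chain()
        elif line == "}":                       # ends the current chain, else the table
            chain, table = None, (table if chain else None)
        elif chain is not None and line:
            if m := HOOK_RE.match(line):
                chain.hook, chain.policy = m.group(1), m.group(2)
            else:
                chain.rules.append(line)
    return chains

def lint(chains: dict[str, Chain], allowed_tcp_ports: set[int]) -> list[str]:
    """Human-readable findings; an empty list means every check passed."""
    by_hook = {c.hook: (name, c) for name, c in chains.items() if c.hook}
    if "input" not in by_hook:
        return ["no chain hooks input: inbound traffic is not filtered at all"]
    where, inp = by_hook["input"]
    out: list[str] = []
    has = lambda pat: any(re.match(pat, r) for r in inp.rules)
    if inp.policy != "drop":
        out.append(f"{where}: policy is {inp.policy or 'accept (default)'}, expected drop")
    if not has(r"ct state\b.*\bestablished\b.*\baccept\b"):
        out.append(f"{where}: no 'ct state established,related accept' rule")
    if not has(r"ct state\b.*\binvalid\b.*\bdrop\b"):
        out.append(f"{where}: no 'ct state invalid drop'; invalid packets reach the port rules")
    if not has(r"iif(name)?\s+lo\s+accept$"):
        out.append(f"{where}: loopback traffic is not accepted")
    for i, r in enumerate(inp.rules[:-1]):     # a bare verdict before the end hides the rest
        if VERDICT_RE.match(r):
            out.append(f"{where}: unconditional '{r}' at rule {i + 1} shadows {len(inp.rules) - i - 1} later rule(s)")
            break
    opened = {int(p) for r in inp.rules if (m := DPORT_RE.match(r)) for p in re.findall(r"\d+", m.group(1))}
    if extra := opened - allowed_tcp_ports:
        out.append(f"{where}: TCP ports accepted but not on the allow list: {sorted(extra)}")
    if "forward" in by_hook and by_hook["forward"][1].policy != "drop":
        out.append(f"{by_hook['forward'][0]}: policy is not drop; a web server should not forward")
    return out

if __name__ == "__main__":
    for label, text in (("hardened", GOOD_RULESET), ("mistakes", BAD_RULESET)):
        print(label, *("  - " + f for f in lint(parse_ruleset(text), {22, 80, 443})), sep="\n")
```

Running the file prints no findings for the hardened ruleset and five for the variant with mistakes. To check the real file, pass the contents of /etc/nftables.conf to parse_ruleset and the set of ports the host is meant to serve to lint; a non-empty result is a reason not to load the ruleset.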