# Appends packet-filter rules to the nft chain `ip filter input`.
# Every line below is `nft add rule`, which appends, so rules are evaluated in
# the order they are added here: an earlier accept wins over a later drop.
# No `set -e` (or any `|| exit`) is visible in this part of the script, so a
# rule that nft rejects is skipped silently and the rest of the ruleset still
# loads — the host then runs with a partial policy and no error is reported.
# NOTE(review): the bare `saddr` / `dport` / `sport` / `proto` forms used
# throughout are not nft's match syntax (nft expects e.g. `ip saddr`,
# `tcp dport`, `udp sport`, `meta l4proto`); this reads like an unfinished
# iptables-to-nft translation — confirm these rules actually load.
1 PATH=/sbin:/bin:/usr/sbin:/usr/bin
# Rules for the host's own address ($MYIP).
# NOTE(review): $MYIP is never assigned in the visible lines. The bottom of
# the script builds MY_IP (with underscore) and calls a `my_ip` helper that is
# not defined here; these four rules look like that helper's body, in which
# case they are appended last, after the NFS/X11 drops below. Confirm.
6 # Allow everything from this host
7 nft add rule ip filter input saddr $MYIP counter accept
10 nft add rule ip filter input daddr $MYIP proto icmp counter accept
# Stateless "high port" accepts: TCP segments without SYN (i.e. not a new
# connection) and ALL UDP to ports >= 1024. The UDP accept is broad; whether
# the NFS/X11 drops below still take effect depends on these lines being
# appended after them (see note above).
13 nft add rule ip filter input daddr $MYIP dport 1024- proto tcp tcp flags & syn != syn counter accept
14 nft add rule ip filter input daddr $MYIP dport 1024- proto udp counter accept
18 # Allow everything from localhost
19 nft add rule ip filter input saddr 127.0.0.1 counter accept
# Drop NFS (2049) and X11 (6000-6063) explicitly: both sit above 1024 and
# would otherwise be reachable through the high-port accepts.
21 # Specifically block access to NFS and XWindows. Necessary because these are ports >1024
22 nft add rule ip filter input dport 2049 proto tcp counter drop
23 nft add rule ip filter input dport 2049 proto udp counter drop
24 nft add rule ip filter input dport 6000-6063 proto tcp counter drop
25 nft add rule ip filter input dport 6000-6063 proto udp counter drop
27 # Allow incoming ssh, smtp, dns, dhcp, www, ident, ntp, smb, OpenVPN, git-daemon
28 nft add rule ip filter input dport 22 proto tcp counter accept
29 nft add rule ip filter input dport 25 proto tcp counter accept
30 nft add rule ip filter input dport 53 proto tcp counter accept
31 nft add rule ip filter input dport 53 proto udp counter accept
# NOTE(review): this accepts any UDP datagram whose source port is 53 to any
# port >= 1024, with no conntrack check — any sender can satisfy it by
# choosing source port 53. DNS replies are already covered by a
# `ct state established` match if one is in place; consider relying on that.
32 nft add rule ip filter input sport 53 dport 1024- proto udp counter accept
33 nft add rule ip filter input dport 80 proto tcp counter accept
34 nft add rule ip filter input dport 113 proto tcp counter accept
# NTP (123) is a UDP protocol; the TCP rule is presumably redundant — verify.
35 nft add rule ip filter input dport 123 proto tcp counter accept
36 nft add rule ip filter input dport 123 proto udp counter accept
37 nft add rule ip filter input dport 137-139 proto tcp counter accept
38 nft add rule ip filter input dport 137-139 proto udp counter accept
39 nft add rule ip filter input dport 443 proto tcp counter accept
40 nft add rule ip filter input dport 445 proto tcp counter accept
41 nft add rule ip filter input dport 1194 proto udp counter accept
42 nft add rule ip filter input dport 9418 proto tcp counter accept
# FTP control (21) and FTP-data (20).
45 nft add rule ip filter input dport 20 proto tcp counter accept
46 nft add rule ip filter input dport 21 proto tcp counter accept
# Kept commented out: the stateless active-mode FTP-data rule it replaced.
47 # Allow ftp-data for active connections
48 #nft add rule ip filter input sport 20 dport 1024- proto tcp counter accept
# NOTE(review): `ct mstate state state state` is not valid nft syntax; nft's
# conntrack match is `ct state <states>`. As written, nft will reject all six
# rules below, so none of the FTP / high-port connection tracking is actually
# installed, and because nothing checks nft's exit status the script carries
# on as if it were. Looks like a garbled translation of `ct state ...`.
50 # Track FTP connections to allow active and passive mode FTP
51 nft add rule ip filter input sport 20 proto tcp ct mstate state state state established,related counter accept
52 nft add rule ip filter input dport 20 proto tcp ct mstate state state state established,related counter accept
53 nft add rule ip filter input sport 21 proto tcp ct mstate state state state new,established counter accept
54 nft add rule ip filter input dport 21 proto tcp ct mstate state state state established,related counter accept
55 nft add rule ip filter input sport 1024-65535 proto tcp ct mstate state state state established,related counter accept
56 nft add rule ip filter input dport 1024-65535 proto tcp ct mstate state state state established,related counter accept
# Collect the IPv4 addresses of all interfaces that are up, one per line,
# skipping loopback ($4 of `ip -o -4 address show` is "ADDR/PREFIX").
58 MY_IP=$(ip --oneline -4 address show up | awk '{split($4,a,/\//); if (a[1] != "127.0.0.1") print a[1]}')
# $MY_IP is deliberately unquoted so word-splitting yields one address per
# iteration. `my_ip` is not defined in the visible part of the file.
59 for ip in $MY_IP; do my_ip "$ip"; done