# Host firewall: populates the nftables chain `ip filter input` for a single
# machine. Every rule is appended with `nft add rule`, so nft evaluates them in
# the order written here - an earlier `accept` shadows any later `drop` that
# would match the same traffic. The gaps in the listing's own line numbering
# suggest parts of the file are not shown (the my_ip function called at the
# bottom, and any table/chain creation or flush, are among the missing lines).
# NOTE(review): no shebang or `set -e`/`set -u` is visible before this PATH
# assignment, so a failing nft command does not stop the script - confirm
# against the full file.
1 PATH=/sbin:/bin:/usr/sbin:/usr/bin
6 # Allow everything from this host
# $MYIP is not assigned anywhere visible; presumably my_ip() sets it from its
# argument before these rules are added (the loop at the end calls my_ip once
# per local address) - confirm.
# NOTE(review): a match on source address alone is spoofable: an inbound packet
# forged with this host's own address as its source would be accepted here.
# Genuine own-address traffic arrives on the loopback interface, so an
# interface match (iif lo) would pin this down; check that reverse-path
# filtering is enabled as well.
7 nft add rule ip filter input ip saddr $MYIP accept
# NOTE(review): this accepts every packet addressed to the host. Since the
# input hook only sees locally-destined packets, on a host whose only address
# is $MYIP this covers all inbound traffic, and because rules are evaluated in
# order it makes every drop and accept below unreachable for that traffic.
# Confirm this is intended, or whether the line belongs after the drop rules.
10 nft add rule ip filter input ip daddr $MYIP accept
# Stateless "reply" allowance: TCP to an ephemeral port with SYN clear, i.e.
# not a connection opener. `\&` makes the shell pass a literal & to nft.
13 nft add rule ip filter input ip daddr $MYIP tcp dport 1024-65535 tcp flags \& syn != syn accept
# UDP to any ephemeral port is accepted with no state or source check; the
# NFS/X11 drops further down are the only thing narrowing this.
14 nft add rule ip filter input ip daddr $MYIP udp dport 1024-65535 accept
18 # Allow everything from localhost
# Same caveat as the $MYIP rule above: source-address only, no `iif lo`.
19 nft add rule ip filter input ip saddr 127.0.0.1 accept
21 # Specifically block access to NFS (2049) and X11 (6000-6063). Necessary because these are ports >1024
# and would otherwise be reachable through the ephemeral-port accepts. These
# drops must stay ahead of the sport-based accepts below (DNS 53, FTP 20/21)
# to keep doing their job.
22 nft add rule ip filter input tcp dport 2049 drop
23 nft add rule ip filter input udp dport 2049 drop
24 nft add rule ip filter input tcp dport 6000-6063 drop
25 nft add rule ip filter input udp dport 6000-6063 drop
27 # Allow incoming ssh, smtp, dns, dhcp, www, ident, ntp, smb, OpenVPN, git-daemon
# No dhcp (67/68) rule is visible in this excerpt; it may sit in one of the
# gaps. None of these service rules restrict the source address - SMB
# (137-139, 445) and ident (113) in particular are open to any peer;
# consider limiting SMB to the local subnet.
28 nft add rule ip filter input tcp dport 22 accept
29 nft add rule ip filter input tcp dport 25 accept
30 nft add rule ip filter input tcp dport 53 accept
31 nft add rule ip filter input udp dport 53 accept
# Stateless DNS-reply allowance keyed on the remote source port only; any peer
# that sends from port 53 reaches every UDP high port not dropped above.
# A `ct state established` match would be tighter.
32 nft add rule ip filter input udp sport 53 udp dport 1024-65535 accept
33 nft add rule ip filter input tcp dport 80 accept
34 nft add rule ip filter input tcp dport 113 accept
35 nft add rule ip filter input tcp dport 123 accept
36 nft add rule ip filter input udp dport 123 accept
37 nft add rule ip filter input tcp dport 137-139 accept
38 nft add rule ip filter input udp dport 137-139 accept
39 nft add rule ip filter input tcp dport 443 accept
40 nft add rule ip filter input tcp dport 445 accept
41 nft add rule ip filter input udp dport 1194 accept
42 nft add rule ip filter input tcp dport 9418 accept
# FTP control (21) and ftp-data (20) server ports.
45 nft add rule ip filter input tcp dport 20 accept
46 nft add rule ip filter input tcp dport 21 accept
47 # Allow ftp-data for active connections
# Disabled: superseded by the conntrack-based rules below.
48 #nft add rule ip filter input tcp sport 20 tcp dport 1024-65535 accept
50 # Track FTP connections to allow active and passive mode FTP
# (Passive-mode data channels are only classified `related` if the FTP
# conntrack helper is loaded/enabled; that is not visible here.)
51 nft add rule ip filter input tcp sport 20 ct state established,related accept
52 nft add rule ip filter input tcp dport 20 ct state established,related accept
# NOTE(review): this one also accepts `new` connections, keyed solely on the
# remote source port being 21 - any peer choosing source port 21 can open a
# connection to any port not dropped earlier in the chain. Dropping `new`
# from this rule would align it with the others.
53 nft add rule ip filter input tcp sport 21 ct state new,established accept
54 nft add rule ip filter input tcp dport 21 ct state established,related accept
# Despite the FTP heading, these two are generic stateful accepts for any TCP
# flow involving an ephemeral port on either side.
55 nft add rule ip filter input tcp sport 1024-65535 ct state established,related accept
56 nft add rule ip filter input tcp dport 1024-65535 ct state established,related accept
# Collect the host's IPv4 addresses (one per line) from interfaces that are up.
# awk assumes the 4th field of `ip --oneline` output is ADDR/PREFIX and keeps
# the ADDR part, skipping loopback. Note the naming: MY_IP here is the list,
# while the rules above read $MYIP (presumably set per address by my_ip()).
58 MY_IP=$(ip --oneline -4 address show up | awk '{split($4,a,/\//); if (a[1] != "127.0.0.1") print a[1]}')
# $MY_IP is deliberately unquoted so the shell splits it into one address per
# iteration. my_ip() is defined outside the visible lines.
59 for ip in $MY_IP; do my_ip "$ip"; done