{
"nftables": [
{
"metainfo": {
"version": "1.0.9",
"release_name": "Old Doc Yak #3",
"json_schema_version": 1
}
},
{
"table": {
"family": "ip",
"name": "filter",
"handle": 1
}
},
{
"chain": {
"family": "ip",
"table": "filter",
"name": "input",
"handle": 1,
"type": "filter",
"hook": "input",
"prio": 0,
"policy": "drop"
}
},
{
"chain": {
"family": "ip",
"table": "filter",
"name": "forward",
"handle": 2,
"type": "filter",
"hook": "forward",
"prio": 0,
"policy": "drop"
}
},
{
"chain": {
"family": "ip",
"table": "filter",
"name": "output",
"handle": 3,
"type": "filter",
"hook": "output",
"prio": 0,
"policy": "accept"
}
},
{
"rule": {
"family": "ip",
"table": "filter",
"chain": "input",
"handle": 4,
"comment": "early drop of invalid packets",
"expr": [
{
"match": {
"op": "in",
"left": {
"ct": {
"key": "state"
}
},
"right": "invalid"
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "ip",
"table": "filter",
"chain": "input",
"handle": 6,
"comment": "accept all connections related to connections made by us",
"expr": [
{
"match": {
"op": "==",
"left": {
"ct": {
"key": "state"
}
},
"right": {
"set": [
"established",
"related"
]
}
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip",
"table": "filter",
"chain": "input",
"handle": 7,
"comment": "accept loopback",
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "iif"
}
},
"right": "lo"
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip",
"table": "filter",
"chain": "input",
"handle": 8,
"comment": "drop connections to loopback not coming from loopback",
"expr": [
{
"match": {
"op": "!=",
"left": {
"meta": {
"key": "iif"
}
},
"right": "lo"
}
},
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip",
"field": "daddr"
}
},
"right": {
"prefix": {
"addr": "127.0.0.0",
"len": 8
}
}
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "ip",
"table": "filter",
"chain": "input",
"handle": 9,
"comment": "accept all ICMP types",
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip",
"field": "protocol"
}
},
"right": "icmp"
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip",
"table": "filter",
"chain": "input",
"handle": 10,
"comment": "accept SSH",
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "tcp",
"field": "dport"
}
},
"right": 22
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip",
"table": "filter",
"chain": "input",
"handle": 11,
"comment": "count dropped packets",
"expr": [
{
"counter": {
"packets": 0,
"bytes": 0
}
}
]
}
},
{
"rule": {
"family": "ip",
"table": "filter",
"chain": "forward",
"handle": 12,
"comment": "count dropped packets",
"expr": [
{
"counter": {
"packets": 0,
"bytes": 0
}
}
]
}
},
{
"rule": {
"family": "ip",
"table": "filter",
"chain": "output",
"handle": 13,
"comment": "count accepted packets",
"expr": [
{
"counter": {
"packets": 0,
"bytes": 0
}
}
]
}
},
{
"table": {
"family": "ip6",
"name": "filter",
"handle": 2
}
},
{
"chain": {
"family": "ip6",
"table": "filter",
"name": "input",
"handle": 1,
"type": "filter",
"hook": "input",
"prio": 0,
"policy": "drop"
}
},
{
"chain": {
"family": "ip6",
"table": "filter",
"name": "forward",
"handle": 2,
"type": "filter",
"hook": "forward",
"prio": 0,
"policy": "drop"
}
},
{
"chain": {
"family": "ip6",
"table": "filter",
"name": "output",
"handle": 3,
"type": "filter",
"hook": "output",
"prio": 0,
"policy": "accept"
}
},
{
"rule": {
"family": "ip6",
"table": "filter",
"chain": "input",
"handle": 4,
"comment": "early drop of invalid packets",
"expr": [
{
"match": {
"op": "in",
"left": {
"ct": {
"key": "state"
}
},
"right": "invalid"
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "filter",
"chain": "input",
"handle": 6,
"comment": "accept all connections related to connections made by us",
"expr": [
{
"match": {
"op": "==",
"left": {
"ct": {
"key": "state"
}
},
"right": {
"set": [
"established",
"related"
]
}
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "filter",
"chain": "input",
"handle": 7,
"comment": "accept loopback",
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "iif"
}
},
"right": "lo"
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "filter",
"chain": "input",
"handle": 8,
"comment": "drop connections to loopback not coming from loopback",
"expr": [
{
"match": {
"op": "!=",
"left": {
"meta": {
"key": "iif"
}
},
"right": "lo"
}
},
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip6",
"field": "daddr"
}
},
"right": "::1"
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "filter",
"chain": "input",
"handle": 9,
"comment": "accept all ICMP types",
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip6",
"field": "nexthdr"
}
},
"right": "ipv6-icmp"
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "filter",
"chain": "input",
"handle": 10,
"comment": "accept SSH",
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "tcp",
"field": "dport"
}
},
"right": 22
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "filter",
"chain": "input",
"handle": 11,
"comment": "count dropped packets",
"expr": [
{
"counter": {
"packets": 0,
"bytes": 0
}
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "filter",
"chain": "forward",
"handle": 12,
"comment": "count dropped packets",
"expr": [
{
"counter": {
"packets": 0,
"bytes": 0
}
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "filter",
"chain": "output",
"handle": 13,
"comment": "count accepted packets",
"expr": [
{
"counter": {
"packets": 0,
"bytes": 0
}
}
]
}
}
]
}