flush ruleset table inet firewall { chain inbound_ipv4 { # accepting ping (icmp-echo-request) for diagnostic purposes. # However, it also lets probes discover this host is alive. # This sample accepts them within a certain rate limit: # icmp type echo-request limit rate 5/second accept } chain inbound_ipv6 { # accept neighbour discovery otherwise connectivity breaks # icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept # accepting ping (icmpv6-echo-request) for diagnostic purposes. # However, it also lets probes discover this host is alive. # This sample accepts them within a certain rate limit: # icmpv6 type echo-request limit rate 5/second accept } chain inbound { # By default, drop all traffic unless it meets a filter # criteria specified by the rules that follow below. type filter hook input priority 0; policy drop; # Allow traffic from established and related packets, drop invalid ct state vmap { established : accept, related : accept, invalid : drop } {% if nftables_external_interfaces is defined %} {% for interface in ansible_interfaces %} {% if interface not in nftables_external_interfaces %} iifname {{ interface }} accept {% endif %} {% endfor %} {% endif %} # Jump to chain according to layer 3 protocol using a verdict map meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 } {% if nftables_tcp_in is defined %} tcp dport { {{ nftables_tcp_in |join(",") }} } accept {% endif %} {% if nftables_udp_in is defined %} udp dport { {{ nftables_udp_in |join(",") }} } accept {% endif %} # Uncomment to enable logging of denied inbound traffic # log prefix "[nftables] Inbound Denied: " counter drop } chain forward { # Drop everything (assumes this device is not a router) type filter hook forward priority 0; policy drop; } # no need to define output chain, default policy is accept if undefined. }