nftables-workstation.nft: perform stateful filtering after the static rules

[config/nftables.git] / nftables-workstation.nft

diff --git a/nftables-workstation.nft b/nftables-workstation.nft
index 7261291..c227df2 100644 (file)
--- a/nftables-workstation.nft
+++ b/nftables-workstation.nft
@@ -40,10 +40,7 @@ table inet filter {
 
     chain input {
         type filter hook input priority 0
-
-        ct state established,related accept
-        ct state invalid drop
-        ct state new jump in-new
+        policy drop
 
         iif lo accept
 
@@ -91,6 +88,11 @@ table inet filter {
         # Allow IGMPv3 queries.
         ip protocol igmp ip daddr 224.0.0.1 accept
 
+        # Stateful filtering for anything else.
+        ct state established,related accept
+        ct state invalid drop
+        ct state new jump in-new
+
         # Silently drop other incoming broadcast and multicast traffic.
         meta pkttype {broadcast, multicast} drop
 
@@ -124,12 +126,16 @@ table inet filter {
 
     chain forward {
         type filter hook forward priority 0
+        policy drop
+
         limit rate 3/minute burst 10 packets log prefix "[FORWARD]: "
         counter reject
     }
 
     chain output {
         type filter hook output priority 0
+        policy drop
+
         counter accept
     }
 }