nftables-workstation.nft: perform stateful filtering after the static rules

author Antonio Ospite <ao2@ao2.it>

Thu, 26 Apr 2018 15:40:34 +0000 (17:40 +0200)

committer Antonio Ospite <ao2@ao2.it>

Thu, 26 Apr 2018 15:40:34 +0000 (17:40 +0200)
author Antonio Ospite <ao2@ao2.it>
Thu, 26 Apr 2018 15:40:34 +0000 (17:40 +0200)
committer Antonio Ospite <ao2@ao2.it>
Thu, 26 Apr 2018 15:40:34 +0000 (17:40 +0200)
diff --git a/nftables-workstation.nft b/nftables-workstation.nft

index ecfb200..c227df2 100644 (file)
--- a/nftables-workstation.nft
+++ b/nftables-workstation.nft
@@ -42,10 +42,6 @@ table inet filter {
          type filter hook input priority 0
          policy drop
  
          type filter hook input priority 0
          policy drop
  
-        ct state established,related accept
-        ct state invalid drop
-        ct state new jump in-new
-
          iif lo accept
  
          ip protocol icmp icmp type {
          iif lo accept
  
          ip protocol icmp icmp type {
@@ -92,6 +88,11 @@ table inet filter {
          # Allow IGMPv3 queries.
          ip protocol igmp ip daddr 224.0.0.1 accept
  
          # Allow IGMPv3 queries.
          ip protocol igmp ip daddr 224.0.0.1 accept
  
+        # Stateful filtering for anything else.
+        ct state established,related accept
+        ct state invalid drop
+        ct state new jump in-new
+
          # Silently drop other incoming broadcast and multicast traffic.
          meta pkttype {broadcast, multicast} drop
  
          # Silently drop other incoming broadcast and multicast traffic.
          meta pkttype {broadcast, multicast} drop
author	Antonio Ospite <ao2@ao2.it>
	Thu, 26 Apr 2018 15:40:34 +0000 (17:40 +0200)
committer	Antonio Ospite <ao2@ao2.it>
	Thu, 26 Apr 2018 15:40:34 +0000 (17:40 +0200)