#!/usr/sbin/nft -f # From https://wiki.gbe0.com/en/linux/firewalling-and-filtering/nftables/template-inbound-outbound ## Clear/flush all existing rules flush ruleset # Main inet family filtering table table inet filter { # Rules for forwarded traffic chain forward { type filter hook forward priority 0; policy drop # 允許 Docker 容器網路轉發 # 允許從 Docker 網橋到任何地方的轉發 iifname "docker0" counter accept comment "允許來自 Docker 的轉發流量" iifname "br-*" counter accept comment "允許來自 Docker 網橋的轉發流量" # 允許已建立連接的回應流量 oifname { "docker0", "br-*" } ct state established,related counter accept comment "允許返回 Docker 的回應流量" meta l4proto { tcp, udp } th dport 53 counter accept comment "允許 DNS 查詢轉發" ## Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute ## The default policy will be applied to unmatched traffic limit rate 60/minute burst 100 packets \ log prefix "Forward - Drop: " \ comment "Log any unmatched traffic" ## Count the unmatched traffic counter \ comment "Count any unmatched traffic" } # Rules for input traffic chain input { type filter hook input priority 0; policy drop ## Permit inbound traffic to loopback interface iif lo \ accept \ comment "Permit all traffic in from loopback interface" # 允許來自 Docker 網路的連接 iifname { "docker0", "br-*" } counter accept comment "允許來自 Docker 網路的流量" ## Permit established and related connections ct state established,related \ counter \ accept \ comment "Permit established/related connections" ## Log and drop new TCP non-SYN packets tcp flags !

繼續閱讀

https://wiki.gbe0.com/en/linux/firewalling-and-filtering/nftables/template-inbound-outbound #!/usr/sbin/nft -f ## Clear/flush all existing rules flush ruleset # Main inet family filtering table table inet filter { # Rules for forwarded traffic chain forward { type filter hook forward priority 0; policy drop ## Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute ## The default policy will be applied to unmatched traffic limit rate 60/minute burst 100 packets \ log prefix "Forward - Drop: " \ comment "Log any unmatched traffic" ## Count the unmatched traffic counter \ comment "Count any unmatched traffic" } # Rules for input traffic chain input { type filter hook input priority 0; policy drop ## Permit inbound traffic to loopback interface iif lo \ accept \ comment "Permit all traffic in from loopback interface" ## Permit established and related connections ct state established,related \ counter \ accept \ comment "Permit established/related connections" ## Log and drop new TCP non-SYN packets tcp flags !

繼續閱讀