diff --git a/filter.nft b/filter.nft
index e123562..5a52ff4 100644
--- a/filter.nft
+++ b/filter.nft
@@ -1,11 +1,20 @@
 #!/usr/bin/nft
 flush ruleset
+define SSH_PORT1 = 22
+define SSH_PORT2 = 8022
+
 table ip filter {
+ set allowed_tcp_ports {
+ type inet_service;
+ flags constant;
+ elements = { $SSH_PORT1, $SSH_PORT2 };
+ }
 chain in {
 type filter hook input priority filter; policy drop;
 ct state invalid drop;
 ct state {related,established} accept;
+ tcp dport @allowed_tcp_ports accept;
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
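Review bot: The new `tcp dport @allowed_tcp_ports accept;` rule in chain `in` opens both SSH ports to every source address with no state qualifier and no rate limit, so the host's only protection against credential brute-forcing on 22 and 8022 is sshd itself; since the `ct state {related,established} accept;` line above already passes mid-stream packets, this rule only needs to match new connections, and it should either be scoped to the management range (`ip saddr <MGMT_CIDR placeholder> tcp dport @allowed_tcp_ports accept;`) or at least throttled (`tcp dport @allowed_tcp_ports ct state new limit rate 10/minute accept;`, bearing in mind a global limit can lock out legitimate admins during a flood, so a per-source dynamic set is the better form). A `counter` on the accept rule would also make unexpected SSH exposure visible in `nft list ruleset` during incident triage. The set is named as a generic allowlist but its defines are SSH-specific; a comment such as `# SSH on the standard port plus 8022 for <reason>` above the defines would record why the second port exists. The `table ip filter` block and the `forward` chain continue past the end of this hunk, and the hunk header claims 11 old lines while only 10 are visible here, so the hunk may extend one line beyond this excerpt.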