diff --git a/defines.nft b/defines.nft
index fba9f41..10cfc0d 100644
--- a/defines.nft
+++ b/defines.nft
@@ -1,3 +1,6 @@
+# services
 define SSH_PORT1 = 22
 define SSH_PORT2 = 8022
-
+define DNS_PORT = 53
+define DHCP_IN_PORT = 67
+define DHCP_OUT_PORT = 68
diff --git a/filter.nft b/filter.nft
index b31ddb2..aa538ce 100644
--- a/filter.nft
+++ b/filter.nft
@@ -7,13 +7,27 @@ table ip filter {
 set allowed_tcp_ports {
 type inet_service;
 flags constant;
- elements = { $SSH_PORT1, $SSH_PORT2 };
+ elements = { $SSH_PORT1, $SSH_PORT2, $DNS_PORT };
 }
+
+ set allowed_udp_ports_in {
+ type inet_service;
+ flags constant;
+ elements = { $DNS_PORT, $DHCP_IN_PORT }
+ }
+
+ set allowed_udp_ports_out {
+ type inet_service;
+ flags constant;
+ elements = { $DNS_PORT, $DHCP_OUT_PORT }
+ }
+
 chain in {
 type filter hook input priority filter; policy drop;
 ct state invalid drop;
 ct state {related,established} accept;
 tcp dport @allowed_tcp_ports accept;
+ udp dport @allowed_udp_ports_in accept;
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
@@ -21,5 +35,6 @@ table ip filter {
 chain out {
 type filter hook output priority filter; policy drop;
+ udp dport @allowed_udp_ports_out accept;
 }
 }
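Review bot: The new DHCP constants are named by direction while 67 and 68 are defined by role (DHCP server port and DHCP client port), so `DHCP_IN_PORT = 67` in filter.nft quietly commits this host to the server role without saying so. Naming them `define DHCP_SERVER_PORT = 67` and `define DHCP_CLIENT_PORT = 68` makes each rule that references them state which role it allows, and would have to be carried into the two set definitions in filter.nft. The `# services` comment would also help more if it said whose services these are, e.g. `# services this host offers (server-side ports)`.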
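Review bot: The two new sets omit the trailing `;` after their `elements = { ... }` line, unlike the existing `allowed_tcp_ports` set directly above; nft accepts a newline as the separator, but the file's convention is the semicolon, so `elements = { $DNS_PORT, $DHCP_IN_PORT };` and `elements = { $DNS_PORT, $DHCP_OUT_PORT };` keep the three sets uniform. More substantively, accepting dport 53 (now on both TCP and UDP) and dport 67 in `chain in` exposes the host as a DNS and DHCP server to every peer that can reach it, a much wider input surface than the SSH-only policy it extends; if the host is meant to be a DHCP client it would need dport 68 inbound and dport 67 outbound instead, so a one-line comment above `allowed_udp_ports_in` stating the intended role would make that decision reviewable. If serving is intended, scoping the DNS/DHCP accept to the LAN interface with an `iifname` match would limit the exposure; whether such a restriction exists elsewhere in the table is not visible from this hunk.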
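Review bot: `chain out` still has no conntrack rule, so with `policy drop` the only packets this host can emit are the UDP flows in `allowed_udp_ports_out`: replies to the SSH, DNS-over-TCP and DNS/DHCP traffic that `chain in` now accepts are dropped on egress, and answers to incoming DNS queries go to the client's ephemeral port rather than dport 53, so the new set does not cover them either. Mirroring the input chain with `ct state invalid drop;` and `ct state {related,established} accept;` placed before the new udp rule restores the reply path; whether the host should additionally originate TCP connections is a policy choice this hunk leaves open. The hunk header counts five old lines but only four are visible in the collapsed text, presumably a blank line, so this is read on the assumption that nothing else was in the chain.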