Dears,
I am new to Dedicated Servers / VPS and I wish to do things the right way.
Googling around gave me the very basics of nftables (I am running Debian Buster), but I cannot find typical rules that should always be applied.
Do you have any general advice that could/should be applied in all cases? The OVH documentation lacks such good practices and rules of thumb.
As a first guess, I would reject any incoming request; except on ports I use (SSH, or web server).
Is this a good practice?
Here is a short illustration of what I would like to do. Feedback is welcome :slight_smile:
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        # Default verdict is drop; the explicit "counter drop" at the end is kept to count what falls through
        type filter hook input priority 0; policy drop;
        # Accept localhost traffic
        iif lo accept
        # Drop packets conntrack cannot classify, then accept the rest of existing
        # connections (replies to what this host initiated, plus related traffic).
        # "new" must not be in this set: it would accept every new connection
        # before the port rules below are ever reached.
        ct state invalid drop
        ct state { established, related } accept
        # Accept IPv6 neighbour discovery and ping
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
        # Accept TCP traffic to the SSH port
        tcp dport XXXXX accept
        # Accept TCP traffic for SMTP
        #tcp dport 25 accept
        # Drop (and count) any other incoming connections
        counter drop
    }
    chain forward {
        type filter hook forward priority 0;
    }
    chain output {
        type filter hook output priority 0;
    }
}
Thank you for sharing your experience. This is highly valuable :slight_smile:
KR,
Seb
Nftables good practices
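As an added example (not from the original post or from OVH's documentation), here is a shell script that writes a baseline ruleset in the spirit of the one above and applies it with a syntax check and a timed rollback, so a mistake in the rules cannot lock you out over SSH. The ruleset text, the SSH_PORT/WEB_PORTS variables and the /run/nft-confirm marker file are this example's own assumptions.

```shell
#!/bin/sh
# Added example: write a baseline nftables ruleset for a single server and
# apply it with a syntax check plus a timed rollback, so a mistake in the
# rules cannot lock you out of SSH. Paths and variable names are assumptions.

build_ruleset() {
    # $1 = SSH port, $2 = space-separated TCP ports to expose (may be empty)
    ssh_port="$1"; web_rule=""
    [ -n "$2" ] && web_rule="tcp dport { $(printf '%s' "$2" | sed 's/ /, /g') } accept"
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state invalid drop
        ct state { established, related } accept
        # ICMP keeps path MTU discovery, traceroute replies and ping working
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, echo-request, packet-too-big, destination-unreachable, time-exceeded } accept
        # Per-source throttle on new SSH connections; the excess hits the policy drop
        tcp dport ${ssh_port} ct state new meter ssh4 { ip saddr limit rate 10/minute } accept
        tcp dport ${ssh_port} ct state new meter ssh6 { ip6 saddr limit rate 10/minute } accept
        ${web_rule}
        # Count everything that got this far and log a sample before the policy drops it
        counter
        limit rate 5/minute log prefix "nft-input-drop: "
    }
    # This host routes nothing; revisit if you add containers or a VPN
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output { type filter hook output priority 0; policy accept; }
}
EOF
}

safe_apply() {
    # $1 = ruleset file, $2 = seconds you have to confirm before the old rules return
    new="$1"; wait="$2"; old="$(mktemp)"
    nft -c -f "$new" || { echo "syntax error in $new, nothing applied" >&2; return 1; }
    nft list ruleset > "$old"          # snapshot for the rollback
    nft -f "$new" || return 1          # atomic: on failure the old rules stay loaded
    echo "applied; run 'touch /run/nft-confirm' within ${wait}s or the snapshot is restored"
    ( sleep "$wait"; [ -e /run/nft-confirm ] || { nft flush ruleset; nft -f "$old"; } ) &
}
if [ "${1:-}" = "apply" ]; then
    build_ruleset "${SSH_PORT:-22}" "${WEB_PORTS:-80 443}" > /etc/nftables.conf
    safe_apply /etc/nftables.conf 60
fi
```

Run it as root with `SSH_PORT=<your port> ./nft-apply.sh apply`, confirm from a second SSH session once you are sure the first one still works, and let the timer restore the snapshot otherwise.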