OVH Community

Welcome to your community space. Ask questions, search for information, post content, and interact with other OVH Community members.

Nftables good pratices


#1

Dears,

I am new to Dedicated Servers / VPS and I whish to do things the right way.
Googling around gave me the very basics of nftables (I am running Debian Buster) but I cannot find out typical rules that should always be applied.

Do you have any general advice that could/should be applied in all cases? The OVH documentation lacks of such good pratices and rules of thumb.

As a first guess, I would reject any incoming request; except on ports I use (SSH, or web server).
Is this a good practice?

Here is short illustration of what I would like to do. Feedbacks are welcome :slight_smile:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0;
		
		# Accept localhost trafic
		iif lo accept
		
		# Accept localhost in-/out- connections
		ct state { new, established, related, untracked } accept
		
		# Accept IPv6 neighbour discovery
		ip6 nexthdr icmpv6
		icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
		
		# Accept TCP traffic over SSH
		tcp dport XXXXX accept
		
		# Accept TCP trafic for SMTP
		#tcp dport 25 accepts

		# Reject any other connections
		counter drop
	}
	chain forward {
		type filter hook forward priority 0;
	}
	chain output {
		type filter hook output priority 0;
	}
}

I thank you to share your experience. This is highly valuable :slight_smile:
KR,
Seb