-rw-r--r--steel-nftables.conf12
-rw-r--r--steel.scm3
2 files changed, 15 insertions, 0 deletions
diff --git a/steel-nftables.conf b/steel-nftables.conf
new file mode 100644
index 0000000..e5d379c
--- /dev/null
+++ b/steel-nftables.conf
@@ -0,0 +1,12 @@
+table ip filter {
+  chain input {
+    # Drop all traffic by default.
+    type filter hook input priority 0; policy drop;
+    # Allow traffic from established connections.
+    ct state vmap { established: accept, related: accept, invalid: drop }
+    # Allow loopback traffic.
+    iifname lo accept
+    # Allow 8080 for occasional darkhttpd use.
+    tcp dport 8080 accept
+  }
+}
\ No newline at end of file
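Review bot: The table is declared with the `ip` family on the first line of the hunk, so this ruleset only filters IPv4; IPv6 packets reaching the host are not subject to the `policy drop` here and pass unless some other table covers them. Declaring it as `table inet filter {` applies the same chain to both address families. With an `inet` table, neighbour discovery then has to be allowed explicitly or IPv6 connectivity breaks, e.g. `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept` next to the loopback rule. If the host is deliberately IPv4-only, a one-line comment above the table saying so would spare the next reader the question. The missing trailing newline flagged on the last line is cosmetic.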
diff --git a/steel.scm b/steel.scm
index c37512c..601ee27 100644
--- a/steel.scm
+++ b/steel.scm
@@ -89,6 +89,9 @@
                              (program (file-append slock "/bin/slock"))))
                    (service alsa-service-type)
                    (service dhcpcd-service-type)
+                   (service nftables-service-type
+                            (nftables-configuration
+                              (ruleset (local-file "steel-nftables.conf"))))
                    (service dicod-service-type)
                    (service ntp-service-type)
                    (service pulseaudio-service-type)