{{tag>[linux nftables]}}
=====nftables - a mild autistic ruleset=====
The netfilter.org "nftables" project: [[https://netfilter.org/projects/nftables/]]

====The ruleset====
These rules disable most inter-LAN connectivity. The host wil talk to the gateway, DNS, NTP and DHCP servers. Other nodes might pick up broadcast traffic, but will not be able to communicate with this endpoint.

  * Create a file with MAC addresses you want to be able to communicate with. Or dynamically generate it at boot (''/dev/shm/maclist'').<code>
####################### 
# Firewall inet
#######################

# Flush ruleset and create chains for inet
nft flush ruleset
nft add table inet filter
nft add chain inet filter INPUT   { type filter hook input   priority 0 \; policy drop \; }
nft add chain inet filter OUTPUT  { type filter hook output  priority 0 \; policy accept \; }
nft add chain inet filter FORWARD { type filter hook forward priority 0 \; policy drop \; }

# Accept established, drop invalid
nft add rule inet filter INPUT ct state {established, related} accept
nft add rule inet filter INPUT ct state invalid drop
nft add rule inet filter INPUT iifname lo accept

# Disable all IPv4 ICMP and drop IPv6 ping
nft add rule inet filter INPUT ip protocol icmp drop
nft add rule inet filter INPUT ip6 nexthdr icmpv6 icmpv6 type echo-request drop

# Allow IPv6 configuration
nft add rule inet filter INPUT ip6 nexthdr icmpv6  icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept


####################### 
# Firewall ARP
#######################

# Create chains with same naming convention as arptables.
nft add table arp filter
nft add chain arp filter INPUT   { type filter hook input   priority 0 \; }
nft add chain arp filter OUTPUT  { type filter hook output  priority 0 \; }
nft add chain arp filter FORWARD { type filter hook forward priority 0 \; }

# Allow requests from addresses in the defined neighbour list.
while read line
do
  nft add rule arp filter INPUT arp operation  request ether saddr $line counter accept
done <<< $(</dev/shm/maclist)

# Allow incoming reply's.
nft add rule arp filter INPUT arp operation  reply counter accept

# Log incoming dropped ARP packages.
nft add rule arp filter INPUT   log prefix \"INPUT   FILTER ARP: \"

# Default drop. 
nft chain arp filter INPUT { policy drop \; }
nft chain arp filter FORWARD { policy drop \; }
</code>
  * Show current ruleset:<code># nft list ruleset
table inet filter {
        chain INPUT {
                type filter hook input priority 0; policy drop;
                ct state { established, related} accept
                ct state invalid drop
                iifname "lo" accept
                ip protocol icmp drop
                icmpv6 type echo-request drop
                icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert} accept
        }

        chain OUTPUT {
                type filter hook output priority 0; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority 0; policy drop;
        }
}
table arp filter {
        chain INPUT {
                type filter hook input priority 0; policy drop;
                arp operation request ether saddr aa:bb:cc:dd:ee:f0 counter packets 3544 bytes 163024 accept
                arp operation request ether saddr aa:bb:cc:dd:ee:f1 counter packets 10 bytes 460 accept
                arp operation request ether saddr aa:bb:cc:dd:ee:f2 counter packets 322 bytes 14812 accept
                arp operation reply counter packets 3120 bytes 143520 accept
                log prefix "INPUT FILTER ARP: "
        }

        chain OUTPUT {
                type filter hook output priority 0; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority 0; policy drop;
        }
}
</code>