On sam., 2025-11-22 at 22:34 +0100, Michel Verdier wrote:
> Le 22 novembre 2025 jean-christophe Énée a écrit :
>
> > https://paste.debian.net/hidden/cbbcaee9/
> >
> > bonjour,
> > que faut-il modifier à ce script pour ouvrir le port http pour
> > nginx.
>
> Peut-être déjà le script directement dans ton mail au lieu d'un lien
> cassé :)
jean-christophe@blues-softwares:~$ cat /etc/nftables.conf
#!/usr/bin/nft -f
#
# Standalone / workstattion firewall
# A single network interface, with support of services such as ssh if
desired.
#
# After install use by:
# systemctl enable nftables
# systemctl start nftables
#
# Manual
# Use : nft -f /etc/nftables.conf
# Remove : nft flush ruleset
#
# Check :
# nft -c -f /etc/nftables.conf
#
# Install:
# - Change "iface" to use your own network interface (iface =
...)
#
# - Save default:
# mv /etc/nftables.conf /etc/nftables.conf.orig
#
# - Copy rules
# mkdir /etc/nftables.d
# rsync -a nftables.conf /etc/
# rsync -a etc/nftables.d/input-blocks /etc/nftables.d/
# systemctl restart nftables
#
# Make sure you turn off any older iptables
# systemctl stop iptables; systemctl disable iptables
# systemctl enable nftables
#
# - Adding new blocks:
# Add whatever CIDR blocks to the input-blocks file and restart
# systemctl restart nftables
#
# N.B. Sets are local to each table. i.e not shareable across tables
# See nftables documentation.
#
# Gene C 2023
#
#**************************************************
define iface = wlp2f0 # <=== change
#**************************************************
# start fresh
flush ruleset
table inet t_filter {
chain input {
#
# default policy is everything is dropped
#
type filter hook input priority 0; policy drop
#
# Drop invalid packets, allow established/related traffic
# Badly formed tcp flags
#
tcp flags & (fin|syn|rst|ack) != syn ct state new drop
ct state vmap { invalid : drop, established : accept, related :
accept }
#
# local traffic is ok
#
iif lo accept
#
# icmp
#
ip protocol icmp accept
meta l4proto ipv6-icmp accept
#
# If allow any services below - then add any blocks
#
#iifname $iface ip saddr @input-blocks drop
#
# services
# IP(s) cidrs to be allowed are defined at bottom of this file
#
# - ssh incoming:
# To enable other machines on network to 'ssh in'
# Add the IP(s) or cidr blocks to the set 'ssh_svc'
#
# - dns - if this machine provides dns to other machines
# Add cidr or ips to 'dns_svc' set
#
# - any other services you allow connections to (e.g.
webserver)
# Uncomment and add cidr/ips to the set 'other_svc'
#
iifname . meta l4proto . th dport @ssh_svc ct state new accept
iifname . meta l4proto . th dport @dns_svc ct state new accept
#iifname . meta l4proto . th dport @web_svc ct state new accept
#iifname . meta l4proto . th dport @other_svc ct state new
accept
#
# Disallow anything else inbound
#
ct state new drop
}
chain forward {
type filter hook forward priority 0; policy drop
}
chain output {
type filter hook output priority 0; policy accept
#
# Filtered Ports
# Ports in set 'filtered' prevented them leaving this
machine
# Uncomment to use - ports defined below
#
#oifname $iface meta l4proto { tcp, udp } th dport @closed
reject
}
#
# sets
#
set dns_svc {
typeof iifname . meta l4proto . th dport ;
elements = {
$iface . tcp . 53,
$iface . udp . 53 ,
}
}
set ssh_svc {
typeof iifname . meta l4proto . th dport ;
elements = {
$iface . tcp . 22,
}
}
set ssh_web {
typeof iifname . meta l4proto . th dport ;
elements = {
$iface . tcp . 80,
$iface . tcp . 443,
$iface . udp . 443, # QUIC http/3
}
}
#
# Other services -
#
#set other_svc {
# typeof iifname . meta l4proto . th dport ;
# elements = {
# $iface . tcp . xxx,
# $iface . udp . yyy,
# }
#}
set filtered {
type inet_service; flags interval ;
elements = {2049, 6000-6015, 135, 137-139, 445, 161-162, 69,
514, 67-68, 6660-6669 }
}
include "/etc/nftables.d/input-blocks"
}
jean-christophe@blues-softwares:~$
