On Fri, Jan 12, 2024 at 03:52:46PM +0000, Tom Furie wrote:
> other input/output rules that are interfering, but since you've abridged
> your ruleset we have no way of knowing.

Sorry, wanted to include the full ruleset and forgot. I've still left
off the "table ip nat" and "table ip filter" chains, I hope this is OK.


#!/usr/sbin/nft -f

flush ruleset

table ip nat {
...
}

table ip filter {
...
}

table ip6 filter {
        chain input {
                type filter hook input priority 0; policy drop;
                ct state invalid counter drop comment "early drop of invalid packets"
                ct state {established, related} counter accept comment "accept all connections related to connections made by us"
                iif lo accept comment "accept loopback"
                iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
                meta l4proto ipv6-icmp counter accept comment "accept all ICMP types"
                tcp dport 22 counter accept comment "accept SSH"
                tcp dport 25 counter accept comment "accept SMTP"
                tcp dport 53 counter accept comment "accept DNS"
                udp dport 53 counter accept comment "accept DNS"
                tcp dport 80 counter accept comment "accept HTTP"
                tcp dport 443 counter accept comment "accept HTTPS"
                counter comment "count dropped packets"
        }

        chain forward {
                type filter hook forward priority 0; policy drop;

                iifname ppp0 oifname en0 ct state established,related accept
                iifname en0 oifname ppp0 accept
                                        
                iifname en2 oifname ppp0 accept
                iifname ppp0 oifname en2 accept

                iifname en0 oifname en2 accept
                iifname en2 oifname en0 ct state established,related accept

                meta l4proto ipv6-icmp accept

        }
}
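As an added check, not part of the original post or of nftables itself: a small Python script that parses the interface-pair rules of the forward chain above and reports which interfaces accept brand-new connections arriving from an uplink. It assumes ppp0 is the untrusted (WAN) side, which the post does not state.

```python
import re

# Forward-chain body copied from the posted ruleset (constructed input for this example).
FORWARD_CHAIN = """
type filter hook forward priority 0; policy drop;
iifname ppp0 oifname en0 ct state established,related accept
iifname en0 oifname ppp0 accept
iifname en2 oifname ppp0 accept
iifname ppp0 oifname en2 accept
iifname en0 oifname en2 accept
iifname en2 oifname en0 ct state established,related accept
meta l4proto ipv6-icmp accept
"""

# Matches "iifname X oifname Y [ct state a,b] accept"; other lines are ignored.
RULE_RE = re.compile(
    r"^iifname\s+(?P<iif>\S+)\s+oifname\s+(?P<oif>\S+)"
    r"(?:\s+ct\s+state\s+(?P<states>[\w,]+))?\s+accept$"
)


def parse_forward(text):
    """Return {(iif, oif): set of ct states} for each interface-pair accept rule.
    An empty set means the rule accepts regardless of connection state."""
    rules = {}
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            states = set(m["states"].split(",")) if m["states"] else set()
            rules[(m["iif"], m["oif"])] = states
    return rules


def open_inbound(rules, untrusted):
    """Interfaces reachable by *new* connections entering on `untrusted`.
    A rule qualifies if it has no ct state match at all or explicitly lists 'new'."""
    return sorted(oif for (iif, oif), st in rules.items()
                  if iif == untrusted and (not st or "new" in st))


if __name__ == "__main__":
    rules = parse_forward(FORWARD_CHAIN)
    for (iif, oif), st in sorted(rules.items()):
        print(f"{iif} -> {oif}: {'stateful ' + ','.join(sorted(st)) if st else 'any state'}")
    print("new connections from ppp0 are forwarded to:", open_inbound(rules, "ppp0"))
```

With the posted chain, only en2 is reachable by new connections from ppp0; en0 only receives established/related traffic.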
