networking.nftables.ruleset

The ruleset to be used with nftables. Should be in a format that can be loaded using "/bin/nft -f". The ruleset is updated atomically. Note that if the tables should be cleaned first, either:

networking.nftables.flushRuleset = true; needs to be set (flushes all tables)
networking.nftables.extraDeletions needs to be set
or networking.nftables.tables can be used, which will clean up the table automatically.

Declarations

nixos/modules/services/networking/nftables.nix

Type

strings concatenated with "\n"

Default

""

Example

''
  # Check out https://wiki.nftables.org/ for better documentation.
  # Table for both IPv4 and IPv6.
  table inet filter {
    # Block all incoming connections traffic except SSH and "ping".
    chain input {
      type filter hook input priority 0;
  
      # accept any localhost traffic
      iifname lo accept
  
      # accept traffic originated from us
      ct state {established, related} accept
  
      # ICMP
      # routers may also want: mld-listener-query, nd-router-solicit
      ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
      ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
  
      # allow "ping"
      ip6 nexthdr icmpv6 icmpv6 type echo-request accept
      ip protocol icmp icmp type echo-request accept
  
      # accept SSH connections (required for a server)
      tcp dport 22 accept
  
      # count and drop any other traffic
      counter drop
    }
  
    # Allow all outgoing connections.
    chain output {
      type filter hook output priority 0;
      accept
    }
  
    chain forward {
      type filter hook forward priority 0;
      accept
    }
  }
''