Nftables

From Dave-Wiki
Revision as of 01:45, 18 November 2023 by Dave

Initial Config

  1. Disable firewalld and enable nftables:
    1. systemctl disable --now firewalld
    2. systemctl mask firewalld
    3. nft flush ruleset
    4. systemctl enable --now nftables
    • firewalld is masked, not just disabled, so nothing can start it again and fight nftables for the ruleset.
    • nft flush ruleset removes every table and chain in the kernel. Until the rules below are in place the host accepts everything, so do this from the console or with a working session you can keep.
  2. Create a new inet table called "filter":
    nft add table inet filter
  3. Create a chain called "INPUT" (in the filter table):
    nft add chain inet filter INPUT { type filter hook input priority 0 \; policy accept\; }
    • defines type: filter, hook: input, priority: 0. Lower priority values are evaluated earlier, not later; 0 is simply the conventional filter priority (the same position iptables' filter table had). policy accept means packets that reach the end of the chain without matching a terminal rule are allowed.
    • The backslashes keep the shell from treating ; as a command separator; nft itself sees plain semicolons.
  4. Create a new rule allowing localhost traffic (in the INPUT chain):
    nft add rule inet filter INPUT iif lo accept
  5. Create a new rule allowing established connections (in the INPUT chain):
    nft add rule inet filter INPUT ct state established,related accept
    • Lets replies to connections this host opened come back in, plus related traffic such as ICMP errors. This is also what keeps an existing SSH session alive while the rest of the chain is being built.
  6. Create a new rule allowing 80/tcp and 22/tcp (in the INPUT chain):
    nft add rule inet filter INPUT tcp dport {80, 22} accept
    • Optional; put only the ports this host should actually expose in the set. If SSH is how you reach the box, 22 (or whatever port sshd listens on) has to be here before the drop rule goes in, or no new sessions will get through.
  7. Create a new rule to count and drop all other traffic (in the INPUT chain):
    nft add rule inet filter INPUT counter drop
    • Add this last. nft add rule appends to the chain, and the chain policy is accept, so anything that reaches the end of the chain without hitting this rule is allowed.
    • or, better yet... log and drop traffic:
      nft add rule inet filter INPUT log prefix \"Dropped\: \" flags all counter drop comment \"default drop all\"
    • The \" and \: escapes pass the quotes and colon through the shell so nft receives a proper quoted string. The prefix is what you will grep for in the kernel log (dmesg or journalctl -k).
    • An unlimited log rule on a busy interface can flood the journal; nft's limit rate expression (for example limit rate 5/minute) in front of log keeps that in check.
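The seven steps above, as one script that loads the whole INPUT policy atomically with nft -f. This is an added example, not the wiki page's own commands: it uses policy drop instead of policy accept plus a trailing drop rule, validates the file with nft -c before committing, and adds a rate-limited log rule. The ALLOW_TCP variable, the 5/minute limit, the ct state invalid rule and the --apply flag are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the original page's commands). Builds the INPUT policy
# from the steps above as a single nft file and loads it with `nft -f`, so the
# kernel never sees a chain that exists with no drop rule at the end.
set -u

# Assumption: TCP ports to expose. Override with ALLOW_TCP="22, 443" etc.
ALLOW_TCP="${ALLOW_TCP:-22, 80}"

# Print the complete ruleset. 'flush ruleset' at the top makes every load a
# replacement, so re-running the script is idempotent. The whole file is
# committed as one transaction by nft -f (all rules or none).
build_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
    chain INPUT {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        tcp dport { ${ALLOW_TCP} } accept
        limit rate 5/minute log prefix "Dropped: " flags all
        counter drop comment "default drop all"
    }
}
EOF
}

# Parse and check the file first (-c changes nothing); only load it if that
# succeeds, so a typo cannot leave the host half-configured.
apply_ruleset() {
  f="$(mktemp)" || return 1
  build_ruleset > "$f"
  if nft -c -f "$f"; then
    nft -f "$f"
    rc=$?
  else
    echo "ruleset failed validation, nothing was changed" >&2
    rc=1
  fi
  rm -f "$f"
  return "$rc"
}

# Touch the kernel only when asked explicitly (must run as root).
if [ "${1:-}" = "--apply" ]; then
  apply_ruleset
else
  build_ruleset
fi
```

Run it without arguments to review the generated file, then with --apply as root to load it. The established,related rule means the SSH session you run it from survives even if its port is missing from ALLOW_TCP; only new connections are affected, so check `nft list ruleset` from that same session before logging out. Rules loaded this way live only in the kernel: to survive a reboot, save the same text to the file nftables.service reads (/etc/sysconfig/nftables.conf on RHEL-family systems, /etc/nftables.conf on Debian and derivatives), or capture the live state with `nft list ruleset` into that file.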