networking.nftables.tables

Tables to be added to ruleset. Tables will be added together with delete statements to clean up the table before every update.

Type

attribute set of (submodule)

Default

{ }

Example

{
  filter = {
    content = ''
      # Check out https://wiki.nftables.org/ for better documentation.
      # Table for both IPv4 and IPv6.
      # Block all incoming connections traffic except SSH and "ping".
      chain input {
        type filter hook input priority 0;
      
        # accept any localhost traffic
        iifname lo accept
      
        # accept traffic originated from us
        ct state {established, related} accept
      
        # ICMP
        # routers may also want: mld-listener-query, nd-router-solicit
        ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
      
        # allow "ping"
        ip6 nexthdr icmpv6 icmpv6 type echo-request accept
        ip protocol icmp icmp type echo-request accept
      
        # accept SSH connections (required for a server)
        tcp dport 22 accept
      
        # count and drop any other traffic
        counter drop
      }
      
      # Allow all outgoing connections.
      chain output {
        type filter hook output priority 0;
        accept
      }
      
      chain forward {
        type filter hook forward priority 0;
        accept
      }
    '';
    family = "inet";
  };
}

Declared

<nixpkgs/nixos/modules/services/networking/nftables.nix>