The Linux firewall has moved from iptables to nftables: Debian 10 ("buster") makes nftables the default framework, and the iptables command shipped there is a compatibility layer (iptables-nft) on top of nf_tables. That means the firewall rules have to be written anew. Below is a simple nft script file. To use it, save it as nft.sh, give it execute permission with chmod +x ./nft.sh, and run it as root via su or sudo (for example sudo ./nft.sh; the shebang line hands the file to nft -f). Confirmed on Debian buster.
#!/usr/sbin/nft -f
# This script needs root privileges: run it with "su" or "sudo".
# "flush ruleset" removes every table, including ones other tools
# (e.g. Docker, libvirt) may have created; the rules below replace them all.
flush ruleset
add table inet filter
# Base chains. The hook decides which traffic a chain sees, so the forward
# chain must attach to the "forward" hook and the output chain to "output".
add chain inet filter input {type filter hook input priority 0; policy drop;}
add chain inet filter forward {type filter hook forward priority 0; policy drop;}
add chain inet filter output {type filter hook output priority 0; policy accept;}
# Local host accept
add rule inet filter input iif lo accept
# Established connections. Evaluated first so that replies to our own
# outgoing connections are accepted before the drop rules further down can
# discard them (e.g. replies from a 10.0.0.0/8 server on the LAN), and so
# the SSH rate limit at the end counts only new connection attempts.
add rule inet filter input ct state invalid drop
add rule inet filter input ct state established,related accept
# ICMPv6 accept. These stay above the broadcast/multicast drop because
# neighbour discovery and router advertisements are sent to multicast
# addresses; dropping them silently breaks IPv6 connectivity. "meta l4proto"
# also matches when IPv6 extension headers precede the ICMPv6 header.
add rule inet filter input meta l4proto ipv6-icmp icmpv6 type echo-request limit rate 10/minute accept
add rule inet filter input meta l4proto ipv6-icmp icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert} accept
# ICMPv4 accept
add rule inet filter input ip protocol icmp icmp type echo-request limit rate 10/minute accept
add rule inet filter input ip protocol icmp icmp type {destination-unreachable, router-advertisement, time-exceeded, parameter-problem} accept
# Broadcast/multicast drop (this also drops mDNS, SSDP, DHCPv6 and similar)
add rule inet filter input meta pkttype {broadcast, multicast} drop
# Fragment drop. With conntrack loaded, IPv4 fragments are reassembled
# before this hook, so the first rule mostly just counts stray fragments.
add rule inet filter input ip frag-off & 0x1fff != 0 counter drop
add rule inet filter input ip6 nexthdr ipv6-frag drop
# IP spoofing drop: packets claiming a private, link-local, documentation
# or broadcast address as their source. Remove any range your own LAN uses
# (on a 10.x.x.x network this would drop every new connection from the LAN),
# and note that 192.168.0.0/16 is not in this list.
add rule inet filter input ip saddr 10.0.0.0/8 counter drop
add rule inet filter input ip saddr 172.16.0.0/12 counter drop
add rule inet filter input ip saddr 169.254.0.0/16 counter drop
add rule inet filter input ip saddr 192.0.2.0/24 counter drop
add rule inet filter input ip daddr 255.255.255.255 counter drop
# SSH accept. If you want SSH, remove the leading "#" on the next line.
# "ct state new" rate-limits connection attempts only, not the packets of
# sessions that are already established.
#add rule inet filter input tcp dport ssh ct state new limit rate 10/minute accept
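Before loading a ruleset file like the one above, check it. The shell script below is an added example, not part of the original post: it verifies that each base chain's name matches the hook it attaches to (a chain named forward that hooks input is syntactically valid, so nft's own syntax check accepts it), runs nft -c for a syntax check without touching the kernel, loads the file atomically, and can copy it to /etc/nftables.conf so Debian's nftables.service restores it at boot. The default path ./nft.sh, the script name nft-deploy.sh and the function names are this example's own assumptions, and the chain check expects the "add chain ..." form used above.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks and
# deployment for an nft ruleset file written in the "add chain ..." form.
# The default path ./nft.sh is an assumption.
set -eu

# Report every base chain whose name differs from the hook it attaches to
# (expected: input->input, forward->forward, output->output). nft accepts
# "add chain inet filter forward {type filter hook input ...}" as valid
# syntax, so "nft -c" alone does not catch this copy-and-paste mistake.
# Returns 0 when all chains are consistent, 1 otherwise.
check_chain_hooks() {
    awk '
        BEGIN { bad = 0 }
        /^add chain/ {
            name = $5; hook = ""
            for (i = 1; i <= NF; i++)
                if ($i == "hook") { hook = $(i + 1); sub(/[;}].*/, "", hook) }
            if (hook != "" && name != hook) {
                printf "chain %s is attached to the %s hook\n", name, hook > "/dev/stderr"
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Syntax-check the file without touching the kernel (nft -c), then load it
# and show what is now active. nft -f applies the file as one transaction,
# so a parse error leaves the currently loaded rules untouched.
apply_ruleset() {
    check_chain_hooks "$1"
    nft -c -f "$1"
    nft -f "$1"
    nft list ruleset
}

# Rules loaded by hand do not survive a reboot. Debian's nftables.service
# loads /etc/nftables.conf at boot, so install the file there and enable it.
persist_ruleset() {
    cp "$1" /etc/nftables.conf
    systemctl enable nftables.service
}

# Usage: ./nft-deploy.sh check|apply|persist [ruleset-file]
if [ "$#" -gt 0 ]; then
    file="${2:-./nft.sh}"
    case "$1" in
        check)   check_chain_hooks "$file" && echo "base chain hooks look consistent" ;;
        apply)   apply_ruleset "$file" ;;
        persist) persist_ruleset "$file" ;;
        *)       echo "usage: $0 check|apply|persist [ruleset-file]" >&2; exit 2 ;;
    esac
fi
```

Run `./nft-deploy.sh check ./nft.sh` as an ordinary user first; only `apply` and `persist` need root, because they call nft and write under /etc.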