一个工作站的简单规则集

fw.basic

table ip filter {
    chain input {
        type filter hook input priority 0;

        # accept traffic originated from us
        ct state established,related accept

        # accept any localhost traffic
        iif lo accept

        # count and drop any other traffic
        counter drop
    }
}

fw6.basic

table ip6 filter {
    chain input {
        type filter hook input priority 0;

        # accept any localhost traffic
        iif lo accept

        # accept traffic originated from us
        ct state established,related accept

        # accept neighbour discovery otherwise connectivity breaks
        icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

        # count and drop any other traffic
        counter drop
    }
}

fw.inet.basic

inet 从 Linux 内核 3.14 版本之后可用，它允许你创建 IPv4 和 IPv6 表。跟以前的规则集相比唯一的变换是 inet` 关键字。

table inet filter {
    chain input {
        type filter hook input priority 0;

        # accept any localhost traffic
        iif lo accept

        # accept traffic originated from us
        ct state established,related accept

        # accept neighbour discovery otherwise connectivity breaks. daddr filter is a workaround to set l3 protocol.
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

         # count and drop any other traffic
         counter drop
    }
}