example-desktop.nft

#!/usr/sbin/nft -f

flush ruleset

## Note: You will probably have to change some of these IPs and rules
## to match your home network. For IPv6 I used a /32 instead of a /64
## because my IPv6 prefix is dynamic.

define HOME_IPV4 = {
  192.168.2.0/24
}

define HOME_IPV6 = {
  2001:5b0::/32
}

define PRIVATE_IPV4 = {
  10.0.0.0/8,
  192.168.0.0/16,
  172.16.0.0/12
}

define PRIVATE_IPV6 = {
  fe80::/10,
  fd00::/8
}

table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;
                ct state invalid counter drop comment "early drop of invalid packets"
                ct state {established, related} counter accept comment "accept all connections related to connections made by us"
                meta l4proto icmp icmp type echo-request limit rate over 10/second burst 4 packets drop comment "No ping floods"
                meta l4proto ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 4 packets drop comment "No ping floods"
                iif lo accept comment "accept loopback"
                iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
                iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
                ip protocol icmp counter accept comment "accept all ICMP types"
                ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
                ip protocol igmp accept comment "Accept IGMP"
                udp dport 5353 accept comment "Accept mDNS"

                # SSH
                tcp dport 22 accept

                # SMB
                tcp dport {139,445} ip saddr {$HOME_IPV4} accept
                tcp dport {139,445} ip6 saddr {$HOME_IPV6} accept

                # NetBIOS
                udp dport {137,138} ip saddr {$HOME_IPV4} accept
                udp dport {137,138} ip6 saddr {$HOME_IPV6} accept

                # WSDD
                tcp dport 5357 accept
                udp dport 3702 accept
                
                # VNC
                tcp dport 5900 ip saddr {$HOME_IPV4} accept
        }

        chain forward {
                type filter hook forward priority 0; policy drop;             
        }
        
        chain output {
                type filter hook output priority 0; policy accept;
        }
}