====== Firewall with nft ======
A ruleset that drops everything inbound except SSH (plus the IPv6 neighbour discovery a host needs) and that answers ARP requests only from specific MAC addresses:
table inet filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        # replies to connections this host opened, and related packets such as ICMP errors
        ct state { established, related } accept
        ct state invalid drop
        iifname "lo" accept
        # no ICMP at all for IPv4, no ping for IPv6; neighbour discovery must still work
        ip protocol icmp drop
        icmpv6 type echo-request drop
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        tcp dport 22 accept
    }
    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }
}
table arp filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        # answer ARP requests only from these two MAC addresses (example values)
        arp operation request ether saddr 12:34:56:78:9a:bc accept
        arp operation request ether saddr bc:9a:78:56:34:12 accept
        # replies to our own requests
        arp operation reply accept
    }
    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }
}
Note that the arp table filters only ARP. A host with a different MAC address cannot learn this machine's address via ARP, but a peer that already has a static ARP entry (or saw the address on the wire) still reaches the IP stack, because nothing in the inet table looks at the source MAC. To restrict IP traffic to those MACs as well, match ether saddr in the inet filter INPUT chain too.
nft list ruleset                                  # show the complete active ruleset
nft flush ruleset                                 # delete all tables, chains, sets and rules
nft --check -f /etc/nftables.conf                 # parse and validate a ruleset file without loading it
nft -f /etc/nftables.conf                         # load a ruleset file
nft list table inet filter                        # show one table with all its chains and rules (there is no "nft list rules" subcommand)
nft list tables                                   # show only the table names
nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]   # print ruleset changes as they happen
systemctl status nftables.service                 # state of the unit that loads /etc/nftables.conf at boot (Debian/Ubuntu)
To load the ruleset automatically at boot, put it into /etc/nftables.conf (the file the nftables.service unit runs on Debian and Ubuntu) and enable the unit:
vi /etc/nftables.conf
#!/usr/sbin/nft -f
# flush first, so that reloading the file replaces the old rules instead of appending duplicates
flush ruleset
table inet filter {
...

systemctl enable --now nftables.service
===== Making brute force against ssh harder =====
The following nft script lines (load them with nft -f, or type them in nft -i) add a dynamic set denylist to the inet filter table from above: a source that opens more than 3 new SSH connections per minute is put into the set and dropped for 5 minutes. The chain and the set must exist before the rules that reference them, and the jump has to be inserted in front of the "tcp dport 22 accept" rule in INPUT (insert prepends, add would append after the accept and the jump would never be reached):
add chain inet filter SSHBFORCE
add set inet filter denylist { type ipv4_addr; flags dynamic, timeout; timeout 5m; }
add rule inet filter SSHBFORCE ip protocol tcp ct state new, untracked limit rate over 3/minute add @denylist { ip saddr }
add rule inet filter SSHBFORCE ip saddr @denylist drop
insert rule inet filter INPUT tcp dport 22 ct state new counter jump SSHBFORCE
Caveat: limit rate in a rule is one counter for the whole rule, not one per source address. Once the limit is exceeded, from whichever hosts, every further source that opens a new SSH connection while it stays exceeded lands in denylist for 5 minutes, legitimate admins included. A per-source limit needs a dynamic set whose elements carry the limit (a meter).
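The complete ruleset as one /etc/nftables.conf, with the per-source variant of the SSH guard and the MAC allowlist enforced at both the ARP and the IP level, as an added example that is not from the original page. The two MAC addresses and the 3/minute rate are the page's placeholder values; the set names allowed_macs and ssh_meter and the chain services are my own. The per-source limit is a dynamic set whose elements carry a limit expression (nftables calls this a meter), which needs a reasonably recent nftables and kernel. nft's limit keeps a burst (5 packets by default), so the first few connections from a source always pass before the "over" condition engages. Only IPv4 sources are rate-limited; IPv6 SSH would need a second pair of sets of type ipv6_addr.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the original page: a complete /etc/nftables.conf
# that combines the MAC allowlist with a per-source SSH brute-force guard.
# The two MAC addresses and the 3/minute threshold are placeholders taken
# from the page; adjust them for the real hosts.
flush ruleset

table inet filter {
    # Hosts allowed to talk IP to this machine (placeholder addresses)
    set allowed_macs {
        type ether_addr
        elements = { 12:34:56:78:9a:bc, bc:9a:78:56:34:12 }
    }

    # One rate-limit bucket per source address; idle entries expire after a minute
    set ssh_meter {
        type ipv4_addr
        size 65535
        flags dynamic, timeout
        timeout 1m
    }

    # Sources that exceeded the limit; an entry blocks its source for 5 minutes
    set denylist {
        type ipv4_addr
        size 65535
        flags dynamic, timeout
        timeout 5m
    }

    chain INPUT {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state { established, related } accept
        ct state invalid drop
        # Only frames from allowlisted MACs reach the service rules; every other
        # frame (including IPv6 neighbour discovery) falls through to the chain
        # policy and is dropped.
        ether saddr @allowed_macs jump services
    }

    chain services {
        ip protocol icmp drop
        icmpv6 type echo-request drop
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        # new SSH connections go through the brute-force guard first
        tcp dport 22 ct state new counter jump SSHBFORCE
        tcp dport 22 accept
    }

    chain SSHBFORCE {
        # Already listed: drop right away, no need to consult the meter
        ip saddr @denylist counter drop
        # The limit lives in the set element, so it is counted per source.
        # "over" means: continue the rule only once this source exceeds the
        # rate; below the rate the rule stops here and the packet is accepted
        # by the "tcp dport 22 accept" rule in chain services.
        update @ssh_meter { ip saddr limit rate over 3/minute } add @denylist { ip saddr } counter drop
    }

    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }
}

table arp filter {
    # Sets belong to a table, so the allowlist is repeated for the ARP hook
    set allowed_macs {
        type ether_addr
        elements = { 12:34:56:78:9a:bc, bc:9a:78:56:34:12 }
    }

    chain INPUT {
        type filter hook input priority filter; policy drop;
        arp operation request ether saddr @allowed_macs accept
        arp operation reply accept
    }

    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }
}
```

Validate the file with nft --check -f /etc/nftables.conf before loading it with nft -f, and watch the counters with nft list table inet filter while testing from a host that is not in allowed_macs: its SSH attempts must not even reach SSHBFORCE, and a listed host that exceeds the rate shows up in nft list set inet filter denylist with its remaining timeout.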