🚧 Firewall

If you wish, here is a basic example using nftables to protect your server.

Enable nftables

# systemctl enable nftables

Edit the file /etc/nftables.conf

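#!/usr/sbin/nft -f

# Start from an empty ruleset so that loading this file gives the same result every time.
# NOTE: this removes every rule that is currently loaded, not only the rules from this file.
# Before loading, check the syntax with
#   nft -c -f /etc/nftables.conf
# and confirm that the address you administer the server from is listed in
# FULL_ACCESS4 / FULL_ACCESS6: port 22 is only reachable from those sets.
flush ruleset

# SERVER IPs
# Define the IPv4/6 address(es) of the server interface.
# The values below are examples; replace them with the server's own addresses.
# The drop rules in the input chain match on these destinations only, so an
# address that is missing here is not protected by this ruleset.
define IPV4_SERV = { 200.200.200.200 }
define IPV6_SERV = { 2001:db8:1::cafe }

# Ports open to EVERYONE
# Set the ports you want to leave open to the world (TCP and UDP are both opened).
# 0 appears to be a placeholder meaning "no public port"; replace it only with
# ports that really must be reachable from any source.
define PORTS_ACCEP_PUB = { 0 }

# Define the ports that will be restricted only to the lists
# FULL_ACCESS4 and FULL_ACCESS6 (Don't forget to include the ports that will receive the flows e.g.: 3055, 3056, 3057)
# Keep this list as short as possible: each port here is opened for TCP and UDP.
define PORTS_ACCEP_ADM = { 5000, 3000, 22, 3055, 3056, 3057 }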

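table inet filter {

    # Source networks that may reach the administrative ports (PORTS_ACCEP_ADM)
    # and ping the server. The entries are examples: keep only the networks you
    # really administer the server from.
    set FULL_ACCESS4 {
        type ipv4_addr
        flags interval
        elements = {
            127.0.0.0/8,
            192.168.0.0/24
        }
    }
    # IPv6 counterpart of FULL_ACCESS4.
    set FULL_ACCESS6 {
        type ipv6_addr
        flags interval
        elements = {
            ::1,
            aaaa:aaaa:aaaa::/48
        }
    }

    chain input {
        # The chain declaration appears once, before the rules.
        # NOTE: the policy stays "accept" (the default when none is given); only
        # packets addressed to IPV4_SERV / IPV6_SERV are dropped by the final rules.
        # Traffic to any other local address (additional IPs, link-local) is not filtered.
        type filter hook input priority 0; policy accept;

        # Accept ICMP only from permitted origins
        ip saddr @FULL_ACCESS4 ip protocol icmp icmp type echo-request accept
        ip6 nexthdr icmpv6 ip6 saddr @FULL_ACCESS6 icmpv6 type echo-request accept

        # Accept IPv6 Neighbor Discovery from on-link hosts (hop limit 255 cannot
        # be produced by a packet that crossed a router). These messages are not
        # matched by the established/related rule below, and without them the
        # server's IPv6 address stops being reachable once neighbor entries expire.
        ip6 hoplimit 255 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } counter accept

        # ALLOW PUBLIC ACCESS PORTS
        ip  saddr 0.0.0.0/0 ip daddr { $IPV4_SERV } tcp dport { $PORTS_ACCEP_PUB } counter accept
        ip  saddr 0.0.0.0/0 ip daddr { $IPV4_SERV } udp dport { $PORTS_ACCEP_PUB } counter accept
        ip6 saddr ::/0 ip6 daddr { $IPV6_SERV } tcp dport { $PORTS_ACCEP_PUB } counter accept
        ip6 saddr ::/0 ip6 daddr { $IPV6_SERV } udp dport { $PORTS_ACCEP_PUB } counter accept

        # Allow access to ports on all IPs from permitted origins
        ip  saddr @FULL_ACCESS4 tcp dport { $PORTS_ACCEP_ADM } counter accept
        ip  saddr @FULL_ACCESS4 udp dport { $PORTS_ACCEP_ADM } counter accept
        ip6 saddr @FULL_ACCESS6 tcp dport { $PORTS_ACCEP_ADM } counter accept
        ip6 saddr @FULL_ACCESS6 udp dport { $PORTS_ACCEP_ADM } counter accept

        # Accept replies to connections the server itself opened (and ICMP errors
        # related to them), then drop everything else addressed to the server.
        # The counters on the drop rules show how much traffic is being rejected:
        #   nft list ruleset
        ip  daddr { $IPV4_SERV } ct state related,established counter accept
        ip  daddr { $IPV4_SERV } counter drop
        ip6 daddr { $IPV6_SERV } ct state related,established counter accept
        ip6 daddr { $IPV6_SERV } counter drop
    }
    # No rules and no policy: forwarded packets are accepted by this table.
    # Whether the host forwards at all is decided by the kernel's forwarding setting.
    chain forward {
        type filter hook forward priority 0;
    }
    # No rules and no policy: outgoing traffic is not restricted.
    chain output {
        type filter hook output priority 0;
    }
}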

Restart nftables to load the configuration

# systemctl restart nftables