From 0b9a0382f8f1497c7b426014066df58854f85f34 Mon Sep 17 00:00:00 2001 From: cadupuy Date: Tue, 30 Jan 2024 21:52:30 +0100 Subject: [PATCH] reorder nftables rules for remote access preservation --- how-to-configure-hardened-debian-server/README.md | 6 ++++-- how-to-configure-hardened-raspberry-pi/README.md | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/how-to-configure-hardened-debian-server/README.md b/how-to-configure-hardened-debian-server/README.md index c4ed9f0..d6b78bd 100644 --- a/how-to-configure-hardened-debian-server/README.md +++ b/how-to-configure-hardened-debian-server/README.md @@ -205,17 +205,19 @@ systemctl start nftables ```shell nft flush ruleset nft add table ip firewall -nft add chain ip firewall input { type filter hook input priority 0 \; policy drop \; } +nft add chain ip firewall input { type filter hook input priority 0 \; } nft add rule ip firewall input iif lo accept nft add rule ip firewall input iif != lo ip daddr 127.0.0.0/8 drop nft add rule ip firewall input tcp dport ssh accept nft add rule ip firewall input ct state established,related accept +nft add chain ip firewall input { type filter hook input priority 0 \; policy drop \; } nft add chain ip firewall forward { type filter hook forward priority 0 \; policy drop \; } -nft add chain ip firewall output { type filter hook output priority 0 \; policy drop \; } +nft add chain ip firewall output { type filter hook output priority 0 \; } nft add rule ip firewall output oif lo accept nft add rule ip firewall output tcp dport { http, https } accept nft add rule ip firewall output udp dport { domain, ntp } accept nft add rule ip firewall output ct state established,related accept +nft add chain ip firewall output { type filter hook output priority 0 \; policy drop \; } ``` If network is IPv4-only, run: diff --git a/how-to-configure-hardened-raspberry-pi/README.md b/how-to-configure-hardened-raspberry-pi/README.md index b3033f6..d5209d8 100644 
--- a/how-to-configure-hardened-raspberry-pi/README.md +++ b/how-to-configure-hardened-raspberry-pi/README.md @@ -302,17 +302,19 @@ systemctl start nftables ```shell nft flush ruleset nft add table ip firewall -nft add chain ip firewall input { type filter hook input priority 0 \; policy drop \; } +nft add chain ip firewall input { type filter hook input priority 0 \; } nft add rule ip firewall input iif lo accept nft add rule ip firewall input iif != lo ip daddr 127.0.0.0/8 drop nft add rule ip firewall input tcp dport ssh accept nft add rule ip firewall input ct state established,related accept +nft add chain ip firewall input { type filter hook input priority 0 \; policy drop \; } nft add chain ip firewall forward { type filter hook forward priority 0 \; policy drop \; } -nft add chain ip firewall output { type filter hook output priority 0 \; policy drop \; } +nft add chain ip firewall output { type filter hook output priority 0 \; } nft add rule ip firewall output oif lo accept nft add rule ip firewall output tcp dport { http, https } accept nft add rule ip firewall output udp dport { domain, ntp } accept nft add rule ip firewall output ct state established,related accept +nft add chain ip firewall output { type filter hook output priority 0 \; policy drop \; } ``` If network is IPv4-only, run:
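Review bot: in the how-to-configure-hardened-debian-server/README.md hunk the reordering leaves a short window where the host is unfiltered, because a base chain created without an explicit `policy` (the new `nft add chain ip firewall input { type filter hook input priority 0 \; }` line) defaults to accept until the closing `nft add chain ip firewall input { type filter hook input priority 0 \; policy drop \; }` line runs. That is the right trade to keep the SSH session alive when the commands are typed one by one, but the README should say so: explain that the second `add chain` on an existing base chain only updates its policy (readers will otherwise take it for a duplicate line), and that the `tcp dport ssh accept` and `ct state established,related accept` rules must be in place before the policy flips. The cleaner fix is to put the block in a file and load it with `nft -f`, which applies the whole ruleset atomically, so neither the accept window nor the lock-out risk exists; consider adding that as the recommended form and keeping the interactive sequence as the fallback.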
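Review bot: the how-to-configure-hardened-raspberry-pi/README.md hunk is a verbatim copy of the Debian server change, so the same caveat applies (chain defaults to accept between the first `add chain ... input` line and the final `policy drop` line, and the established/related and ssh accept rules must precede the policy change, which they do here). Since the two READMEs now carry identical nftables blocks that have already needed the same fix twice, consider cross-referencing the Debian section from this one or noting in both files that the block is shared, so the copies do not drift the next time the rule order changes.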