Nftables: Difference between revisions
Line 27: | Line 27: | ||
=Delete the table filter= | =Delete the table filter= | ||
*nft delete table inet filter | *nft delete table inet filter | ||
+ | |||
+ | =Example Script= | ||
+ | <pre> | ||
+ | #!/usr/sbin/nft -f | ||
+ | #variable declaration | ||
+ | define tcp_lan_input_ports = { 8472, 53 } | ||
+ | define tcp_all_input_ports = { 80, 443 } | ||
+ | define udp_lan_input_ports = { 53 } | ||
+ | define tcp_for_input_ports = { 53 } | ||
+ | define udp_for_input_ports = { 53 } | ||
+ | |||
+ | # table declaration | ||
+ | add table filter | ||
+ | add table nat | ||
+ | flush chain filter input | ||
+ | flush chain filter output | ||
+ | flush chain filter forward | ||
+ | table filter { | ||
+ | chain input { | ||
+ | type filter hook input priority 0; policy drop; | ||
+ | ct state established,related counter packets 97 bytes 6640 accept | ||
+ | iifname "lo" counter accept | ||
+ | iifname "ens19" tcp dport $tcp_lan_input_ports counter accept | ||
+ | tcp dport $tcp_all_input_ports counter accept | ||
+ | udp dport $udp_lan_input_ports counter accept | ||
+ | log prefix "nft-input " | ||
+ | } | ||
+ | |||
+ | chain output { | ||
+ | type filter hook output priority 0; policy drop; | ||
+ | ct state established,related counter accept | ||
+ | counter accept | ||
+ | log prefix "nft-output " | ||
+ | } | ||
+ | |||
+ | chain forward { | ||
+ | type filter hook forward priority 0; policy drop; | ||
+ | ct state established,related counter accept | ||
+ | iifname "ens19" oifname "ens19" counter accept | ||
+ | iifname "ens19" oifname "ens18" tcp dport $tcp_for_input_ports counter accept | ||
+ | iifname "ens19" oifname "ens18" udp dport $udp_for_input_ports counter accept | ||
+ | iifname "ens19" oifname "ens18" icmp type echo-request counter accept | ||
+ | log prefix "nft-forward " | ||
+ | } | ||
+ | } | ||
+ | </pre> |
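Review bot: `add table filter` and `table filter {` name no address family, so this is the `ip` (IPv4) family and the three `policy drop` chains never see IPv6 traffic; the rest of the page uses `inet filter`, so `table inet filter {` (with the same change on the `add` and `flush` lines) would give one table for both. Two further points: the `flush chain filter input`/`output`/`forward` lines come before the chains are declared, so on a host where they do not exist yet the flush errors out and `nft -f` loads nothing (`flush table filter` right after `add table filter`, or `add chain` lines before the flushes, avoids that); and in `chain output` the unconditional `counter accept` sits in front of `log prefix "nft-output "`, so that log rule and the chain's drop policy can never be reached. Style: `counter packets 97 bytes 6640` on the first input rule looks copied from `nft list` output and can be reduced to `counter`, and `add table nat` is never used.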
Revision as of 12 November 2019, 15:24
Install
- apt-get install nftables
Create a basic IPv4 table
- nft add table inet filter
List that table
- nft list table inet filter
table inet filter { }
Create a chain for input traffic IPv4
- nft add chain inet filter input { type filter hook input priority 0\; }
A rule to check that all is fine (IPv4)
- nft add rule inet filter input counter accept
List that table
- nft list table inet filter
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        counter packets 47 bytes 3100 accept
    }
}
Flush rules in chain filter/input
- nft flush chain inet filter input
Delete the chain filter/input
- nft delete chain inet filter input
Delete the table filter
- nft delete table inet filter
Example Script
#!/usr/sbin/nft -f
# variable declaration
define tcp_lan_input_ports = { 8472, 53 }
define tcp_all_input_ports = { 80, 443 }
define udp_lan_input_ports = { 53 }
define tcp_for_input_ports = { 53 }
define udp_for_input_ports = { 53 }

# table declaration; no family is given, so this is the ip (IPv4-only) family
add table filter
add table nat
# flush the rules of every chain in the table; unlike "flush chain", this
# also works on a host where the chains do not exist yet
flush table filter
table filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related counter accept
        iifname "lo" counter accept
        iifname "ens19" tcp dport $tcp_lan_input_ports counter accept
        tcp dport $tcp_all_input_ports counter accept
        udp dport $udp_lan_input_ports counter accept
        log prefix "nft-input "
    }

    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related counter accept
        counter accept
        log prefix "nft-output "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related counter accept
        iifname "ens19" oifname "ens19" counter accept
        iifname "ens19" oifname "ens18" tcp dport $tcp_for_input_ports counter accept
        iifname "ens19" oifname "ens18" udp dport $udp_for_input_ports counter accept
        iifname "ens19" oifname "ens18" icmp type echo-request counter accept
        log prefix "nft-forward "
    }
}
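The following POSIX shell script is an added example and not code from the wiki page. It renders the rules of the example script above as an `inet` table (one table for IPv4 and IPv6, as the `nft add table inet filter` steps earlier on the page use), checks the file with `nft -c -f` before loading it, and arms a timed rollback so that a mistake in a `policy drop` chain cannot lock the administrator out of a remote host. The interface names ens19 (LAN) and ens18 (upstream) and the port sets are taken from the page's script; the file paths, the 60-second grace period, the `ct state invalid` drops, the explicit `log ... drop` at the end of each drop-policy chain and the ICMPv6 neighbour-discovery rule (without which an `inet` table with a drop policy breaks IPv6 on the host) are additions made for this example.

```shell
#!/bin/sh
# Added example, not code from the wiki page: renders the page's filter rules
# as an inet-family table (one table for IPv4 and IPv6), checks the file with
# "nft -c" before loading, and arms a timed rollback so a mistake in a
# "policy drop" chain cannot lock the admin out of a remote host.
# Assumptions: interfaces ens19 (LAN) and ens18 (upstream) and the port sets
# are taken from the page's script; the file paths and the 60 s grace period
# are made up for this example.

RULESET_FILE="${RULESET_FILE:-/tmp/filter.nft}"
BACKUP_FILE="${BACKUP_FILE:-/tmp/ruleset-before.nft}"

# Write a complete nft script to $1. "add table" followed by "flush table"
# is safe on a fresh host and idempotent on every reload.
render_ruleset() {
    cat >"$1" <<'EOF'
#!/usr/sbin/nft -f
define tcp_lan_input_ports = { 8472, 53 }
define tcp_all_input_ports = { 80, 443 }
define udp_lan_input_ports = { 53 }
define tcp_for_input_ports = { 53 }
define udp_for_input_ports = { 53 }

add table inet filter
flush table inet filter
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related counter accept
        ct state invalid counter drop
        iifname "lo" counter accept
        # IPv6 needs neighbour discovery even with a drop policy
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } counter accept
        iifname "ens19" tcp dport $tcp_lan_input_ports counter accept
        tcp dport $tcp_all_input_ports counter accept
        udp dport $udp_lan_input_ports counter accept
        # log, then drop explicitly, so every refused packet shows up in the log
        log prefix "nft-input " counter drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
        counter accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related counter accept
        ct state invalid counter drop
        iifname "ens19" oifname "ens19" counter accept
        iifname "ens19" oifname "ens18" tcp dport $tcp_for_input_ports counter accept
        iifname "ens19" oifname "ens18" udp dport $udp_for_input_ports counter accept
        iifname "ens19" oifname "ens18" icmp type echo-request counter accept
        iifname "ens19" oifname "ens18" icmpv6 type echo-request counter accept
        log prefix "nft-forward " counter drop
    }
}
EOF
}

# Syntax-check $1, save the live ruleset (prefixed with "flush ruleset" so
# restoring it replaces rather than duplicates rules), load $1, and restore
# the backup after $2 seconds unless confirm_ruleset was run. Needs root.
apply_with_rollback() {
    file=$1
    grace=${2:-60}
    command -v nft >/dev/null 2>&1 || { echo "nft is not installed" >&2; return 2; }
    nft -c -f "$file" || { echo "check failed, nothing was loaded" >&2; return 1; }
    { echo "flush ruleset"; nft list ruleset; } >"$BACKUP_FILE"
    nft -f "$file" || return 1
    touch "$BACKUP_FILE.pending"
    ( sleep "$grace"; [ -e "$BACKUP_FILE.pending" ] && nft -f "$BACKUP_FILE" ) &
    echo "loaded $file; run confirm_ruleset within ${grace}s to keep it"
}

# Cancel the pending rollback once the new rules are known to be good.
confirm_ruleset() {
    rm -f "$BACKUP_FILE.pending"
}

# usage: ./filter.sh apply    (render, check, load with a 60 s rollback)
if [ "${1:-}" = "apply" ]; then
    render_ruleset "$RULESET_FILE"
    apply_with_rollback "$RULESET_FILE" 60
fi
```

After `apply`, log in over a second session and run `confirm_ruleset` (or simply `rm /tmp/ruleset-before.nft.pending`) within the grace period; if the new rules have cut the connection, the background timer restores the saved ruleset on its own. Dropped packets show up in the kernel log under the `nft-input ` and `nft-forward ` prefixes, which is where to look when a service that should be reachable is not.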