Nftables: Difference between revisions
(→Links)
Line 99: Line 99:
=Links=
*https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
+ *https://wiki.archlinux.org/index.php/nftables
Revision as of 11 November 2020, 19:16
Install
- apt-get install nftables
Create a basic table in the inet family (one table that sees both IPv4 and IPv6 traffic; use family ip or ip6 for a single-stack table)
- nft add table inet filter
List that table
- nft list table inet filter
table inet filter { }
Create base chains for input, output and forward traffic. The family has to be given here and in every later command: without it nft assumes family ip and will not find the inet table.
- nft add chain inet filter input { type filter hook input priority 0\; }
- nft add chain inet filter output { type filter hook output priority 0\; }
- nft add chain inet filter forward { type filter hook forward priority 0\; }
A base chain created without a policy has policy accept, so the accept rules below change nothing until the chain policy is set to drop (the example script further down does this with "policy drop;"). Switch the policy only after the conntrack and loopback rules are in place, otherwise an existing SSH session is cut off the moment the chain starts dropping.
Conntrack rules for input, output, forward: accept packets that belong to connections which were already allowed
- nft add rule inet filter input ct state established,related counter accept
- nft add rule inet filter output ct state established,related counter accept
- nft add rule inet filter forward ct state established,related counter accept
Loopback interface traffic is ok
- nft add rule inet filter input iifname "lo" counter accept
- nft add rule inet filter output oifname "lo" counter accept
Allow inbound ssh, http and https
- nft add rule inet filter input tcp dport 22 counter accept
- nft add rule inet filter input tcp dport 80 counter accept
- nft add rule inet filter input tcp dport 443 counter accept
Allow all outbound traffic
- nft add rule inet filter output counter accept
Allow selected forwarded traffic from ens19 to ens18. The forward chain only sees packets the kernel routes, so forwarding must be enabled as well (net.ipv4.ip_forward=1, and net.ipv6.conf.all.forwarding=1 for IPv6).
- nft add rule inet filter forward iifname "ens19" oifname "ens18" tcp dport 22 counter accept
- nft add rule inet filter forward iifname "ens19" oifname "ens18" tcp dport 443 counter accept
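The individual add commands above are applied one at a time, which is exactly the window in which a drop policy can lock you out. The following script is an added example (not from the original page): it writes the same inet filter table as one ruleset file, checks it with nft -c before loading, loads it atomically with policy drop, and arms a rollback timer that restores the previous ruleset unless the new one is confirmed. The port list 22/80/443, the 60 s window and the paths under /tmp are assumptions for the example; applying needs nft and root.

```shell
#!/bin/sh
# Added example, not from the original page: the filter table from the
# command sequence above as one ruleset, loaded atomically with a drop
# policy and a rollback timer. Assumptions (illustrative): ports 22/80/443
# are the services to expose, the rollback window is 60 s, /tmp is writable.
# Applying needs nft and root; building and printing the ruleset does not.

# build_ruleset PORTS -> prints a complete ruleset; PORTS is an nft set body
# such as "22, 80, 443". 'flush ruleset' at the top makes the file a full
# replacement, so loading it twice gives the same result.
build_ruleset() {
    ports="$1"
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # sessions already allowed (including the SSH session that loads
        # this file) and loopback are accepted first, so the drop policy
        # cannot cut off the administrator
        ct state established,related counter accept
        ct state invalid counter drop
        iifname "lo" counter accept
        icmp type echo-request counter accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } counter accept
        tcp dport { $ports } ct state new counter accept
        # everything else is logged and dropped explicitly
        counter log prefix "nft-input-drop " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related counter accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# apply_ruleset FILE: check the syntax without touching the kernel (nft -c),
# save the running ruleset, load FILE, and start a timer that restores the
# saved ruleset after 60 s unless confirm_ruleset is called in time.
apply_ruleset() {
    file="$1"
    nft -c -f "$file" || { echo "syntax error in $file, nothing applied" >&2; return 1; }
    { echo "flush ruleset"; nft list ruleset; } > /tmp/nft-rollback.nft
    nft -f "$file" || return 1
    ( sleep 60 && nft -f /tmp/nft-rollback.nft ) &
    echo "$!" > /tmp/nft-rollback.pid
    echo "loaded $file; run confirm_ruleset within 60 s to keep it" >&2
}

# confirm_ruleset: cancel the pending rollback.
confirm_ruleset() {
    kill "$(cat /tmp/nft-rollback.pid)" 2>/dev/null
    rm -f /tmp/nft-rollback.pid
}

# Set NFT_APPLY=1 to apply on a live system; otherwise only print the ruleset.
if [ "${NFT_APPLY:-0}" = 1 ]; then
    build_ruleset "22, 80, 443" > /tmp/inet-filter.nft
    apply_ruleset /tmp/inet-filter.nft
else
    build_ruleset "22, 80, 443"
fi
```

Run it without NFT_APPLY to review the generated file; with NFT_APPLY=1 it loads the rules and you have 60 s to run confirm_ruleset from a fresh SSH session. If that new session cannot connect, the timer puts the old ruleset back.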
Example Script
The script is loaded with nft -f (the shebang also lets it be executed directly). Everything in the file is applied as one transaction: either the whole ruleset loads or nothing changes. The tables are declared without a family, so they are in family ip and cover IPv4 only.
#!/usr/sbin/nft -f
# variable declaration
define tcp_lan_input_ports = { 8472, 53 }
define tcp_all_input_ports = { 80, 443 }
define udp_lan_input_ports = { 53 }
define tcp_for_input_ports = { 53 }
define udp_for_input_ports = { 53 }
# table declaration: add is a no-op when the table already exists, so the
# flush below works on the first run as well as on every reload
add table filter
add table nat
flush table filter
flush table nat
table filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related counter accept
    iifname "lo" counter accept
    # ports reachable only from the LAN interface
    iifname "ens19" tcp dport $tcp_lan_input_ports counter accept
    # ports reachable from any interface
    tcp dport $tcp_all_input_ports counter accept
    # not restricted to ens19 despite the name; add iifname "ens19" if that is intended
    udp dport $udp_lan_input_ports counter accept
    # anything else is logged and then dropped by the chain policy
    log prefix "nft-input "
  }
  chain output {
    type filter hook output priority 0; policy drop;
    ct state established,related counter accept
    # unconditional accept: the log line and the drop policy below are never reached
    counter accept
    log prefix "nft-output "
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related counter accept
    # traffic between hosts on the LAN side
    iifname "ens19" oifname "ens19" counter accept
    # LAN -> WAN: DNS and ping only
    iifname "ens19" oifname "ens18" tcp dport $tcp_for_input_ports counter accept
    iifname "ens19" oifname "ens18" udp dport $udp_for_input_ports counter accept
    iifname "ens19" oifname "ens18" icmp type echo-request counter accept
    log prefix "nft-forward "
  }
}
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0;
  }
  chain postrouting {
    type nat hook postrouting priority 0;
    # source NAT: the LAN leaves ens18 with its WAN address
    ip saddr 10.83.33.0/24 oifname "ens18" snat to 10.84.252.33
  }
}
List the table (add -a to also show the handle number of every chain and rule)
- nft list table inet filter
Flush the rules in chain filter/input (the chain, its hook and its policy stay in place)
- nft flush chain inet filter input
Delete the chain filter/input (the chain must be empty and not be a jump target, hence the flush first)
- nft delete chain inet filter input
Delete the table filter with all its chains and rules
- nft delete table inet filter
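Flushing a chain to get rid of one rule throws away every other rule with it. nft addresses single rules by handle, which nft -a list chain prints as a "# handle N" comment after each rule. The helper below is an added example (not from the original page) that looks the handle up from such a listing and deletes exactly that rule. The listing embedded in the script is a constructed sample in the format nft prints, so the lookup can be tried without root; the delete itself runs against the live ruleset.

```shell
#!/bin/sh
# Added example, not from the original page: delete one rule by handle
# instead of flushing the chain. SAMPLE_LISTING is a CONSTRUCTED sample in
# the format of 'nft -a list chain inet filter input' (handle numbers and
# counters are made up) so rule_handle can be exercised offline.

SAMPLE_LISTING='table inet filter {
    chain input { # handle 1
        type filter hook input priority 0; policy drop;
        ct state established,related counter packets 12 bytes 960 accept # handle 4
        iifname "lo" counter packets 0 bytes 0 accept # handle 5
        tcp dport 22 counter packets 3 bytes 180 accept # handle 6
        tcp dport 80 counter packets 0 bytes 0 accept # handle 7
    }
}'

# rule_handle LISTING PATTERN -> prints the handle of the first rule whose
# text contains PATTERN (a fixed string, so "tcp dport 22" also matches
# "tcp dport 2222"; make the pattern as specific as the rule), or returns 1
# when no rule matches. Chain header lines carry a handle too and are skipped.
rule_handle() {
    listing="$1"; pattern="$2"
    h=$(printf '%s\n' "$listing" \
        | grep -F -- "$pattern" \
        | grep -v 'chain ' \
        | sed -n 's/.*# handle \([0-9][0-9]*\)$/\1/p' \
        | head -n 1)
    [ -n "$h" ] || return 1
    printf '%s\n' "$h"
}

# delete_rule FAMILY TABLE CHAIN PATTERN: read the live chain with handles,
# resolve PATTERN to a handle and delete only that rule. Needs nft and root.
delete_rule() {
    family="$1"; table="$2"; chain="$3"; pattern="$4"
    listing=$(nft -a list chain "$family" "$table" "$chain") || return 1
    h=$(rule_handle "$listing" "$pattern") \
        || { echo "no rule matching '$pattern' in $family $table $chain" >&2; return 1; }
    nft delete rule "$family" "$table" "$chain" handle "$h"
}

# Offline demonstration on the constructed listing: resolves to handle 6.
rule_handle "$SAMPLE_LISTING" 'tcp dport 22'
# On a live system:  delete_rule inet filter input 'tcp dport 80'
```

Handles are only stable for the lifetime of the rule in the kernel: after a flush or a reload with nft -f the same rule text gets a new handle, so look it up again rather than scripting a fixed number.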