Nftables

From xinux.net

Install

  • apt-get install nftables

Create a basic table (family inet, which covers both IPv4 and IPv6)

  • nft add table inet filter

List that table

  • nft list table inet filter
table inet filter {
}

Create a base chain for input traffic (family inet, so IPv4 and IPv6)

  • nft add chain inet filter input { type filter hook input priority 0\; }

A rule to check that all is fine (the counter shows whether packets reach the chain)

  • nft add rule inet filter input counter accept

List that table

  • nft list table inet filter
table inet filter {
	chain input {
		type filter hook input priority 0; policy accept;
		counter packets 47 bytes 3100 accept
	}
}

Flush rules in chain filter/input

  • nft flush chain inet filter input

Delete the chain filter/input

  • nft delete chain inet filter input

Delete the table filter

  • nft delete table inet filter

Example Script

#!/usr/sbin/nft -f
# variable declaration
define tcp_lan_input_ports = { 8472, 53 }
define tcp_all_input_ports = { 80, 443 }
define udp_lan_input_ports = { 53 }
define tcp_for_input_ports = { 53 }
define udp_for_input_ports = { 53 }

# table declaration
# "table filter" without a family keyword is the ip (IPv4-only) family.
add table filter
# the nat table is created here but no chains are defined for it below
add table nat
# flush the whole table instead of the single chains: flushing a chain
# fails on a fresh system where the chains do not exist yet, flushing
# the table is harmless and makes the script re-runnable
flush table filter
table filter {
        chain input {
                type filter hook input priority 0; policy drop;
                ct state established,related counter accept
                iifname "lo" counter accept
                iifname "ens19" tcp dport $tcp_lan_input_ports counter accept
                tcp dport $tcp_all_input_ports counter accept
                udp dport $udp_lan_input_ports counter accept
                # anything that reaches this line is logged and then dropped by the policy
                log prefix "nft-input "
        }

        chain output {
                type filter hook output priority 0; policy drop;
                ct state established,related counter accept
                # every outgoing packet is accepted here, so the log rule below is never reached
                counter accept
                log prefix "nft-output "
        }

        chain forward {
                type filter hook forward priority 0; policy drop;
                ct state established,related counter accept
                iifname "ens19" oifname "ens19" counter accept
                iifname "ens19" oifname "ens18" tcp dport $tcp_for_input_ports counter accept
                iifname "ens19" oifname "ens18" udp dport $udp_for_input_ports counter accept
                iifname "ens19" oifname "ens18" icmp type echo-request counter accept
                # forwarded packets not matched above are logged and then dropped by the policy
                log prefix "nft-forward "
        }
}
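The log rules at the end of each chain write netfilter LOG lines to the kernel log with the prefixes nft-input, nft-output and nft-forward; the packets they record are the ones the drop policy is about to discard. Added example, not part of the wiki page: a small Python parser that reads such lines (the key=value field layout of the netfilter LOG target is assumed; the sample lines, addresses and ports are constructed) and tallies what is being dropped per chain, protocol and destination port.

```python
import re
from collections import Counter

# Constructed kernel log lines in the netfilter LOG layout, carrying the
# prefixes from the script above. Addresses and ports are made up.
SAMPLE_LOG = """\
[ 1021.334] nft-input IN=ens18 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44123 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
[ 1021.901] nft-input IN=ens18 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.3 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=50211 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 1022.117] nft-input IN=ens18 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=55 ID=1 PROTO=UDP SPT=123 DPT=123 LEN=56
[ 1022.540] audit: type=1400 apparmor="STATUS" operation="profile_load" profile="unconfined"
[ 1023.002] nft-forward IN=ens19 OUT=ens18 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=10.0.0.5 DST=203.0.113.80 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=39001 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# the three log prefixes used by the example script
PREFIXES = ("nft-input", "nft-output", "nft-forward")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the key=value fields of a line carrying one of the script's
    log prefixes, plus a "chain" entry; return None for any other line.
    Flag tokens such as DF or SYN carry no '=' and are skipped."""
    for prefix in PREFIXES:
        idx = line.find(prefix + " ")
        if idx != -1:
            fields = dict(FIELD_RE.findall(line[idx + len(prefix):]))
            fields["chain"] = prefix[len("nft-"):]
            return fields
    return None


def summarize(text):
    """Count logged (and therefore dropped) packets per (chain, proto, dport).
    ICMP lines have no DPT, so '-' is used for them."""
    tally = Counter()
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        key = (fields["chain"], fields.get("PROTO", "?"), fields.get("DPT", "-"))
        tally[key] += 1
    return tally


if __name__ == "__main__":
    for (chain, proto, dport), n in summarize(SAMPLE_LOG).most_common():
        print(f"{chain:8} {proto:5} dport {dport:>5}: {n} dropped")
```

On a real host feed it the output of `dmesg` or `journalctl -k` instead of SAMPLE_LOG; a port that shows up repeatedly in the input chain is either a scan or a service you forgot to allow.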