Nftables: Difference between revisions
(Created page with "=Initial Config= # Disable firewalld and enable nftables: ## <code>systemctl disable --now firewalld</code> ## <code>systemctl mask firewalld</code> ## <code>nft flush ruleset</code> ## <code>systemctl enable --now nftables</code> # Create a new inet table called "filter":<br/><code>nft add table inet filter</code> # Create a chain called "INPUT" (in the filter table):<br/><code>nft add chain inet filter INPUT { type filter hook input priority 0 \; policy accept\; }</co...") |
(No difference)
|
Revision as of 01:45, 18 November 2023
Initial Config
- Disable firewalld and enable nftables:
systemctl disable --now firewalldsystemctl mask firewalldnft flush rulesetsystemctl enable --now nftables
- Create a new inet table called "filter":
nft add table inet filter - Create a chain called "INPUT" (in the filter table):
nft add chain inet filter INPUT { type filter hook input priority 0 \; policy accept\; }- defines type: filter, hook: input, priority: 0 (highest)
- Create a new rule allowing localhost traffic (in the INPUT chain):
nft add rule inet filter INPUT iif lo accept - Create a new rule allowing established connections (in the INPUT chain):
nft add rule inet filter INPUT ct state established,related accept - Create a new rule allowing 80/tcp and 22/tcp (in the INPUT chain):
nft add rule inet filter INPUT tcp dport {80, 22} accept- Obviously this is optional and dependent on what you're trying to accomplish.
- Create a new rule to count and drop all other traffic (in the INPUT chain):
nft add rule inet filter INPUT counter drop- Probably a good idea to add this last (at the bottom of the chain):
- or, better yet... log and drop traffic:
nft add rule inet filter INPUT log prefix \"Dropped\: \" flags all counter drop comment \"default drop all\"