Nftables: Difference between revisions

From Dave-Wiki
No edit summary
 
(One intermediate revision by the same user not shown)
Line 50: Line 50:
====Disable Console Logging====
====Disable Console Logging====


Edit the file /etc/sysctl.conf Add the following line:
  echo 'kernel.printk = 4 4 1 7' | sudo tee /etc/sysctl.d/99-printk.conf > /dev/null
 
  sudo sysctl --system
  kernel.printk = 4 1 1 7
 
The above changes will be effective at reboot or immediately using the following command:
 
/sbin/sysctl -p /etc/sysctl.conf
 
You can check the current setting with:
 
  cat /proc/sys/kernel/printk

Latest revision as of 22:03, 24 April 2026

Initial Config

  1. Disable firewalld and enable nftables:
    1. systemctl disable --now firewalld
    2. systemctl mask firewalld
    3. nft flush ruleset
    4. systemctl enable --now nftables
  2. Create a new inet table called "filter":
    nft add table inet filter
  3. Create a chain called "INPUT" (in the filter table):
    nft add chain inet filter INPUT { type filter hook input priority 0 \; policy accept\; }
    • defines type: filter, hook: input, priority: 0 (highest)
  4. Create a new rule allowing localhost traffic (in the INPUT chain):
    nft add rule inet filter INPUT iif lo accept
  5. Create a new rule allowing established connections (in the INPUT chain):
    nft add rule inet filter INPUT ct state established,related accept
  6. Create a new rule allowing 80/tcp and 22/tcp (in the INPUT chain):
    nft add rule inet filter INPUT tcp dport {80, 22} accept
    • Obviously this is optional and dependent on what you're trying to accomplish.
  7. Create a new rule to count and drop all other traffic (in the INPUT chain):
    nft add rule inet filter INPUT counter drop
    • Probably a good idea to add this last (at the bottom of the chain):
    • or, better yet... log and drop traffic:
      nft add rule inet filter INPUT log prefix \"Dropped\: \" flags all counter drop comment \"default drop all\"

Other Commands

List filter table (of type inet), with line/position (handle) numbers

nft -a list table inet filter

Add new rule at a given position

(inserts before handle 6)

nft insert rule inet filter INPUT position 6 ip saddr 10.144.91.0/24 udp dport 1812 accept

(inserts after handle 7)

nft add rule inet filter INPUT position 7 ip saddr 10.144.91.0/24 udp dport 1813 accept

Delete rule at a given position

nft delete rule inet filter INPUT handle 5

List all rules

nft list ruleset

Export all rules to a file

nft list ruleset > <file>

Import rules from a file

nft -f <file>

Save rules (make changes persistent)

nft list ruleset > /etc/sysconfig/nftables.conf

Other

Disable Console Logging

echo 'kernel.printk = 4 4 1 7' | sudo tee /etc/sysctl.d/99-printk.conf > /dev/null
sudo sysctl --system
Retrieved from "https://davehome.net/wiki/index.php?title=Nftables&oldid=869"