Nftables: Difference between revisions

From Dave-Wiki
Latest revision as of 12:14, 15 October 2024

Initial Config

  1. Disable firewalld and enable nftables:
    1. systemctl disable --now firewalld
    2. systemctl mask firewalld
    3. nft flush ruleset
    4. systemctl enable --now nftables
  2. Create a new inet table called "filter":
    nft add table inet filter
  3. Create a chain called "INPUT" (in the filter table):
    nft add chain inet filter INPUT { type filter hook input priority 0 \; policy accept\; }
    • defines type: filter, hook: input, priority: 0 (the conventional filter priority; lower values run earlier when several chains share a hook, so 0 is not "highest"), policy: accept (the verdict when no rule matches, so the chain fails open until a final drop rule is added)
  4. Create a new rule allowing localhost traffic (in the INPUT chain):
    nft add rule inet filter INPUT iif lo accept
  5. Create a new rule allowing established connections (in the INPUT chain):
    nft add rule inet filter INPUT ct state established,related accept
  6. Create a new rule allowing 80/tcp and 22/tcp (in the INPUT chain):
    nft add rule inet filter INPUT tcp dport {80, 22} accept
    • Obviously this is optional and dependent on what you're trying to accomplish.
    • Quote the set ('{ 80, 22 }') when typing it into bash: the command above only works because of the space after the comma, whereas an unquoted {80,22} is brace-expanded into two words and nft rejects the rule.
  7. Create a new rule to count and drop all other traffic (in the INPUT chain):
    nft add rule inet filter INPUT counter drop
    • This must be the last rule in the chain: rules are evaluated top to bottom, so anything appended after it with "add rule" is never reached.
    • or, better yet... log and drop traffic:
      nft add rule inet filter INPUT log prefix \"Dropped\: \" flags all counter drop comment \"default drop all\"
    • Because the chain policy is accept, the host is wide open whenever this rule is missing (for example right after "nft flush ruleset"). Once the accept rules are in place, prefer a chain policy of drop so that a lost or mis-ordered rule fails closed rather than open.
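The seven steps above can be expressed as one nft script file, which is also what gets saved for persistence. The following is an added example, not a script from the original page: it writes the same INPUT chain as a single file with policy drop (so the chain fails closed without relying on a trailing rule), drops packets conntrack marks invalid, allows ICMP/ICMPv6 (needed for path MTU discovery and IPv6 neighbour discovery), rate-limits the log rule, and then syntax-checks the file with "nft -c -f", which parses without committing. The output path, port list and the use of a leading "flush ruleset" are the example's own choices.

```shell
#!/bin/sh
# Added example: build the nftables ruleset from the steps above as one nft
# script file. Output path and port list are whatever the caller passes in
# (assumptions, not values from the page).
build_ruleset() {
    out=$1
    ports=$(printf '%s' "$2" | tr ' ' ',')   # "22 80" -> "22,80"
    cat > "$out" <<EOF
#!/usr/sbin/nft -f
# Start from a clean slate so loading this file twice never duplicates rules.
flush ruleset

table inet filter {
    chain INPUT {
        # policy drop: if the final rule is ever lost, the chain still fails closed.
        type filter hook input priority 0; policy drop;

        iif "lo" accept comment "loopback"
        ct state established,related accept comment "reply traffic"
        ct state invalid counter drop comment "conntrack invalid"
        # PMTU discovery and IPv6 neighbour discovery need ICMP/ICMPv6.
        meta l4proto { icmp, ipv6-icmp } accept comment "icmp"
        tcp dport { $ports } accept comment "allowed services"
        # Rate-limited log line, then an unconditional counter+drop.
        limit rate 10/minute burst 20 packets log prefix "Dropped: " flags all comment "log drops"
        counter drop comment "default drop all"
    }
}
EOF
}

# Parse the file without committing anything (nft -c). This needs nft and
# CAP_NET_ADMIN; when nft is absent (e.g. on the workstation editing the file)
# the function only reports that the check was skipped.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not found; skipped syntax check of $1" >&2
    fi
}

# Usage: sh this_script.sh /etc/sysconfig/nftables.conf "22 80"
if [ $# -eq 2 ]; then
    build_ruleset "$1" "$2" && check_ruleset "$1"
fi
```

Load the file with "nft -f <file>" instead of running the seven commands one by one; because it begins with "flush ruleset", loading it again replaces rather than appends. If you keep the interactive approach from the steps above, the equivalent of the policy change is "nft add chain inet filter INPUT { policy drop \; }", which updates the existing chain's policy in place.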

Other Commands

List filter table (of type inet), with rule handle numbers

nft -a list table inet filter

(-a prints "# handle N" after every chain and rule; a handle is assigned when the rule is created, is not renumbered when earlier rules are deleted, and changes when the ruleset is reloaded, so look it up each time instead of hard-coding it)

Add new rule relative to an existing rule's handle

(inserts before the rule with handle 6)

nft insert rule inet filter INPUT position 6 ip saddr 10.144.91.0/24 udp dport 1812 accept

(adds after the rule with handle 7)

nft add rule inet filter INPUT position 7 ip saddr 10.144.91.0/24 udp dport 1813 accept

(current nft accepts "handle 6" in place of "position 6"; "position" is deprecated but still works)

Delete the rule with a given handle

nft delete rule inet filter INPUT handle 5
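Because handles change on every reload, a script that inserts or deletes rules should resolve the handle at run time rather than bake in "handle 5". The following is an added example, not code from the original page: it finds a rule's handle by the comment attached to it (which is why the comments on the rules above are worth keeping), refuses to act when the comment is ambiguous, and then uses "insert rule ... handle N" and "delete rule ... handle N". The sample listing is constructed to look like "nft -a list chain inet filter INPUT" output, and the NFT variable is an assumption that lets the commands be pointed at a stub instead of the real binary.

```shell
#!/bin/sh
# Added example: look up rule handles by comment instead of hard-coding them.
NFT=${NFT:-nft}   # override with a stub to dry-run without root

# Constructed sample of `nft -a list chain inet filter INPUT` output.
SAMPLE_LISTING='table inet filter {
	chain INPUT { # handle 1
		type filter hook input priority filter; policy accept;
		iif "lo" accept # handle 2
		ct state established,related accept # handle 3
		tcp dport { 22, 80 } accept # handle 4
		ip saddr 10.144.91.0/24 udp dport 1812 accept comment "radius auth" # handle 5
		counter packets 12 bytes 840 drop comment "default drop all" # handle 6
	}
}'

# Read an `nft -a` listing on stdin and print the handle of the one rule whose
# comment equals $1. Exit 1 if no rule matches, 2 if more than one does.
handle_for_comment() {
    awk -v want="$1" '
        /# handle [0-9]+$/ {
            if (match($0, /comment "[^"]*"/)) {
                c = substr($0, RSTART + 9, RLENGTH - 10)   # text between the quotes
                if (c == want) { n++; h = $NF }
            }
        }
        END { if (n == 1) { print h; exit 0 } exit (n == 0 ? 1 : 2) }'
}

# delete_rule_by_comment FAMILY TABLE CHAIN COMMENT
delete_rule_by_comment() {
    h=$("$NFT" -a list chain "$1" "$2" "$3" | handle_for_comment "$4") || {
        echo "no unique rule with comment '$4' in $1 $2 $3" >&2; return 1; }
    "$NFT" delete rule "$1" "$2" "$3" handle "$h"
}

# insert_before_comment FAMILY TABLE CHAIN ANCHOR_COMMENT rule tokens...
# Inserts the new rule directly before the rule carrying ANCHOR_COMMENT, e.g.
# before "default drop all" so it is evaluated before the final drop.
insert_before_comment() {
    fam=$1; tbl=$2; chn=$3; anchor=$4; shift 4
    h=$("$NFT" -a list chain "$fam" "$tbl" "$chn" | handle_for_comment "$anchor") || {
        echo "no unique rule with comment '$anchor' in $fam $tbl $chn" >&2; return 1; }
    "$NFT" insert rule "$fam" "$tbl" "$chn" handle "$h" "$@"
}
```

Pipe any real listing into handle_for_comment to see the lookup work offline: printf '%s\n' "$SAMPLE_LISTING" | handle_for_comment "default drop all" prints 6.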

List all rules

nft list ruleset

Export all rules to a file

nft list ruleset > <file>

Import rules from a file

nft -f <file>

Save rules (make changes persistent)

nft list ruleset > /etc/sysconfig/nftables.conf

This is the file nftables.service loads at boot on RHEL/Fedora-family systems; Debian and Ubuntu use /etc/nftables.conf instead. "nft list ruleset" does not emit a leading "flush ruleset" line, so loading the saved file by hand with "nft -f" on a running system appends a second copy of every rule unless that line is added at the top.
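Applying a default-drop ruleset over SSH is the classic way to lock yourself out of a box. The following is an added example, not a script from the original page: it syntax-checks the new file, saves the live ruleset (with a "flush ruleset" prefix so it can be reloaded cleanly), loads the new rules, and starts a timer that restores the old ruleset unless you confirm within the timeout; confirming cancels the timer and copies the file to the persistent location. The paths, the NFT override and the timeout are the example's own assumptions.

```shell
#!/bin/sh
# Added example: apply a ruleset with automatic rollback, then persist it.
NFT=${NFT:-nft}                                   # stub this to dry-run
RULES=${RULES:-/etc/sysconfig/nftables.conf}      # assumed persistent path
BACKUP=${BACKUP:-/run/nftables.rollback}          # assumed scratch path

# safe_apply NEWFILE [TIMEOUT_SECONDS]
safe_apply() {
    new=$1; timeout=${2:-60}
    "$NFT" -c -f "$new" || { echo "syntax check failed: $new" >&2; return 1; }
    # Snapshot the live ruleset so the rollback replaces, not appends.
    { echo 'flush ruleset'; "$NFT" list ruleset; } > "$BACKUP" || return 1
    "$NFT" -f "$new" || return 1
    # Rollback timer: if the backup still exists when it fires, nobody confirmed.
    ( sleep "$timeout"
      if [ -e "$BACKUP" ]; then
          if "$NFT" -f "$BACKUP"; then
              rm -f "$BACKUP" "$BACKUP.timer"
              echo "not confirmed within ${timeout}s: previous ruleset restored" >&2
          else
              echo "rollback failed; backup kept at $BACKUP" >&2
          fi
      fi ) &
    echo $! > "$BACKUP.timer"
    echo "ruleset from $new loaded; run 'safe_confirm $new' within ${timeout}s"
}

# safe_confirm NEWFILE: cancel the timer, discard the backup, persist the file.
safe_confirm() {
    if [ -e "$BACKUP.timer" ]; then
        kill "$(cat "$BACKUP.timer")" 2>/dev/null || true
    fi
    rm -f "$BACKUP" "$BACKUP.timer"
    if [ "$1" != "$RULES" ]; then cp "$1" "$RULES"; fi
    echo "confirmed: $RULES now holds the active ruleset"
}
```

Run "safe_apply /path/to/new.nft 60" from your SSH session, open a second session to prove you can still get in, then "safe_confirm /path/to/new.nft". If the second login fails, do nothing: the timer restores the previous rules on its own.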

Other

Disable Console Logging

The "log" rule above writes a kernel message for every dropped packet, and by default nft logs at level warn; on a server with a serial or VGA console those messages are echoed to the console. To keep them out of the console (they still land in the kernel ring buffer and in the journal, readable with dmesg or journalctl -k), edit /etc/sysctl.conf (or a file under /etc/sysctl.d/) and add the following line:

kernel.printk = 4 1 1 7

The four values are console_loglevel, default_message_loglevel, minimum_console_loglevel and default_console_loglevel; only messages with a level numerically below the first value reach the console, so 4 lets through emerg, alert, crit and err but not warn and above. The change takes effect at reboot, or immediately with:

/sbin/sysctl -p /etc/sysctl.conf

You can check the current setting with:

cat /proc/sys/kernel/printk