Nftables: Difference between revisions
Line 1: | Line 1: | ||
=Initial Config= | ==Initial Config== | ||
# Disable firewalld and enable nftables: | # Disable firewalld and enable nftables: | ||
Line 17: | Line 17: | ||
#* or, better yet... '''log''' and drop traffic:<br/><code>nft add rule inet filter INPUT log prefix \"Dropped\: \" flags all counter drop comment \"default drop all\"</code> | #* or, better yet... '''log''' and drop traffic:<br/><code>nft add rule inet filter INPUT log prefix \"Dropped\: \" flags all counter drop comment \"default drop all\"</code> | ||
=Other Commands= | ==Other Commands== | ||
====List filter table (of type inet), with line/position (handle) numbers==== | ====List filter table (of type inet), with line/position (handle) numbers==== | ||
Line 45: | Line 45: | ||
====Save rules (make changes persistent)==== | ====Save rules (make changes persistent)==== | ||
<code>nft list ruleset > /etc/sysconfig/nftables.conf</code> | <code>nft list ruleset > /etc/sysconfig/nftables.conf</code> | ||
==Other== | |||
====Disable Console Logging==== | |||
Edit the file /etc/sysctl.conf Add the following line: | |||
kernel.printk = 4 1 1 7 | |||
The above changes will be effective at reboot or immediately using the following command: | |||
/sbin/sysctl -p /etc/sysctl.conf | |||
You can check the current setting with: | |||
cat /proc/sys/kernel/printk |
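Review bot: the added "Disable Console Logging" section never says what the four kernel.printk fields are or why the setting belongs on an nftables page; add a sentence that the first field is the console log level, and that lowering it to 4 keeps the messages from the `log prefix \"Dropped\: \"` rule (emitted at the warn level when no `level` is given on the rule) off the console while they still reach the kernel log and the journal. Stating this also tells the reader that an explicit `level` on the log rule is the alternative if they would rather not touch sysctl.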
Latest revision as of 12:14, 15 October 2024
Initial Config
- Disable firewalld and enable nftables:
  systemctl disable --now firewalld
  systemctl mask firewalld
  nft flush ruleset
  systemctl enable --now nftables
- Create a new inet table called "filter":
  nft add table inet filter
- Create a chain called "INPUT" (in the filter table):
  nft add chain inet filter INPUT { type filter hook input priority 0 \; policy accept\; }
  - This defines type: filter, hook: input, priority: 0 (chains on the same hook run in ascending priority order, so lower values run first).
- Create a new rule allowing localhost traffic (in the INPUT chain):
  nft add rule inet filter INPUT iif lo accept
- Create a new rule allowing established connections (in the INPUT chain):
  nft add rule inet filter INPUT ct state established,related accept
- Create a new rule allowing 80/tcp and 22/tcp (in the INPUT chain):
  nft add rule inet filter INPUT tcp dport {80, 22} accept
  - Obviously this is optional and depends on what you're trying to accomplish.
- Create a new rule to count and drop all other traffic (in the INPUT chain):
  nft add rule inet filter INPUT counter drop
  - It is probably a good idea to add this last (at the bottom of the chain).
  - Or, better yet, log and drop traffic:
    nft add rule inet filter INPUT log prefix \"Dropped\: \" flags all counter drop comment \"default drop all\"
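The same ruleset written as one nft script, an added example that is not part of the original page: it is the declarative form that `nft -f` reads and that `nft list ruleset` writes, and it assumes the file is saved at /etc/sysconfig/nftables.conf, the path this page uses for persistence.

```nft
#!/usr/sbin/nft -f
# Equivalent of the step-by-step "nft add ..." commands above, as a file that
# can be loaded with: nft -f /etc/sysconfig/nftables.conf
# (assumed path, taken from the "Save rules" section of this page).

# Start from an empty ruleset so re-loading the file is idempotent and never
# duplicates rules that are already present.
flush ruleset

# Allowed inbound TCP services; edit this one place instead of the rule.
define allowed_tcp = { 22, 80 }

table inet filter {
    chain INPUT {
        # Same hook/priority/policy as the "nft add chain" command above.
        type filter hook input priority 0; policy accept;

        # Rules are evaluated top to bottom, so file order replaces the
        # "position"/"handle" juggling needed with interactive commands.
        iif "lo" accept
        ct state established,related accept
        tcp dport $allowed_tcp accept

        # Final rule: log at an explicit level (so console log settings need
        # no tuning), count, and drop everything not matched above.
        log prefix "Dropped: " level info flags all counter drop comment "default drop all"
    }
}
```

After loading, `nft -a list table inet filter` should show the four rules with their handles in exactly this order, and `nft list ruleset` will reproduce the file.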
Other Commands
List filter table (of type inet), with line/position (handle) numbers
nft -a list table inet filter
Add new rule at a given position
(inserts before handle 6)
nft insert rule inet filter INPUT position 6 ip saddr 10.144.91.0/24 udp dport 1812 accept
(inserts after handle 7)
nft add rule inet filter INPUT position 7 ip saddr 10.144.91.0/24 udp dport 1813 accept
Delete rule at a given position
nft delete rule inet filter INPUT handle 5
List all rules
nft list ruleset
Export all rules to a file
nft list ruleset > <file>
Import rules from a file
nft -f <file>
Save rules (make changes persistent)
nft list ruleset > /etc/sysconfig/nftables.conf
Other
Disable Console Logging
Edit the file /etc/sysctl.conf and add the following line:
kernel.printk = 4 1 1 7
The change takes effect at reboot, or immediately with the following command:
/sbin/sysctl -p /etc/sysctl.conf
You can check the current setting with:
cat /proc/sys/kernel/printk