Nftables
Jump to navigation
Jump to search
Initial Config
- Disable firewalld and enable nftables:
systemctl disable --now firewalldsystemctl mask firewalldnft flush rulesetsystemctl enable --now nftables
- Create a new inet table called "filter":
nft add table inet filter - Create a chain called "INPUT" (in the filter table):
nft add chain inet filter INPUT { type filter hook input priority 0 \; policy accept\; }- defines type: filter, hook: input, priority: 0 (highest)
- Create a new rule allowing localhost traffic (in the INPUT chain):
nft add rule inet filter INPUT iif lo accept - Create a new rule allowing established connections (in the INPUT chain):
nft add rule inet filter INPUT ct state established,related accept - Create a new rule allowing 80/tcp and 22/tcp (in the INPUT chain):
nft add rule inet filter INPUT tcp dport {80, 22} accept- Obviously this is optional and dependent on what you're trying to accomplish.
- Create a new rule to count and drop all other traffic (in the INPUT chain):
nft add rule inet filter INPUT counter drop- Probably a good idea to add this last (at the bottom of the chain):
- or, better yet... log and drop traffic:
nft add rule inet filter INPUT log prefix \"Dropped\: \" flags all counter drop comment \"default drop all\"
Other Commands
List filter table (of type inet), with line/position (handle) numbers
nft -a list table inet filter
Add new rule at a given position
(inserts before handle 6)
nft insert rule inet filter INPUT position 6 ip saddr 10.144.91.0/24 udp dport 1812 accept
(inserts after handle 7)
nft add rule inet filter INPUT position 7 ip saddr 10.144.91.0/24 udp dport 1813 accept
Delete rule at a given position
nft delete rule inet filter INPUT handle 5
List all rules
nft list ruleset
Export all rules to a file
nft list ruleset > <file>
Import rules from a file
nft -f <file>
Save rules (make changes persistent)
nft list ruleset > /etc/sysconfig/nftables.conf