Nftables: Difference between revisions
Links
- https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
Revision as of 17 November 2019, 20:24
Install
- apt-get install nftables
Create a basic IPv4 table (the inet family used here also covers IPv6)
- nft add table inet filter
List that table
- nft list table inet filter
table inet filter {
}
Create chains for input, output and forward traffic (IPv4)
- nft add chain inet filter input { type filter hook input priority 0\; }
- nft add chain inet filter output { type filter hook output priority 0\; }
- nft add chain inet filter forward { type filter hook forward priority 0\; }
Connection tracking for input, output and forward (the table was created in the inet family, so the family has to be given here too; without it nft looks for a table "filter" in the ip family and fails)
- nft add rule inet filter input ct state established,related counter accept
- nft add rule inet filter output ct state established,related counter accept
- nft add rule inet filter forward ct state established,related counter accept
Loopback interface traffic is OK
- nft add rule inet filter input iifname "lo" counter accept
- nft add rule inet filter output oifname "lo" counter accept
A rule to check that all is fine (IPv4)
- nft add rule inet filter input counter accept
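The step-by-step commands above, assembled into a single ruleset file that nft loads as one atomic transaction, as an added example that is not part of the wiki page. It keeps the same inet table and the same chains and rules as the steps (inet covers both IPv4 and IPv6); the flush at the top makes the file safe to re-run. build_ruleset, check_ruleset and count_chains are names chosen for this example, and the syntax check uses nft's parse-only mode (nft -c) so a broken file never reaches the kernel.

```shell
#!/bin/sh
# Added example, not from the wiki page: the interactive steps above as one
# nft -f ruleset file, plus a parse-only check before loading it.

# Emit the ruleset on stdout. "add table" followed by "flush table" makes the
# file idempotent: re-running it replaces the rules instead of appending
# duplicates. The final "counter accept" in input is the "all is fine" rule.
build_ruleset() {
    cat <<'EOF'
#!/usr/sbin/nft -f
add table inet filter
flush table inet filter

table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related counter accept
        iifname "lo" counter accept
        counter accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
        ct state established,related counter accept
        oifname "lo" counter accept
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        ct state established,related counter accept
    }
}
EOF
}

# Syntax-check a ruleset file without loading it (nft -c -f). Returns 0 when
# the file parses, 1 when it does not, and 2 when nft is not installed here.
check_ruleset() {
    file=$1
    command -v nft >/dev/null 2>&1 || return 2
    nft -c -f "$file"
}

# Count the chain declarations in a ruleset text read from stdin: a quick
# sanity check that all three hooks (input, output, forward) are present.
count_chains() {
    grep -c '^[[:space:]]*chain '
}

# Usage on a host with nft:
#   build_ruleset > /tmp/filter.nft
#   check_ruleset /tmp/filter.nft && nft -f /tmp/filter.nft
```

Generate the file, check it, and only then load it; `nft list table inet filter` afterwards should show the three chains with counters.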
Example Script
#!/usr/sbin/nft -f
# variable declaration
define tcp_lan_input_ports = { 8472, 53 }
define tcp_all_input_ports = { 80, 443 }
define udp_lan_input_ports = { 53 }
define tcp_for_input_ports = { 53 }
define udp_for_input_ports = { 53 }
# table declaration
# (add, then flush, so reloading the script replaces the rules instead of appending to them)
add table filter
add table nat
flush table filter
flush table nat
table filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related counter accept
        iifname "lo" counter accept
        iifname "ens19" tcp dport $tcp_lan_input_ports counter accept
        tcp dport $tcp_all_input_ports counter accept
        udp dport $udp_lan_input_ports counter accept
        # anything not accepted above is logged, then dropped by the chain policy
        log prefix "nft-input "
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related counter accept
        counter accept
        log prefix "nft-output "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related counter accept
        iifname "ens19" oifname "ens19" counter accept
        iifname "ens19" oifname "ens18" tcp dport $tcp_for_input_ports counter accept
        iifname "ens19" oifname "ens18" udp dport $udp_for_input_ports counter accept
        iifname "ens19" oifname "ens18" icmp type echo-request counter accept
        log prefix "nft-forward "
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0;
    }
    chain postrouting {
        type nat hook postrouting priority 0;
        # oif matches the interface index resolved when the script is loaded
        ip saddr 10.83.33.0/24 oif ens18 snat to 10.84.252.33
    }
}
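Loading a script like the one above over SSH is where "policy drop" bites: if the accept rule for the management port is missing, the session that applies the rules is the first thing cut. The helper below is an added example, not part of the wiki page: it syntax-checks the file (nft -c -f), snapshots the live ruleset (nft list ruleset), applies the new one, and reloads the snapshot unless an operator confirms from a fresh login within a timeout. apply_with_rollback, NFT (the nft command to run) and CONFIRM_FILE (the file whose creation counts as confirmation) are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the wiki page: apply an nft -f ruleset with an
# automatic rollback, so a bad "policy drop" ruleset cannot lock you out.

NFT="${NFT:-nft}"                                   # command to run (assumed name)
CONFIRM_FILE="${CONFIRM_FILE:-/run/nft-apply.confirmed}"   # touch this to keep the new rules

# apply_with_rollback RULESET_FILE [TIMEOUT_SECONDS]
# Returns 0 when the new ruleset was confirmed and kept,
#         1 when the file failed the syntax check (nothing was changed),
#         2 when no confirmation arrived and the old ruleset was restored,
#         3 when nft refused to load the file (nothing was changed).
apply_with_rollback() {
    ruleset=$1
    timeout=${2:-60}
    backup=$(mktemp)

    # Parse-only check: a broken file never touches the kernel.
    "$NFT" -c -f "$ruleset" || { rm -f "$backup"; return 1; }

    # Snapshot the live ruleset; "nft list ruleset" output loads back with nft -f.
    "$NFT" list ruleset > "$backup"
    rm -f "$CONFIRM_FILE"

    # nft -f loads the whole file as one transaction: all or nothing.
    if ! "$NFT" -f "$ruleset"; then
        rm -f "$backup"
        return 3
    fi

    # Wait for the operator to create CONFIRM_FILE from a second session.
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ -e "$CONFIRM_FILE" ]; then
            rm -f "$backup" "$CONFIRM_FILE"
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done

    # No confirmation in time: drop everything and reload the snapshot.
    "$NFT" flush ruleset
    "$NFT" -f "$backup"
    rm -f "$backup"
    return 2
}

# Usage:   apply_with_rollback /etc/nftables.conf 90
# Confirm: touch "$CONFIRM_FILE"   (from a new SSH login, proving access still works)
```

Run it in a terminal multiplexer or with nohup so the rollback timer survives the loss of the session that started it; the confirmation must come from a login opened after the new rules are active, otherwise it proves nothing.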
List that table
- nft list table inet filter
table inet filter {
chain input {
type filter hook input priority 0; policy accept;
counter packets 47 bytes 3100 accept
}
}
Flush rules in chain filter/input
- nft flush chain inet filter input
Delete the chain filter/input
- nft delete chain inet filter input
Delete the table filter
- nft delete table inet filter
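The listing above is how you confirm that rules are actually matching: every rule carrying a counter shows the packets and bytes it has seen. The functions below, an added example that is not part of the wiki page, parse that listing so the check can be scripted, for instance to alert when the catch-all "counter accept" rule stops seeing traffic or to find rules that have never matched. The sample listing is constructed here from the page's own output (one extra loopback rule with zero counters added to show the unused-rule case); rule_counters, packets_for and unused_rules are names chosen for this example and work the same on live `nft list ruleset` output.

```shell
#!/bin/sh
# Added example, not from the wiki page: read per-rule counters from
# "nft list table" / "nft list ruleset" output.

# Constructed sample listing in the format nft prints (tabs for indentation).
sample_listing() {
    cat <<'EOF'
table inet filter {
	chain input {
		type filter hook input priority 0; policy accept;
		ct state established,related counter packets 97 bytes 6640 accept
		iifname "lo" counter packets 0 bytes 0 accept
		counter packets 47 bytes 3100 accept
	}
}
EOF
}

# Read a listing on stdin and print one tab-separated record per counter rule:
#   <chain> <packets> <bytes> <rule text>
rule_counters() {
    awk '
        /^[ \t]*chain [^ ]+ [{]/ { chain = $2 }
        /counter packets [0-9]+ bytes [0-9]+/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "packets") p = $(i + 1)
                if ($i == "bytes")   b = $(i + 1)
            }
            rule = $0
            sub(/^[ \t]+/, "", rule)
            print chain "\t" p "\t" b "\t" rule
        }'
}

# packets_for CHAIN REGEX: packets seen by the first rule in CHAIN whose text
# matches REGEX (listing on stdin). "^counter " selects the catch-all rule.
packets_for() {
    chain=$1
    pattern=$2
    rule_counters | awk -F '\t' -v c="$chain" -v pat="$pattern" \
        '$1 == c && $4 ~ pat { print $2; exit }'
}

# Rules whose counter is still at zero: either dead rules worth removing, or
# traffic that was expected but never arrived. Prints "<chain>: <rule>".
unused_rules() {
    rule_counters | awk -F '\t' '$2 == 0 { print $1 ": " $4 }'
}

# Usage on a live host:
#   nft list table inet filter | packets_for input '^counter '   # prints 47 for the sample
#   nft list ruleset | unused_rules
```

Counters persist until the table is flushed or deleted (the commands above reset them), so compare two listings taken some time apart rather than trusting a single absolute value.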