Nftables : Enable Service2021/10/05 |
|
This is the Basic Operation of Nftables.
|
|
| [1] | On RHEL 8 / CentOS Stream 8, nftables is used ad the default Firewalld backend. |
|
[root@dlp ~]# grep nftables /etc/firewalld/firewalld.conf # - nftables (default) FirewallBackend=nftables |
| [2] | If you use nftables directly, disable firewalld service to avoid that the different firewall services influence each other. Furthermore, enable nftables.service that restores filtering ruleset when system restarts. |
|
[root@dlp ~]# systemctl disable --now firewalld Removed /etc/systemd/system/multi-user.target.wants/firewalld.service. Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.[root@dlp ~]# systemctl enable --now nftables Created symlink /etc/systemd/system/multi-user.target.wants/nftables.service → /usr/lib/systemd/system/nftables.service. # [nftables.service] restores ruleset from [/etc/sysconfig/nftables.conf] [root@dlp ~]# systemctl cat nftables.service # /usr/lib/systemd/system/nftables.service [Unit] Description=Netfilter Tables Documentation=man:nft(8) Wants=network-pre.target Before=network-pre.target [Service] Type=oneshot ProtectSystem=full ProtectHome=true ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";' ExecStop=/sbin/nft flush ruleset RemainAfterExit=yes [Install] WantedBy=multi-user.target # [/etc/sysconfig/nftables.conf] has no setting by default [root@dlp ~]# cat /etc/sysconfig/nftables.conf # Uncomment the include statement here to load the default config sample # in /etc/nftables for nftables service. #include "/etc/nftables/main.nft" # To customize, either edit the samples in /etc/nftables, append further # commands to the end of this file or overwrite it after first service # start by calling: 'nft list ruleset >/etc/sysconfig/nftables.conf'. |
| [3] | If you switch to nftables service with using the ruleset configured on Firewalld, configure like follows. |
|
# confirm Firewalld rules ( based on that firewalld is running ) [root@dlp ~]# firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: enp1s0 sources: services: cockpit dhcpv6-client ssh ports: protocols: forward: no masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: # confirm current ruleset of nftables as the Firewalld backend [root@dlp ~]# nft list ruleset
table ip filter {
chain INPUT {
type filter hook input priority filter; policy accept;
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
}
}
table ip6 filter {
chain INPUT {
type filter hook input priority filter; policy accept;
}
.....
.....
# output the current ruleset to [/etc/sysconfig/nftables.conf] [root@dlp ~]# nft list ruleset > /etc/sysconfig/nftables.conf
# disable firewalld service & enable nftables service [root@dlp ~]# systemctl disable --now firewalld [root@dlp ~]# systemctl enable --now nftables
# confirm ruleset [root@dlp ~]# nft list ruleset
table ip filter {
chain INPUT {
type filter hook input priority filter; policy accept;
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
}
.....
.....
# for example, it's possible to show settings of allowed services [services: cockpit dhcpv6-client ssh] on [firewalld] like follows [root@dlp ~]# nft list chain inet firewalld filter_IN_public_allow
table inet firewalld {
chain filter_IN_public_allow {
tcp dport 22 ct state { new, untracked } accept
ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
tcp dport 9090 ct state { new, untracked } accept
}
}
|
| Sponsored Link |