Nftables : Basic Operation2023/07/13 |
This is the Basic Operation of Nftables.
|
|||||||||||||||
[1] |
The multiple networking levels are abstracted into families on nftables architecture like follows.
|
[2] |
There is no filtering rule by default on nftables, so start with creating tables.
⇒ nft add table [family] [table name]
|
# show ruleset (no filtering rule by default) root@dlp:~# nft list ruleset table inet filter { chain input { type filter hook input priority filter; policy accept; } chain forward { type filter hook forward priority filter; policy accept; } chain output { type filter hook output priority filter; policy accept; } } # flush default rule above and add [firewall01] table in [inet] family root@dlp:~# nft flush ruleset root@dlp:~# nft add table inet firewall01 # show tables of [inet] family root@dlp:~# nft list tables inet table inet firewall01 # show ruleset root@dlp:~# nft list ruleset table inet firewall01 { } # to delete a table, run like follows root@dlp:~# nft delete table inet firewall01 |
[3] |
Next, add chains to tables.
⇒ nft add chain [family] [table name] [chain name] { type [type] hook [hook} priority [priority] \; }
Available [type]s and [hook]s are follows. For [priority], it is generall integer value and the smaller value is high priority.
|
# with [filter] type, [input] hook, [0] priority # add [filter_INPUT] chain to [firewall01] table in [inet] family root@dlp:~# nft add chain inet firewall01 filter_INPUT { type filter hook input priority 0 \;}
nft list ruleset table inet firewall01 { chain filter_INPUT { type filter hook input priority filter; policy accept; } } # to delete a chain, run like follows root@dlp:~# nft delete chain inet firewall01 filter_INPUT root@dlp:~# nft list ruleset table inet firewall01 { } |
[4] | After adding tables and chains, set rules to them. |
root@dlp:~# nft list ruleset table inet firewall01 { chain filter_INPUT { type filter hook input priority filter; policy accept; } } # for example, add a rule to allow packets that state connection is [related, established] root@dlp:~# nft add rule inet firewall01 filter_INPUT ct state related,established accept
nft list table inet firewall01 table inet firewall01 { chain filter_INPUT { type filter hook input priority filter; policy accept; ct state established,related accept } } # for example, add a rule to allow packets to loopback interface root@dlp:~# nft add rule inet firewall01 filter_INPUT iif lo accept
nft list table inet firewall01 table inet firewall01 { chain filter_INPUT { type filter hook input priority filter; policy accept; ct state established,related accept iif "lo" accept } } # for example, add a rule to drop packets except allowed packets above root@dlp:~# nft add rule inet firewall01 filter_INPUT drop
nft -a list table inet firewall01 table inet firewall01 { # handle 2 chain filter_INPUT { # handle 1 type filter hook input priority filter; policy accept; ct state established,related accept # handle 4 iif "lo" accept # handle 5 drop # handle 6 } } # for example, add a rule next to the line [handle 5] to allow packets to 22 port with [new, untracked] connection state root@dlp:~# nft add rule inet firewall01 filter_INPUT handle 5 tcp dport 22 ct state { new,untracked } accept
nft -a list table inet firewall01
table inet firewall01 { # handle 2 chain filter_INPUT { # handle 1 type filter hook input priority filter; policy accept; ct state established,related accept # handle 4 iif "lo" accept # handle 5 tcp dport 22 ct state { new, untracked } accept # handle 8 drop # handle 6 } } # for example, add a rule next to the line [handle 8] to allow packets that metadata is [icmp,ipv6-icmp] root@dlp:~# nft add rule inet firewall01 filter_INPUT handle 8 meta l4proto { icmp,ipv6-icmp } accept
nft -a list table inet firewall01 table inet firewall01 { # handle 2 chain filter_INPUT { # handle 1 type filter hook input priority filter; policy accept; ct state established,related accept # handle 4 iif "lo" accept # handle 5 tcp dport 22 ct state { new, untracked } accept # handle 8 meta l4proto { icmp, ipv6-icmp } accept # handle 10 drop # handle 6 } } # to delete a rule, specify the [handle] number of a line you'd like to delete and run the command below root@dlp:~# nft delete rule inet firewall01 filter_INPUT handle 8
nft -a list table inet firewall01 table inet firewall01 { # handle 2 chain filter_INPUT { # handle 1 type filter hook input priority filter; policy accept; ct state established,related accept # handle 4 iif "lo" accept # handle 5 meta l4proto { icmp, ipv6-icmp } accept # handle 10 drop # handle 6 } } |
Sponsored Link |