NFTables - Revision history

Busk at 18:26, 25 April 2020

2020-04-25T18:26:24Z

Busk at 16:14, 26 March 2020

2020-03-26T16:14:32Z

Busk at 23:47, 5 September 2019

2019-09-05T23:47:13Z

Busk at 23:22, 5 September 2019

2019-09-05T23:22:38Z

imported>Jeremy-busk at 23:20, 20 May 2019

2019-05-20T23:20:25Z

New page

# Common commands

```
sudo nft list ruleset # you can direct this to /etc/nftables.conf as a simple way of backing up current rules.
sudo nft list tables
sudo nft list table <table-name>
sudo nft add rule nat prerouting iif bond0 ip daddr 23.228.169.145/32 dnat 10.64.40.11
sudo nft list table nat -a
sudo nft delete rule nat prerouting handle <numeric id>
systemctl restart nftables
```

# NAT

https://wiki.nftables.org/wiki-nftables/index.php/Multiple_NATs_using_nftables_maps

# More Reading

## Why Use Netfilter NFTables?

It's better! Read https://wiki.debian.org/nftables

## More Reading

* https://wiki.archlinux.org/index.php/nftable
* https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes
* https://wiki.gentoo.org/wiki/Nftables/Examples
* https://wiki.gentoo.org/wiki/Nftables#systemd_configuration
* https://netfilter.org/projects/nftables/
* https://wiki.nftables.org/wiki-nftables/index.php/Classic_perimetral_firewall_example
* https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_connection_tracking_metainformation

## Examples Using NFTables on Workstation

The inet table is available from Linux kernel 3.14 and allow to use a dual-stack IPv4/IPv6 table.

ref: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_workstation

apt-get remove iptables first and reboot (to get rid of iptables)

### Ultra simple nftables.conf for local firewall using NFTables (for those of you used to using iptables)
```conf
table inet filter {
chain input {
type filter hook input priority 0;

# accept any localhost traffic
iif lo accept

# accept traffic originated from us
ct state established,related accept

# accept neighbour discovery otherwise connectivity breaks
ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

# count and drop any other traffic
counter drop
}
}
```

# More Examples

```
nft add rule ip6 filter input tcp dport {telnet, http, https} accept

nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
```

← Older revision		Revision as of 18:26, 25 April 2020
Line 1:		Line 1:
		+	# Quick HowTos
		+	- https://www.theurbanpenguin.com/using-nftables-in-centos-8/
		+
	# Basic Architecture		# Basic Architecture
	- https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks		- https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks

← Older revision		Revision as of 16:14, 26 March 2020
Line 1:		Line 1:
		+	# Basic Architecture
		+	- https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks
		+
	# Common commands		# Common commands

← Older revision		Revision as of 23:47, 5 September 2019
Line 72:		Line 72:
	# Proxy		# Proxy
	- https://github.com/torvalds/linux/blob/master/Documentation/networking/tproxy.txt		- https://github.com/torvalds/linux/blob/master/Documentation/networking/tproxy.txt
		+
		+
		+	# More
		+
		+	- https://developers.redhat.com/blog/2016/10/28/what-comes-after-iptables-its-successor-of-course-nftables/?extIdCarryOver=true&sc_cid=701f2000001OH7TAAW
		+	- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking

← Older revision		Revision as of 23:22, 5 September 2019
Line 69:		Line 69:
	nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept		nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
	```		```
		+
		+	# Proxy
		+	- https://github.com/torvalds/linux/blob/master/Documentation/networking/tproxy.txt