Difference between revisions of "Nft"
Latest revision as of 18:18, 19 July 2022
```
sudo nft list ruleset
```

netfilter Cheat Sheet
Nate Huffnagle, April 08, 2020 17:12

Syntax
```
nft list tables
nft list chains
nft add <table|chain|rule> ...
nft list <table|chain|rule> ...
nft flush <table|chain|rule> ...
nft delete <table|chain|rule> ...
```

List rules with handle numbers:
```
nft list ruleset -a
```

Check a rules file for syntax errors without loading it:
```
nft --check -f /etc/nftables/sio-firewall.nft
```

Simple Example

Create a new table and chain (the chain name must be given when creating it, so the later rules can be added to chain1):
```
nft add table inet table1
nft create chain inet table1 chain1 { type filter hook input priority 0\; }
nft add rule inet table1 chain1 iif lo accept
```

Allow established and outbound-related traffic, as well as new SSH connections:
```
nft add rule inet table1 chain1 ct state established,related accept
nft add rule inet table1 chain1 tcp dport 22 ct state new accept
```

Default drop rule (evaluated last, so it must be the final rule in the chain):
```
nft add rule inet table1 chain1 drop
```

Advanced

Inject a rule at a given position (the handle number shown by nft list ruleset -a):
```
nft add rule inet table1 chain1 position <number> <rule>
```

Convert iptables to nftables: check out iptables-translate.

Debug rule changes:
```
nft monitor                 # Reports all rule changes live
nft monitor new tables
nft monitor destroy rules
```

SIO Firewall rules

The rules live in /etc/nftables/sio-firewall.nft, and /etc/sysconfig/nftables.conf pulls them in with:
```
include "/etc/nftables/sio-firewall.nft"
```
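The Simple Example above builds the filter interactively, rule by rule; the SIO Firewall section shows that the production ruleset is kept in a file that nftables.conf includes. The script below is an added example, not part of Nate Huffnagle's cheat sheet, that writes the same input policy as a declarative ruleset file and runs the cheat sheet's `nft --check -f` against it. The file path /tmp/example-firewall.nft, the `ct state invalid drop` rule and the log/counter line are assumptions added here; `table1` and `chain1` are the names the cheat sheet uses.

```shell
#!/bin/sh
# Added example: the cheat sheet's "Simple Example" as a declarative
# ruleset file, the form a file like sio-firewall.nft takes.
# RULESET_FILE is an assumed path, not the page's own file.
RULESET_FILE="${RULESET_FILE:-/tmp/example-firewall.nft}"

# Write the ruleset. "flush ruleset" makes the file idempotent, and
# "policy drop" on the chain replaces the trailing "drop" rule of the
# interactive version, so a rule appended later cannot land after it.
write_ruleset() {
  cat > "$RULESET_FILE" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet table1 {
    chain chain1 {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop
        tcp dport 22 ct state new accept

        # Assumed addition: count and log what the drop policy will hit,
        # so a misconfigured rule shows up in the logs instead of silently.
        log prefix "nft-drop: " counter
    }
}
EOF
}

# Syntax check only; nothing is loaded into the kernel. The check needs
# nft installed and CAP_NET_ADMIN (root), so it is skipped otherwise.
check_ruleset() {
  if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    nft --check -f "$RULESET_FILE"
  else
    echo "nft not available as root; skipping syntax check" >&2
    return 0
  fi
}

# Cheap structural checks on the generated file, usable without nft.
count_accepts() {
  grep -c ' accept$' "$RULESET_FILE"
}

has_drop_policy() {
  grep -q 'policy drop;' "$RULESET_FILE"
}

write_ruleset
check_ruleset
echo "accept rules in $RULESET_FILE: $(count_accepts)"
```

To load the file for real, run it as root with `nft -f /tmp/example-firewall.nft` (or point the `include` line in /etc/sysconfig/nftables.conf at it), then confirm with `nft list ruleset`. Because of `flush ruleset`, loading it replaces every table on the host, including any the page's sio-firewall.nft created, so keep production rules in one file.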