Difference between revisions of "NFTables"

From UVOO Tech Wiki
Latest revision as of 18:26, 25 April 2020

Quick HowTos

https://www.theurbanpenguin.com/using-nftables-in-centos-8/

Basic Architecture

https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks

Common commands

sudo nft list ruleset  # you can direct this to /etc/nftables.conf as a simple way of backing up current rules.
sudo nft list tables
sudo nft list table <table-name>
sudo nft add rule nat prerouting iif bond0 ip daddr 23.228.169.145/32 dnat 10.64.40.11
sudo nft list table nat -a
sudo nft delete rule nat prerouting handle <numeric id>
systemctl restart nftables
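
The add/list/delete sequence above depends on reading a rule's handle out of `nft -a` output by eye. The script below, an added example that is not part of the wiki page, resolves handles from that output so a rule can be deleted by match text; the listing it parses is a constructed sample in the format `nft -a list chain ip nat prerouting` prints, and `delete_live` is an assumed wrapper that needs root and the nft binary.

```shell
#!/bin/sh
# Added example (not from the UVOO wiki): resolve nft rule handles from `nft -a` output
# so rules can be deleted by handle without reading the number off the screen.

# Constructed sample of `nft -a list chain ip nat prerouting` output; not captured from a real host.
SAMPLE_LISTING='table ip nat {
    chain prerouting { # handle 1
        type nat hook prerouting priority dstnat; policy accept;
        iif "bond0" ip daddr 23.228.169.145 dnat to 10.64.40.11 # handle 7
        iif "bond0" ip daddr 203.0.113.10 dnat to 10.64.40.12 # handle 9
    }
}'

# rule_handles LISTING PATTERN: print the handle of every rule line containing PATTERN
# (plain substring match). Table/chain lines carry handles too, so they are skipped.
rule_handles() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        /# handle [0-9]+$/ && index($0, pat) && !/^[ \t]*(table|chain) / {
            sub(/.*# handle /, ""); print
        }'
}

# delete_commands LISTING TABLE CHAIN PATTERN: print one `nft delete rule` command per match,
# so the plan can be reviewed (or piped to sh) before anything touches the live ruleset.
delete_commands() {
    for h in $(rule_handles "$1" "$4"); do
        echo "nft delete rule ip $2 $3 handle $h"
    done
}

# delete_live TABLE CHAIN PATTERN: same, against the running ruleset (needs root and nft).
# Assumed helper; refuses to act when nothing matches so a typo cannot silently do nothing.
delete_live() {
    listing=$(nft -a list chain ip "$1" "$2") || return 1
    cmds=$(delete_commands "$listing" "$1" "$2" "$3")
    [ -n "$cmds" ] || { echo "no rule in $1/$2 matches '$3'" >&2; return 1; }
    printf '%s\n' "$cmds" | sh
}

# Demo on the constructed sample: prints the delete command for handle 7.
delete_commands "$SAMPLE_LISTING" nat prerouting 23.228.169.145
```

Handles are only stable within a running ruleset; after `systemctl restart nftables` they are reassigned, so always re-list before deleting.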

NAT

https://wiki.nftables.org/wiki-nftables/index.php/Multiple_NATs_using_nftables_maps

More Reading

Why Use Netfilter NFTables?

It's better! Read https://wiki.debian.org/nftables

Examples Using NFTables on Workstation

The inet table is available from Linux kernel 3.14 and allows a single dual-stack table that matches both IPv4 and IPv6 traffic.

ref: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_workstation

First remove iptables (apt-get remove iptables) and reboot, so no leftover iptables rules are loaded alongside nftables.

Ultra simple nftables.conf for a local firewall using NFTables (for those of you used to iptables):

table inet filter {
    chain input {
        type filter hook input priority 0;

        # accept any localhost traffic
        iif lo accept

        # accept traffic originated from us
        ct state established,related accept

        # accept neighbour discovery otherwise connectivity breaks
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

        # count and drop any other traffic
        counter drop
    }
}

More Examples

nft add rule ip6 filter input tcp dport {telnet, http, https} accept

nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

Proxy

https://github.com/torvalds/linux/blob/master/Documentation/networking/tproxy.txt

More

https://developers.redhat.com/blog/2016/10/28/what-comes-after-iptables-its-successor-of-course-nftables/?extIdCarryOver=true&sc_cid=701f2000001OH7TAAW

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking