Difference between revisions of "NFTables"
Jump to navigation
Jump to search
imported>Jeremy-busk |
|||
| Line 69: | Line 69: | ||
nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept | nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept | ||
``` | ``` | ||
| + | |||
| + | # Proxy | ||
| + | - https://github.com/torvalds/linux/blob/master/Documentation/networking/tproxy.txt | ||
Revision as of 23:22, 5 September 2019
Common commands
sudo nft list ruleset # you can direct this to /etc/nftables.conf as a simple way of backing up current rules. sudo nft list tables sudo nft list table <table-name> sudo nft add rule nat prerouting iif bond0 ip daddr 23.228.169.145/32 dnat 10.64.40.11 sudo nft list table nat -a sudo nft delete rule nat prerouting handle <numeric id> systemctl restart nftables
NAT
https://wiki.nftables.org/wiki-nftables/index.php/Multiple_NATs_using_nftables_maps
More Reading
Why Use Netfilter NFTables?
It's better! Read https://wiki.debian.org/nftables
More Reading
- https://wiki.archlinux.org/index.php/nftable
- https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes
- https://wiki.gentoo.org/wiki/Nftables/Examples
- https://wiki.gentoo.org/wiki/Nftables#systemd_configuration
- https://netfilter.org/projects/nftables/
- https://wiki.nftables.org/wiki-nftables/index.php/Classic_perimetral_firewall_example
- https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_connection_tracking_metainformation
Examples Using NFTables on Workstation
The inet table is available from Linux kernel 3.14 and allow to use a dual-stack IPv4/IPv6 table.
ref: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_workstation
apt-get remove iptables first and reboot (to get rid of iptables)
Ultra simple nftables.conf for local firewall using NFTables (for those of you used to using iptables)
table inet filter {
chain input {
type filter hook input priority 0;
# accept any localhost traffic
iif lo accept
# accept traffic originated from us
ct state established,related accept
# accept neighbour discovery otherwise connectivity breaks
ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
# count and drop any other traffic
counter drop
}
}
More Examples
nft add rule ip6 filter input tcp dport {telnet, http, https} accept
nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept