NFTables

From UVOO Tech Wiki
Revision as of 23:22, 5 September 2019 by Busk (talk | contribs)

Common commands

sudo nft list ruleset  # redirect this into /etc/nftables.conf as a simple way of backing up the current rules
sudo nft list tables
sudo nft list table <table-name>
sudo nft add rule nat prerouting iif bond0 ip daddr 23.228.169.145/32 dnat to 10.64.40.11  # "dnat to <addr>" is the current nft syntax
sudo nft -a list table nat  # -a prints the numeric handle of every rule
sudo nft delete rule nat prerouting handle <numeric id>  # handle taken from the -a listing above
sudo systemctl restart nftables

NAT

https://wiki.nftables.org/wiki-nftables/index.php/Multiple_NATs_using_nftables_maps

More Reading

Why Use Netfilter NFTables?

It's better! Read https://wiki.debian.org/nftables

Examples Using NFTables on Workstation

The inet table family has been available since Linux kernel 3.14 and allows a single dual-stack IPv4/IPv6 table instead of separate ip and ip6 tables.

ref: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_workstation

Run apt-get remove iptables first and reboot (to get rid of iptables).

Ultra simple nftables.conf for a local firewall using NFTables (for those of you used to iptables):

#!/usr/sbin/nft -f

# start from an empty ruleset so a reload does not append duplicate rules
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0;

        # accept any localhost traffic
        iif lo accept

        # accept traffic originated from us
        ct state established,related accept

        # accept neighbour discovery otherwise connectivity breaks
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

        # count and drop any other traffic
        counter drop
    }
}
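The same workstation ruleset taken a step further, as an added example that is not from the wiki page or the nftables project: an explicit drop policy, IPv4 ICMP (the simple version above silently breaks ping and path-MTU errors over IPv4), a rate-limited SSH allowance, and rate-limited logging of dropped packets so the drops show up in the journal. It assumes SSH on tcp/22 is the only service you want reachable.

```nft
#!/usr/sbin/nft -f
# Added example: hardened dual-stack workstation ruleset for /etc/nftables.conf.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # loopback and already-established flows
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # IPv4 ICMP needed for ping and path-MTU / error reporting
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } accept

        # ICMPv6: neighbour/router discovery plus the error types IPv6 relies on
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # SSH: new connections limited to 10 per minute (global, not per source), burst of 5
        tcp dport 22 ct state new limit rate 10/minute burst 5 packets accept
        tcp dport 22 ct state new counter drop

        # log at most 5 dropped packets per minute, then count and let the policy drop the rest
        limit rate 5/minute log prefix "nft-input-drop: " level info
        counter drop
    }

    chain forward {
        # a workstation does not route; refuse to forward anything
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check it before installing with `sudo nft -c -f nftables.conf` (parse only), then load it and confirm the counters move with `sudo nft list table inet filter`; the logged drops appear in `journalctl -k` with the `nft-input-drop:` prefix.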

More Examples

These assume an ip6 table named filter with an input chain already exists.

nft add rule ip6 filter input tcp dport { telnet, http, https } accept

nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

Proxy