07.-Nftables Examples

This document contains several example nftables configuration files that provide basic firewalling, network address translation (NAT), and filtering for typical workstations. The examples demonstrate combining IPv4 and IPv6 rules into a single table, accepting related/established connections, and dropping invalid packets. One example also shows how nftables rules can be combined with bash scripting.

Nftables/Examples - Gentoo Wiki https://wiki.gentoo.org/wiki/Nftables/Examples


Nftables/Examples
From Gentoo Wiki
On this page several example nftables configurations can be found. The first two examples are
skeletons illustrating how nftables works. The third and fourth examples show how, with nftables,
rules can be simplified by combining IPv4 and IPv6 in the generic IP table 'inet'. The fifth example
shows how nftables can be combined with bash scripting.

Contents

▪ 1 Basic routing firewall
▪ 2 Basic NAT
▪ 3 Typical workstation (separate IPv4 and IPv6)
▪ 4 Typical workstation (combined IPv4 and IPv6)
▪ 5 Stateful router example
▪ 6 References

Basic routing firewall


The following is an example of nftables rules for a basic IPv4 firewall that:

1. Only allows packets from LAN to the firewall machine
2. Only allows packets
   1. From LAN to WAN
   2. From WAN to LAN for connections established by LAN.

For forwarding between WAN and LAN to work, it needs to be enabled with (no spaces around the
equals sign, otherwise sysctl treats the pieces as separate arguments):

root # sysctl -w net.ipv4.ip_forward=1


FILE /etc/nftables/nftables_firewall

1 of 9 15/03/2023, 10:28

#!/sbin/nft -f

flush ruleset

table ip filter {
    # allow all packets sent by the firewall machine itself
    chain output {
        type filter hook output priority 100; policy accept;
    }

    # allow LAN to firewall, disallow WAN to firewall
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "lan0" accept
        iifname "wan0" drop
    }

    # allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "lan0" oifname "wan0" accept
        iifname "wan0" oifname "lan0" ct state related,established accept
    }
}

Basic NAT
The following is an example of nftables rules for setting up basic Network Address Translation (NAT)
using masquerade. If you have a static IP, it would be slightly faster to use source NAT (SNAT) instead of
masquerade: the router then replaces the source with a predefined IP instead of looking up the
outgoing interface's IP for every packet.

Note

masquerade is available in kernel 3.18 and up. When using NAT on kernels before 4.18, be sure to
unload or disable iptables NAT, as it will take precedence over nftables NAT.

FILE /etc/nftables/nftables_nat


#!/sbin/nft -f

flush ruleset

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }

    # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
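To make the masquerade-versus-SNAT choice above concrete, here is an added shell example (not from the Gentoo wiki page): it generates the NAT table text with "snat to" when a static WAN address is supplied and "masquerade" otherwise, syntax-checks the result with "nft -c", and loads it in a single "nft -f" transaction. The interface name "wan0" follows the page; the address 203.0.113.5 and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the Gentoo wiki page: generate the "ip nat" table so
# that a static WAN address gets "snat to <addr>" and a dynamic one gets
# "masquerade". Interface name "wan0" follows the page; 203.0.113.5 is a
# documentation-range placeholder address, not a value from the page.

# build_nat_table WAN_IFNAME [STATIC_IP]
# Prints the nft ruleset text for the NAT table to stdout.
build_nat_table() {
    ifname="$1"
    static_ip="${2:-}"
    if [ -n "$static_ip" ]; then
        # fixed public address: rewrite the source to it, no per-packet lookup
        action="snat to $static_ip"
    else
        # address assigned dynamically: let the kernel look it up per packet
        action="masquerade"
    fi
    printf '%s\n' \
        "table ip nat {" \
        "    chain prerouting {" \
        "        type nat hook prerouting priority 0; policy accept;" \
        "    }" \
        "    chain postrouting {" \
        "        type nat hook postrouting priority 100; policy accept;" \
        "        oifname \"$ifname\" $action" \
        "    }" \
        "}"
}

# nat_rule WAN_IFNAME [STATIC_IP]
# Returns only the postrouting rule line, without indentation, for inspection.
nat_rule() {
    build_nat_table "$@" | grep 'oifname' | sed 's/^[[:space:]]*//'
}

# apply_nat_table WAN_IFNAME [STATIC_IP]
# Syntax-checks the generated text with "nft -c", then replaces the NAT table
# in one "nft -f" transaction (needs root and the nft binary; not run here).
# "table ip nat" followed by "delete table ip nat" makes the delete succeed
# even when no NAT table exists yet, so the same file works on first load.
apply_nat_table() {
    ruleset=$(build_nat_table "$@")
    printf '%s\n' "$ruleset" | nft -c -f - || return 1
    printf 'table ip nat\ndelete table ip nat\n%s\n' "$ruleset" | nft -f -
}
```

Only apply_nat_table touches the kernel; build_nat_table and nat_rule can be run as an unprivileged user to inspect what would be loaded.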

Typical workstation (separate IPv4 and IPv6)


This is an example of a simple rule set that may be used by a typical workstation or other end-user
device. It defaults to dropping packets that do not match any of the rules, uses connection tracking to
accept packets established or related to traffic initiated by the host, and accepts all ICMP (see note).
Further, it assumes that you want to be able to connect to the machine via SSH.
While counter is used in this example, it isn't required if you're not interested in packet counts; just
omit counter from any rule.

Note

Generally, you should accept all ICMP. It is fundamental to various networking operations and
eases troubleshooting. Dropping it altogether can result in undesirable behavior.[1]

FILE /etc/nftables/nftables.rules


#!/sbin/nft -f

flush ruleset

# ----- IPv4 -----

table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "early drop of invalid packets"
        ct state {established, related} counter accept comment "accept all connections related to connections made by us"
        iif lo accept comment "accept loopback"
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
        ip protocol icmp counter accept comment "accept all ICMP types"
        tcp dport 22 counter accept comment "accept SSH"
        counter comment "count dropped packets"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }

    # If you're not counting packets, this chain can be omitted.
    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }
}

# ----- IPv6 -----

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "early drop of invalid packets"
        ct state {established, related} counter accept comment "accept all connections related to connections made by us"
        iif lo accept comment "accept loopback"
        iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
        ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
        tcp dport 22 counter accept comment "accept SSH"
        counter comment "count dropped packets"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }

    # If you're not counting packets, this chain can be omitted.
    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }
}

Typical workstation (combined IPv4 and IPv6)


As in the previous example, but using the inet family to apply the rules to both IPv4 and IPv6 packets,
so only one table needs to be maintained.

Note

inet has been available since kernel 3.14.

FILE /etc/nftables/nftables.rules

#!/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "early drop of invalid packets"
        ct state {established, related} counter accept comment "accept all connections related to connections made by us"
        iif lo accept comment "accept loopback"
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
        iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
        ip protocol icmp counter accept comment "accept all ICMP types"
        ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
        tcp dport 22 counter accept comment "accept SSH"
        counter comment "count dropped packets"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }

    # If you're not counting packets, this chain can be omitted.
    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }
}

Stateful router example


The following is an example of an nftables configuration script for a stateful router.


Note

Shell scripts break atomicity when applying the ruleset unless you use the native nftables scripting
environment. See Nftables Scripting (https://wiki.nftables.org/wiki-nftables/index.php/Scripting).

FILE /home/rt/scripts/nft.sh


#!/bin/bash

nft="/sbin/nft";

# ruleset, masquerade and full reject support are available starting with Linux Kernel 3.18
${nft} flush ruleset;

export LAN_IN=enp3s6
export LAN_ML=enp2s0
export WAN=ppp0
LAN_INLOCALNET=192.168.1.0/24
LAN_MLNET=10.52.0.0/14
MLIP=10.54.1.101
TORRENT_PORT_WAN=55414
TRACKER_TORRENT_PORT_WAN=4949
TORRENT_PORT_LAN=55413

MAC[2]=00:23:45:67:89:ab
...
MAC[20]=00:fe:dc:ba:98:76

${nft} -f /etc/nftables/ipv4-filter;
${nft} -f /etc/nftables/ipv4-nat;

# BANNED
${nft} add rule filter input meta iifname ${WAN} ip saddr 121.12.242.43 drop;

# Drop locals from internet
${nft} add rule filter input meta iifname ${WAN} ip saddr \
    { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 } drop;

# Drop invalid
${nft} add rule filter input ct state invalid drop;

${nft} add rule filter input meta iif lo ct state new accept;

${nft} add rule filter input meta iif ${LAN_ML} ip saddr ${LAN_MLNET} ct state new accept;
${nft} add rule filter input meta iif ${LAN_IN} ip saddr ${LAN_INLOCALNET} ct state new accept;

${nft} add rule filter input ip protocol tcp tcp dport \
    { ${TORRENT_PORT_LAN}, ${TORRENT_PORT_WAN}, \
      ${TRACKER_TORRENT_PORT_WAN} } ct state new accept;
${nft} add rule filter input ip protocol udp udp dport \
    { ${TORRENT_PORT_LAN}, ${TORRENT_PORT_WAN}, \
      ${TRACKER_TORRENT_PORT_WAN} } ct state new accept;

${nft} add rule filter input meta iifname ${WAN} ip protocol tcp ct state new tcp dport 80 accept;

# torrent port forwarding example
# (current nft versions require the "to" keyword after dnat and snat)
${nft} add rule nat prerouting meta iifname ${WAN} tcp dport ${TORRENT_PORT_LAN} \
    dnat to 192.168.1.10:${TORRENT_PORT_LAN};

${nft} add rule filter forward meta iifname ${WAN} meta oif ${LAN_IN} ip daddr 192.168.1.10 \
    tcp dport ${TORRENT_PORT_LAN} ct state new accept;

${nft} add rule filter input ip saddr != ${LAN_INLOCALNET} ct state new drop;
${nft} add rule filter forward meta iif ${LAN_ML} ct state new drop;
${nft} add rule filter forward meta iifname ${WAN} ct state new drop;

${nft} add rule filter input ct state established,related accept;

${nft} add rule nat postrouting oif ${LAN_ML} ip saddr ${LAN_INLOCALNET} snat to ${MLIP};
${nft} add rule nat postrouting oifname ${WAN} ip saddr ${LAN_INLOCALNET} masquerade;

${nft} add rule filter forward ct state established,related accept;

# Give internet access to internal LAN addresses
for i in {2..20}
do
    if grep 1 /var/www/myhost/htdocs/payment/192.168.1.$i > /dev/null;
    then
        ${nft} add rule filter forward ether saddr ${MAC[$i]} ip saddr 192.168.1.$i \
            ct state new accept;
        echo ACCEPT 192.168.1.$i ALL;
    else
        ${nft} add rule filter forward ether saddr ${MAC[$i]} ip saddr 192.168.1.$i \
            meta oif ${LAN_ML} ct state new accept;
        echo ACCEPT 192.168.1.$i ${LAN_ML};
    fi
done

# Policies
${nft} add rule filter input drop;
${nft} add rule filter forward drop;
${nft} add rule filter output accept;

/etc/init.d/nftables save;
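The note above about shell scripts breaking atomicity can be addressed without giving up the script's logic. The added example below (not from the Gentoo wiki page, and not the page's nft.sh) builds the same kind of per-host forward rules as the loop in nft.sh, but writes them into one ruleset text that a single "nft -f" call applies as one transaction, after a dry run with "nft -c". Between the "nft add rule" calls of the original script the kernel briefly runs with a partial ruleset; with a single load it never does. Interface names and the LAN network follow the page; the host list, the MAC addresses, the marker directory and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Gentoo wiki page: the same per-host forwarding
# policy as the page's bash loop, but emitted as one ruleset file and loaded
# with a single "nft -f" call, so the kernel applies it as one atomic
# transaction instead of one "nft add rule" at a time.
# Interface names and the LAN network follow the page; the host inventory,
# the MAC addresses and the marker directory are constructed placeholders.

LAN_IN=enp3s6
LAN_ML=enp2s0
WAN=ppp0
LAN_INLOCALNET=192.168.1.0/24

# Constructed inventory, one "ip mac" pair per line (the page keeps MACs in
# a bash array indexed by host number).
HOSTS='192.168.1.2 00:23:45:67:89:ab
192.168.1.3 00:11:22:33:44:55
192.168.1.20 00:fe:dc:ba:98:76'

# host_has_full_access IP MARKER_DIR
# The page greps for "1" in a per-host file; the directory is a parameter
# here so the logic can be exercised without the real path.
host_has_full_access() {
    grep -q 1 "$2/$1" 2>/dev/null
}

# forward_rules MARKER_DIR
# One rule per host: marked hosts may be forwarded anywhere, the rest only
# towards LAN_ML.
forward_rules() {
    printf '%s\n' "$HOSTS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        if host_has_full_access "$ip" "$1"; then
            echo "        ether saddr $mac ip saddr $ip ct state new accept"
        else
            echo "        ether saddr $mac ip saddr $ip oifname \"$LAN_ML\" ct state new accept"
        fi
    done
}

# build_ruleset MARKER_DIR
# The complete text handed to "nft -f". Declaring the table and deleting it
# first lets the same file replace an existing table or create a fresh one.
build_ruleset() {
    cat <<EOF
table ip filter
delete table ip filter
table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        iifname "$WAN" ip saddr { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 } drop
        iif lo accept
        iifname "$LAN_IN" ip saddr $LAN_INLOCALNET ct state new accept
        ct state established,related accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
$(forward_rules "$1")
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# count_rules MARKER_DIR full|restricted
# Number of generated per-host forward rules of the given kind.
count_rules() {
    if [ "$2" = full ]; then
        build_ruleset "$1" | grep 'ether saddr' | grep -vc 'oifname'
    else
        build_ruleset "$1" | grep 'ether saddr' | grep -c 'oifname'
    fi
}

# apply_ruleset MARKER_DIR
# Dry-run with "nft -c", then load everything at once (needs root and nft).
apply_ruleset() {
    ruleset=$(build_ruleset "$1")
    printf '%s\n' "$ruleset" | nft -c -f - || return 1
    printf '%s\n' "$ruleset" | nft -f -
}
```

The marker-file check and the rule generation run entirely in the shell, so the ruleset can be inspected with build_ruleset before anything touches the kernel; only apply_ruleset needs root and the nft binary. Because the whole table is replaced in one transaction, a syntax error anywhere in the generated text leaves the previously loaded ruleset untouched.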

References
1. http://shouldiblockicmp.com/

Retrieved from "https://wiki.gentoo.org/index.php?title=Nftables/Examples&oldid=927825"

▪ This page was last edited on 4 March 2021, at 19:33.



© 2001–2023 Gentoo Authors

Gentoo is a trademark of the Gentoo Foundation, Inc. The contents of this document, unless
otherwise expressly stated, are licensed under the CC-BY-SA-4.0
(https://creativecommons.org/licenses/by-sa/4.0/) license. The Gentoo Name and Logo Usage
Guidelines (https://www.gentoo.org/inside-gentoo/foundation/name-logo-guidelines.html)
apply.
