nftables

nftables is the official successor of iptables. The nftables backend is administered with nft, but since RHEL 8 it is also used by the tools iptables and firewalld.

nftables Cheat Sheet

# List all tables
nft list tables

# List the ruleset
nft list ruleset
nft list ruleset > /etc/nftables/nftables.rules

# Configure the loopback interface to accept traffic
nft add rule inet filter input iif lo accept
nft add rule inet filter input ip saddr 127.0.0.0/8 counter drop
nft add rule inet filter input ip6 saddr ::1 counter drop

# Allow all outbound and all established connections
nft add rule inet filter input ip protocol icmp ct state established accept
nft add rule inet filter input ip protocol tcp ct state established accept
nft add rule inet filter input ip protocol udp ct state established accept
nft add rule inet filter output ip protocol icmp ct state new,related,established accept
nft add rule inet filter output ip protocol tcp ct state new,related,established accept
nft add rule inet filter output ip protocol udp ct state new,related,established accept

# Implement a default DROP policy
nft chain inet filter forward { policy drop \; }
nft chain inet filter input { policy drop \; }
nft chain inet filter output { policy drop \; }

# Create some base chains
nft create chain inet filter forward { type filter hook forward priority 0 \; }
nft create chain inet filter input { type filter hook input priority 0 \; }
nft create chain inet filter output { type filter hook output priority 0 \; }

# Create a table
nft create table inet filter

# Load rules file into nftables
nft -f /etc/nftables/nftables.rules
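The commands above are listed top-down but build the ruleset bottom-up: create the table, then the base chains, then the rules, then switch the policies to drop. As an added example that is not part of the original cheat sheet, the same policy as the declarative file that `nft -f` loads atomically; the per-protocol `ct state` rules are folded into one rule per chain, and the path is the one the cheat sheet saves to.

```nft
#!/usr/sbin/nft -f
# Added example: declarative form of the cheat sheet's ruleset.
# Assumed location: /etc/nftables/nftables.rules (the file `nft list ruleset` above is saved to).

# Start from an empty ruleset so re-loading the file does not append duplicate rules.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback is accepted first; the two drop rules below therefore only
        # hit packets that arrive on other interfaces with a loopback source.
        iif lo accept
        ip saddr 127.0.0.0/8 counter drop
        ip6 saddr ::1 counter drop

        # Replies to connections this host opened (covers icmp, tcp and udp in one rule).
        ct state established,related accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;

        # Everything initiated locally may leave, as in the per-protocol output rules above.
        ct state new,related,established accept
    }
}
```

`flush ruleset` removes every table, including the ones firewalld manages on RHEL 8, so on a host where firewalld is active either stop it first or load only this table without the flush line.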

Built on 2022-06-03