nftables

nftables is the official successor of iptables. The nftables backend is administered with nft, but since RHEL 8 it is also used by the iptables and firewalld tools.

Debugging

With nftables you can display every packet that matches a given rule; unlike iptables, this also works in PREROUTING and POSTROUTING. To do so, first look up the "handle" of the rule in question, then add meta nftrace set 1 to that rule (placed before its verdict, as in the examples below).

# find the correct table and chain
nft --handle list ruleset

# show the table and chain
nft --handle list chain ip filter INPUT

# copy the whole rule and add "meta nftrace set 1"
nft replace rule ip filter INPUT handle 9 iifname "eth0" meta l4proto tcp ip saddr 192.0.2.4 tcp dport 80 ct state new counter packets 536 bytes 32160 meta nftrace set 1 accept

# same thing for PREROUTING
nft --handle list chain ip nat PREROUTING
nft replace rule ip nat PREROUTING handle 5 meta l4proto tcp ip daddr 198.51.100.67 tcp dport { 80,443} counter packets 4 bytes 240 meta nftrace set 1 dnat to 10.196.185.3

# show the traces
nft monitor trace
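The steps above (look up the handle, copy the whole rule, insert meta nftrace set 1 before the verdict) are easy to get wrong by hand. The following added example, not part of the original page, parses a constructed sample of nft --handle list chain output and builds the matching nft replace rule command; the sample listing, VERDICTS set and function names are assumptions.

```python
import re

# Constructed sample of `nft --handle list chain ip filter INPUT` output;
# the rule on handle 9 is the one traced in the example above.
SAMPLE_LISTING = """\
table ip filter { # handle 1
\tchain INPUT { # handle 2
\t\ttype filter hook input priority filter; policy accept;
\t\tiifname "eth0" meta l4proto tcp ip saddr 192.0.2.4 tcp dport 80 ct state new counter packets 536 bytes 32160 accept # handle 9
\t\tct state invalid counter packets 0 bytes 0 drop # handle 12
\t}
}
"""

# Verdict / terminal statements; the trace statement must precede them.
VERDICTS = {"accept", "drop", "reject", "jump", "goto", "return",
            "dnat", "snat", "redirect", "masquerade"}
HEADER_RE = re.compile(r'^(table|chain)\s+(.+?)\s*\{')
RULE_RE = re.compile(r'^(?P<expr>.+?)\s+# handle (?P<handle>\d+)$')


def parse_listing(listing):
    """Return (family, table, chain, [(handle, rule_expr), ...])."""
    family = table = chain = None
    rules = []
    for raw in listing.splitlines():
        line = raw.strip()
        hdr = HEADER_RE.match(line)
        if hdr:
            if hdr.group(1) == "table":
                family, table = hdr.group(2).split()
            else:
                chain = hdr.group(2)
            continue
        m = RULE_RE.match(line)          # only rule lines carry "# handle N"
        if m:
            rules.append((int(m.group("handle")), m.group("expr")))
    return family, table, chain, rules


def add_trace(expr):
    """Insert 'meta nftrace set 1' before the verdict (searched from the end)."""
    tokens = expr.split()
    for i in range(len(tokens) - 1, -1, -1):
        if tokens[i] in VERDICTS:
            return " ".join(tokens[:i] + ["meta", "nftrace", "set", "1"] + tokens[i:])
    return expr + " meta nftrace set 1"   # no explicit verdict: append


def trace_commands(listing, match):
    """Build `nft replace rule` commands for every rule containing `match`."""
    family, table, chain, rules = parse_listing(listing)
    return [f"nft replace rule {family} {table} {chain} handle {h} {add_trace(e)}"
            for h, e in rules if match in e]


if __name__ == "__main__":
    for cmd in trace_commands(SAMPLE_LISTING, "192.0.2.4"):
        print(cmd)
```

Feed it the real listing (e.g. via subprocess) and run the printed commands as root; remember to replace the rule again without the trace statement once you are done.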

nftables Cheat Sheet

# List all tables
nft list tables

# List the ruleset
nft list ruleset
nft list ruleset > /etc/nftables/nftables.rules

# Configure the loopback interface to accept traffic
nft add rule inet filter input iif lo accept
nft create rule inet filter input ip saddr 127.0.0.0/8 counter drop
nft add rule inet filter input ip6 saddr ::1 counter drop

# Allow all outbound and all established connections
nft add rule inet filter input ip protocol icmp ct state established accept
nft add rule inet filter input ip protocol tcp ct state established accept
nft add rule inet filter input ip protocol udp ct state established accept
nft add rule inet filter output ip protocol icmp ct state new,related,established accept
nft add rule inet filter output ip protocol tcp ct state new,related,established accept
nft add rule inet filter output ip protocol udp ct state new,related,established accept

# Implement a default DROP policy
nft chain inet filter forward { policy drop \; }
nft chain inet filter input { policy drop \; }
nft chain inet filter output { policy drop \; }

# Create some base chains
nft create chain inet filter forward { type filter hook forward priority 0 \; }
nft create chain inet filter input { type filter hook input priority 0 \; }
nft create chain inet filter output { type filter hook output priority 0 \; }

# Create a table
nft create table inet filter

# Load rules file into nftables
nft -f /etc/nftables/nftables.rules

Built on 2024-04-18