Linux/NfTablesFirewall
- (2022) nftables, "netfilter tables", is the 4th-generation Linux firewall configuration framework (after ipfwadm, ipchains and iptables). It replaces iptables in user space but hooks into the same netfilter hook points in the kernel.
NFT commands
Ensure NFT is enabled
systemctl status nftables
systemctl enable --now nftables
List tables
nft list ruleset
nft list tables
nft list table ip filter
nft list table ip nat
- Chain bindings to netfilter hooks. A base chain is attached to a hook with `type <filter|nat|route> hook <hook> priority <n>`; the hook names available depend on the table family:
Family: Hooks
ip / ip6 / inet: prerouting, input, forward, output, postrouting (inet additionally gets ingress on newer kernels)
arp: input, output
bridge: prerouting, input, forward, output, postrouting
netdev: ingress (and egress on newer kernels); this is the only family where ingress/egress are the normal hooks, they are not aliases for input/output
NFT and Docker
- Docker still calls the iptables binary to add its rules. On a system where iptables is the nftables-backed build (`iptables -V` prints "(nf_tables)") those rules land in the same kernel ruleset that nft manages, so the two can coexist with a few simple rules:
- Start nft first: load /etc/nftables.conf via systemctl (nftables.service) and make sure it is up before docker.service. A `flush ruleset` executed after Docker has started wipes Docker's rules, which it only re-creates on daemon restart.
- Use the table and chain names iptables/Docker expect, so Docker appends to them instead of creating its own: table ip filter with chains INPUT, OUTPUT & FORWARD (and table ip nat with PREROUTING, INPUT, OUTPUT & POSTROUTING).
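A complete /etc/nftables.conf that follows those three rules, added here as an illustration (it is not taken from the page, from Docker or from the nftables project). It assumes eth0 is the LAN/management side and that SSH on port 22 is the only service the host itself exposes; both are placeholders to adjust. The table names, chain names, hooks and priorities are the ones iptables-nft creates itself, so a `iptables -t filter -A FORWARD ...` or `iptables -t nat -A POSTROUTING ...` issued by the Docker daemon ends up in these chains:

```nft
#!/sbin/nft -f
# Loaded by nftables.service, which must be ordered before docker.service.
# Example config, not from the original page. Assumptions: eth0 = LAN side,
# tcp/22 = the only host service. Everything else is placeholder policy.

flush ruleset

table ip filter {
    # Base chains named and hooked exactly like iptables-nft's own, so Docker's
    # iptables calls reuse them instead of racing us for "table ip filter".
    chain INPUT {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        icmp type echo-request limit rate 5/second accept
        iifname "eth0" tcp dport 22 ct state new accept
        counter drop
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        # Docker inserts its jump rules (DOCKER-USER, DOCKER, ...) at the top of
        # this chain when the daemon starts; keep only generic rules here.
        ct state established,related accept
        ct state invalid drop
    }

    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }
}

table ip nat {
    # Same set of nat base chains as iptables-nft; Docker adds its MASQUERADE
    # and DNAT (published ports) rules to POSTROUTING / PREROUTING.
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
    }
    chain INPUT {
        type nat hook input priority 100; policy accept;
    }
    chain OUTPUT {
        type nat hook output priority -100; policy accept;
    }
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
    }
}
```

Check the file with `nft -c -f /etc/nftables.conf` before enabling the service, and after Docker has started confirm with `nft list table ip filter` that its DOCKER-USER and DOCKER chains appeared inside this table rather than in a second one. If `iptables -V` reports "(legacy)" instead, Docker's rules go into the separate legacy ruleset, which `nft list ruleset` never shows; both rulesets are still enforced by the kernel, which makes debugging confusing, so install the nft-backed iptables first.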
Examples
Basic nft FW
#!/sbin/nft -f
# Routing between the interfaces needs: sysctl -w net.ipv4.ip_forward=1

flush ruleset

table ip filter {
    # allow all packets sent by the firewall machine itself
    chain outp {
        type filter hook output priority 101; policy accept;
    }

    # allow LAN to firewall, disallow WAN to firewall
    # (as written this chain accepts everything; a drop rule matching the WAN
    # interface is still needed to enforce the second half of that intent)
    chain inp {
        type filter hook input priority 1; policy accept;
    }

    # allow packets from LAN (eth0) to WIFI (wlan1) and back
    chain fwd-wifi {
        type filter hook forward priority 1; policy drop;
        iifname "eth0" oifname "wlan1" accept
        iifname "wlan1" oifname "eth0" accept
    }
}

table ip nat {
    # source NAT for everything leaving via eth1, also wlan1(wifi) to eth0(lan)
    chain postrout {
        type nat hook postrouting priority 101; policy accept;
        oifname "eth1" masquerade
    }
}
Port knocking example - https://wiki.nftables.org/wiki-nftables/index.php/Port_knocking_example