How to set up/manage services on a computer
set up firewall and NAT with nftables

nftables is the successor to iptables

enable forwarding

Forwarding needs to be enabled in the kernel (sysctl) settings. In /etc/sysctl.conf add the line:

net.ipv4.ip_forward = 1

then reload the settings with:

sysctl --system

make nftables rules

install nftables if not already installed:

apt install nftables

in /etc/nftables.conf:

#!/usr/sbin/nft -f

# flush all rules
#flush ruleset

# flush only my tables: declaring each table before deleting it means the
# delete does not fail on a first load, when the table does not exist yet
table inet myfilter
delete table inet myfilter
table ip mynatv4
delete table ip mynatv4

table inet myfilter {
        chain myinput {
                # use the "input" hook for this chain
                # accepts packets by default, because we don't want
                # to have to keep track of all interfaces we don't want
                # firewalled (lan0, wlan0, lxdbr0, veths, etc)
                type filter hook input priority 0; policy accept;

                # allow established/related connections
                ct state {established, related} accept

                # drop invalid connections
                ct state invalid drop

                # packets that are received on a firewalled interface
                # are sent to the firewall chain for evaluation
                iifname "wan0" jump myfirewall
        }
        chain myfirewall { # handle firewall
                # accept incoming HTTP(s) connections
                tcp dport {http, https} accept

                # accept incoming SSH connections
                tcp dport 4322 accept

                # reject everything else
                reject with icmpx type port-unreachable
        }

        chain myforward {
                # forward everything by default
                type filter hook forward priority 0; policy accept;

                # forward incoming on wan0 only for established/related connections
                iifname wan0 ct state {established, related} accept

                # drop everything else
                iifname wan0 drop

        }
        chain myoutput {
                # let everything out by default
                type filter hook output priority 0; policy accept;

                # block outgoing mDNS broadcasts
                udp dport 5353 drop
        }
}

table ip mynatv4 {
        chain myprerouting {
                type nat hook prerouting priority -100;

                # if I wanted to do port forwarding I could do it like this:
                # forward http to 192.168.82.10
                #tcp dport http dnat to 192.168.82.10
        }
        chain mypostrouting {
                type nat hook postrouting priority 100;

                # masquerade outbound packets going to WAN
                oifname "wan0" masquerade
        }
}

Load this configuration with: nft -f /etc/nftables.conf

The nftables service is also configured to load that file (/etc/nftables.conf) on boot by default.
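As an added example (not part of these notes), the script below statically walks the filter table above and reports which new connections each interface is allowed to open, and what happens to everything else. It understands only the subset of nft syntax this config uses (one rule per line, "type ... hook ...;" chain definitions, iifname / ct state / dport matches, accept / drop / reject / jump verdicts); the ruleset embedded in it is a comment-stripped copy of the table above. It is a review aid, not a syntax check: run nft -c -f /etc/nftables.conf for that before loading.

```python
"""Static walk of the nftables ruleset: what does it accept on an interface?
Added example; handles only the nft syntax subset used in the config above."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: the page's filter table with comments removed.
RULESET = """
table inet myfilter {
        chain myinput {
                type filter hook input priority 0; policy accept;
                ct state {established, related} accept
                ct state invalid drop
                iifname "wan0" jump myfirewall
        }
        chain myfirewall {
                tcp dport {http, https} accept
                tcp dport 4322 accept
                reject with icmpx type port-unreachable
        }
        chain myforward {
                type filter hook forward priority 0; policy accept;
                iifname wan0 ct state {established, related} accept
                iifname wan0 drop
        }
}
"""

@dataclass
class Chain:
    name: str
    hook: Optional[str] = None      # None for a chain that is only a jump target
    policy: Optional[str] = None
    rules: list = field(default_factory=list)

CHAIN_DEF = re.compile(r"type\s+\w+\s+hook\s+(\w+)\s+priority\s+-?\w+\s*;"
                       r"(?:\s*policy\s+(\w+)\s*;)?")
PORT_MATCH = re.compile(r"\b(tcp|udp)\s+dport\s+(\{[^}]*\}|\S+)")
IIF_MATCH = re.compile(r'\biifname\s+"?(\w+)"?')
CT_MATCH = re.compile(r"\bct\s+state\s+(\{[^}]*\}|\w+)")

def parse_ruleset(text: str) -> dict:
    """Return the chains keyed by name, with '#' comments stripped."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("chain ") and line.endswith("{"):
            current = Chain(line.split()[1])
            chains[current.name] = current
        elif line == "}":
            current = None                  # closes a chain or the table
        elif current is None:
            continue                        # 'table ...', 'delete table ...'
        elif line.startswith("type "):
            m = CHAIN_DEF.match(line)
            current.hook, current.policy = m.group(1), m.group(2)
        else:
            current.rules.append(line)
    return chains

def _ports(rule: str):
    m = PORT_MATCH.search(rule)
    if not m:
        return None
    proto, spec = m.groups()
    names = spec.strip("{}").split(",") if spec.startswith("{") else [spec]
    return {f"{proto}/{n.strip()}" for n in names}

def _verdict(rule: str) -> Optional[str]:
    toks = rule.split()
    return next((v for v in ("accept", "drop", "reject") if v in toks), None)

def exposure(chains: dict, hook: str, iface: str):
    """Trace a NEW connection arriving on `iface` through the chain hooked at
    `hook`. Returns (accepted ports, fate of every other new connection)."""
    accepted, blocked = set(), set()

    def walk(chain: Chain) -> Optional[str]:
        for rule in chain.rules:
            iif = IIF_MATCH.search(rule)
            if iif and iif.group(1) != iface:
                continue                    # rule is for another interface
            ct = CT_MATCH.search(rule)
            if ct and "new" not in ct.group(1):
                continue                    # established/related/invalid only
            toks = rule.split()
            if "jump" in toks:
                fate = walk(chains[toks[toks.index("jump") + 1]])
                if fate is not None:
                    return fate             # target chain gave a final verdict
                continue                    # fell through: back to this chain
            verdict, ports = _verdict(rule), _ports(rule)
            if verdict is None:
                continue
            if ports is None:
                return verdict              # catch-all verdict ends the walk
            if verdict == "accept":
                accepted.update(ports - blocked)
            else:
                blocked.update(ports)       # an earlier drop/reject wins
        return None

    entry = next(c for c in chains.values() if c.hook == hook)
    fate = walk(entry)
    return accepted, fate if fate is not None else f"policy {entry.policy}"

if __name__ == "__main__":
    chains = parse_ruleset(RULESET)
    for hook, iface in (("input", "wan0"), ("input", "lan0"), ("forward", "wan0")):
        ports, fate = exposure(chains, hook, iface)
        print(f"{hook}/{iface}: accepts {sorted(ports) or 'nothing'}; others: {fate}")
```

Running it shows the intent of the config in one line per case: on wan0 only tcp/http, tcp/https and tcp/4322 are reachable and everything else is rejected, new connections from wan0 cannot be forwarded at all, and an interface such as lan0 hits the input chain's policy accept, i.e. it is not firewalled, which is exactly what the comment in myinput describes.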

make sure service is enabled

make sure the service is enabled so that the rules are automatically applied on boot:

systemctl enable nftables