set up firewall and NAT with nftables
nftables is the successor to iptables
enable forwarding
Forwarding must be enabled in the kernel. In /etc/sysctl.conf add the line:
net.ipv4.ip_forward = 1
then reload the settings with:
sysctl --system
make nftables rules
install nftables if not already installed:
apt install nftables
In /etc/nftables.conf put:

```
#!/usr/sbin/nft -f
# flush all rules (left disabled: it would also wipe tables created by other tools)
#flush ruleset
# flush only my tables: declaring a table is a no-op if it already exists,
# so the delete that follows always succeeds and the file can be reloaded cleanly
table inet myfilter
delete table inet myfilter
table ip mynat
delete table ip mynat

table inet myfilter {
    chain input {
        # accepts packets by default, because we don't want
        # to have to keep track of all interfaces we don't want
        # firewalled (lan0, wlan0, bridges, veths, etc)
        type filter hook input priority 0; policy accept;
        # drop invalid connections
        ct state invalid drop
        # packets that are received on a firewalled interface
        # are sent to the firewall chain for evaluation
        iifname wan0 jump firewall
    }
    chain firewall {
        # allow established/related connections
        ct state {established, related} accept
        # accept incoming HTTP(s) connections
        tcp dport {80, 443} accept
        # accept incoming SSH connections
        tcp dport 4322 accept
        # accept incoming SSH connections for gitea
        tcp dport 4323 accept
        # accept incoming minecraft MP connections
        udp dport {19132, 19133} accept
        tcp dport {19132, 19133} accept
        # block mDNS broadcasts
        udp dport 5353 drop
        # reject everything else
        reject
    }
    chain forward {
        # forward everything by default
        type filter hook forward priority 0; policy accept;
        # drop invalid connections
        ct state invalid drop
        # send packets received on WAN to firewall chain
        iifname wan0 jump firewall
    }
    chain output {
        # let everything out by default
        type filter hook output priority 0; policy accept;
        # block outgoing mDNS broadcasts
        udp dport 5353 drop
    }
}

table ip mynat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # if I wanted to do port forwarding I could do it like this:
        # forward http to 192.168.82.10
        #tcp dport http dnat to 192.168.82.10
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # masquerade outbound packets going to WAN
        oifname "wan0" masquerade
    }
}
```
Load this configuration with nft -f /etc/nftables.conf (nft -c -f /etc/nftables.conf checks the file for errors without applying it).
The nftables service is also configured to load that file on boot by default.
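As an added example (not part of the original notes), a small Python audit that reads a config in the format above, lists which tcp/udp ports the firewall chain accepts from wan0 (both the input and forward hooks jump to it), and flags a chain with no catch-all reject/drop, since with policy accept on every hook any unmatched WAN packet would then be accepted. SAMPLE_CONFIG is an abridged copy of the firewall chain above; the parser assumes this file's one-statement-per-line layout and is not a general nft parser.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
# Abridged copy of the firewall chain from the config above (sample input).
SAMPLE_CONFIG = """
table inet myfilter {
    chain firewall {
        ct state {established, related} accept
        tcp dport {80, 443} accept
        tcp dport 4322 accept
        tcp dport 4323 accept
        udp dport {19132, 19133} accept
        tcp dport {19132, 19133} accept
        udp dport 5353 drop
        reject
    }
}
"""
# One-line port rules of the form: <tcp|udp> dport <port|{ports}> <verdict>
PORT_RULE = re.compile(r"^(tcp|udp)\s+dport\s+(\{[^}]*\}|\d+)\s+(accept|drop|reject)$")

@dataclass
class ChainAudit:
    accepted: dict = field(default_factory=lambda: {"tcp": set(), "udp": set()})
    terminal_verdict: Optional[str] = None  # last bare accept/drop/reject, if any
    problems: list = field(default_factory=list)

def chain_body(config: str, chain: str) -> list:
    """Return the statements of `chain <name> { ... }` with comments stripped."""
    m = re.search(r"chain\s+%s\s*\{(.*?)\n\s*\}" % re.escape(chain), config, re.S)
    if not m:
        raise ValueError("chain %s not found" % chain)
    lines = (raw.split("#", 1)[0].strip() for raw in m.group(1).splitlines())
    return [line for line in lines if line]

def audit_chain(config: str, chain: str = "firewall") -> ChainAudit:
    """Collect ports the chain accepts and check it ends in a terminal verdict."""
    audit = ChainAudit()
    for line in chain_body(config, chain):
        m = PORT_RULE.match(line)
        if m:
            proto, ports, verdict = m.groups()
            if verdict == "accept":
                audit.accepted[proto] |= {int(p) for p in re.findall(r"\d+", ports)}
        elif line in ("accept", "drop", "reject"):
            audit.terminal_verdict = line
    if audit.terminal_verdict not in ("drop", "reject"):
        audit.problems.append("no catch-all drop/reject: unmatched traffic falls through to the hook policy")
    return audit
```

Run it against the real file with audit_chain(open("/etc/nftables.conf").read()) to see the WAN-exposed ports after every edit.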
make sure service is enabled
make sure the service is enabled so that the rules are automatically applied on boot:
systemctl enable nftables