NFTables (PC)

For a server see NFTables (Server); for NAT see NFTables (NAT).

So let me try. Still at it :) Warning: not tested yet.

Basic idea

# Note: "flush ruleset" removes every table in every family, including tables
# that other tools (e.g. firewalld, Docker) may have added. The file is loaded
# as a single transaction, so the old ruleset is replaced atomically.
flush ruleset

table inet filter {

    # Ports reachable from the network. Service names are resolved through
    # /etc/services when the file is loaded; "flags interval" also allows
    # ranges such as 6000-6010.
    set tcp_accept {
        type inet_service; flags interval;
        elements = { http, https, ssh }
    }

    set udp_accept {
        type inet_service; flags interval;
        elements = { openvpn }
    }

    # Regular (non-base) chain used from input and forward. An accept verdict
    # here accepts the packet for good; it does not return to the caller.
    chain base_checks {
        # allow established/related connections
        ct state {established, related} accept
        # early drop of invalid connections
        ct state invalid drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Accept on localhost
        iifname lo accept
        jump base_checks

        # Accept ICMPv6. Neighbour/router discovery and MLD are required for
        # IPv6 to work at all. echo-request is not listed, so the host does
        # not answer ping.
        meta l4proto ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, \
        time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, \
        mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, \
        nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report \
        } accept

        # Accept ICMP (again without echo-request; add it if the host should answer ping)
        meta l4proto icmp icmp type { destination-unreachable, router-solicitation, \
        router-advertisement, time-exceeded, parameter-problem } accept

        # Accept mDNS queries sent to the multicast group only. Unicast replies
        # to our own queries already match "ct state established" above.
        udp dport mdns ip6 daddr ff02::fb accept
        udp dport mdns ip daddr 224.0.0.251 accept

        # Accept UPnP IGD port mapping reply (SSDP). Our M-SEARCH is sent to the
        # multicast group, but the reply comes unicast from the device's own
        # address, so conntrack does not see it as part of that flow. Restrict
        # it to private/link-local sources and rate-limit it.
        udp sport 1900 udp dport >= 1024 ip6 saddr { fd00::/8, fe80::/10 } meta \
        pkttype unicast limit rate 4/second burst 20 packets accept
        udp sport 1900 udp dport >= 1024 ip saddr { 10.0.0.0/8, 172.16.0.0/12, \
        192.168.0.0/16, 169.254.0.0/16 } meta pkttype unicast limit rate 4/second \
        burst 20 packets accept

        # Allow the ports from the sets above
        tcp dport @tcp_accept accept
        udp dport @udp_accept accept
    }

    # Not a gateway. We do not forward (IP forwarding is off), so nothing
    # normally reaches this chain; the drop policy is a safety net.
    chain forward {
        type filter hook forward priority 0; policy drop;

        jump base_checks
    }

    # Chain to accept all outgoing packets
    chain output {
        type filter hook output priority 0; policy accept;
    }

}

Resources

en/security/computer/linux/firewall/nftables.txt · Last modified: 2020/07/20 10:42 by Digital Dot