peteyoung/nftables.txt

## nftables.txt


dumping everything from nftables
========================================
nft export xml
nft export json
nft list ruleset


flushing all the rules
========================================
nft flush ruleset


list all tables
========================================
families=( ip ip6 inet arp bridge )
for fam in "${families[@]}"
do
  echo $fam:
  nft list tables $fam
done


various table operations
(redundant with `nft list ruleset`)
========================================
function nft_list() {
  families=( ip ip6 inet arp bridge )
  for fam in "${families[@]}"
  do
    read -a tables <<< $(nft list tables $fam | sed 's/table //g')

    for tab in "${tables[@]}"
    do
      nft list table $fam $tab
    done
  done
}


Adding rules by hand
========================================
nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0 \; }
nft add chain inet filter output { type filter hook output priority 0 \; }

# bad tcp -> avoid network scanning:
nft add rule inet filter input tcp flags & (fin|syn) == (fin|syn)			drop
nft add rule inet filter input tcp flags & (syn|rst) == (syn|rst)			drop
nft add rule inet filter input tcp flags & (fin|syn|rst|psh|ack|urg) < (fin)		drop # == 0 would be better, not supported yet. null packet
nft add rule inet filter input tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)	drop

# allow icmp (ping) but limit flood attacks
nft add rule inet filter input ip protocol icmp limit rate 10/second accept
nft add rule inet filter input ip protocol icmp drop
nft add rule inet filter input ip6 nexthdr icmpv6 limit rate 10/second accept
nft add rule inet filter input ip6 nexthdr icmpv6 drop

# accept any localhost traffic
nft add rule filter input inet iifname lo accept

# accept traffic originated from us
nft add rule inet filter input ct state established,related accept
nft add rule inet filter input ct state invalid drop

# accept neighbour discovery otherwise connectivity breaks. daddr filter is a workaround to set l3 protocol.
nft add rule inet filter input ip6 daddr 0::0/0 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

# open tcp ports: sshd (22), httpd (80)
#nft add rule inet filter input tcp dport {ssh, http} accept
nft add rule inet filter input tcp dport {ssh} accept

# count and drop any other traffic, including forwards
nft add rule inet filter input counter drop


fw.inet.basic
---------------------------8<---------------------------
flush ruleset

table inet filter {
        chain input {
                 type filter hook input priority 0;

                 # bad tcp -> avoid network scanning:
                 tcp flags & (fin|syn) == (fin|syn)			drop
                 tcp flags & (syn|rst) == (syn|rst)			drop
                 tcp flags & (fin|syn|rst|psh|ack|urg) < (fin)		drop # == 0 would be better, not supported yet. null packet
                 tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)	drop

                 # allow icmp (ping) but limit flood attacks
                 ip protocol icmp limit rate 10/second accept
                 ip protocol icmp drop
                 ip6 nexthdr icmpv6 limit rate 10/second accept
                 ip6 nexthdr icmpv6 drop

                 # accept any localhost traffic
                 iifname lo accept

                 # accept traffic originated from us
                 ct state established,related accept
                 ct state invalid drop

                 # accept neighbour discovery otherwise connectivity breaks. daddr filter is a workaround to set l3 protocol.
                 ip6 daddr 0::0/0 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

                 # open tcp ports: sshd (22), httpd (80)
                 tcp dport {ssh, http} accept

                 # count and drop any other traffic, including forwards
                 counter drop
        }
}
--------------------------->8---------------------------


backup and restore
========================================
# http://wiki.nftables.org/wiki-nftables/index.php/Operations_at_ruleset_level

# backup
echo "flush ruleset" > backup.nft; nft list ruleset >> backup.nft

# restore
nft -f backup.nft; nft list ruleset




	dumping everything from nftables
	========================================
	nft export xml
	nft export json
	nft list ruleset


	flushing all the rules
	========================================
	nft flush ruleset



	list all tables
	========================================
	families=( ip ip6 inet arp bridge )
	for fam in "${families[@]}"
	do
	echo $fam:
	nft list tables $fam
	done



	various table operations
	(redundant with `nft list ruleset`)
	========================================
	function nft_list() {
	families=( ip ip6 inet arp bridge )
	for fam in "${families[@]}"
	do
	read -a tables <<< $(nft list tables $fam \| sed 's/table //g')

	for tab in "${tables[@]}"
	do
	nft list table $fam $tab
	done
	done
	}


	Adding rules by hand
	========================================
	nft add table inet filter
	nft add chain inet filter input { type filter hook input priority 0 \; }
	nft add chain inet filter output { type filter hook output priority 0 \; }

	# bad tcp -> avoid network scanning:
	nft add rule inet filter input tcp flags & (fin\|syn) == (fin\|syn) drop
	nft add rule inet filter input tcp flags & (syn\|rst) == (syn\|rst) drop
	nft add rule inet filter input tcp flags & (fin\|syn\|rst\|psh\|ack\|urg) < (fin) drop # == 0 would be better, not supported yet. null packet
	nft add rule inet filter input tcp flags & (fin\|syn\|rst\|psh\|ack\|urg) == (fin\|psh\|urg) drop

	# allow icmp (ping) but limit flood attacks
	nft add rule inet filter input ip protocol icmp limit rate 10/second accept
	nft add rule inet filter input ip protocol icmp drop
	nft add rule inet filter input ip6 nexthdr icmpv6 limit rate 10/second accept
	nft add rule inet filter input ip6 nexthdr icmpv6 drop

	# accept any localhost traffic
	nft add rule filter input inet iifname lo accept

	# accept traffic originated from us
	nft add rule inet filter input ct state established,related accept
	nft add rule inet filter input ct state invalid drop

	# accept neighbour discovery otherwise connectivity breaks. daddr filter is a workaround to set l3 protocol.
	nft add rule inet filter input ip6 daddr 0::0/0 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

	# open tcp ports: sshd (22), httpd (80)
	#nft add rule inet filter input tcp dport {ssh, http} accept
	nft add rule inet filter input tcp dport {ssh} accept

	# count and drop any other traffic, including forwards
	nft add rule inet filter input counter drop





	fw.inet.basic
	---------------------------8<---------------------------
	flush ruleset

	table inet filter {
	chain input {
	type filter hook input priority 0;

	# bad tcp -> avoid network scanning:
	tcp flags & (fin\|syn) == (fin\|syn) drop
	tcp flags & (syn\|rst) == (syn\|rst) drop
	tcp flags & (fin\|syn\|rst\|psh\|ack\|urg) < (fin) drop # == 0 would be better, not supported yet. null packet
	tcp flags & (fin\|syn\|rst\|psh\|ack\|urg) == (fin\|psh\|urg) drop

	# allow icmp (ping) but limit flood attacks
	ip protocol icmp limit rate 10/second accept
	ip protocol icmp drop
	ip6 nexthdr icmpv6 limit rate 10/second accept
	ip6 nexthdr icmpv6 drop

	# accept any localhost traffic
	iifname lo accept

	# accept traffic originated from us
	ct state established,related accept
	ct state invalid drop

	# accept neighbour discovery otherwise connectivity breaks. daddr filter is a workaround to set l3 protocol.
	ip6 daddr 0::0/0 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

	# open tcp ports: sshd (22), httpd (80)
	tcp dport {ssh, http} accept

	# count and drop any other traffic, including forwards
	counter drop
	}
	}
	--------------------------->8---------------------------





	backup and restore
	========================================
	# http://wiki.nftables.org/wiki-nftables/index.php/Operations_at_ruleset_level

	# backup
	echo "flush ruleset" > backup.nft; nft list ruleset >> backup.nft

	# restore
	nft -f backup.nft; nft list ruleset