dumping everything from nftables
========================================
# Dump the whole ruleset in each representation, machine-readable ones first.
# NOTE(review): `nft export` is absent from newer nftables releases, where
# `nft -j list ruleset` is the JSON equivalent — verify against the installed version.
for fmt in xml json; do
  nft export "$fmt"
done
nft list ruleset
flushing all the rules
========================================
# Remove the entire ruleset: every table in every family, with all chains and rules.
nft flush ruleset
list all tables
========================================
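# Print the tables defined in each address family, one "family:" header per block.
# Expansions are quoted and the header goes through printf so the snippet is
# ShellCheck-clean and does not depend on echo's option handling.
families=( ip ip6 inet arp bridge )
for fam in "${families[@]}"; do
  printf '%s:\n' "$fam"
  nft list tables "$fam"
done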
various table operations
(redundant with `nft list ruleset`)
========================================
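#######################################
# List every table of every address family by calling `nft list table`
# once per table.
# Globals:   none (families and tables are local)
# Arguments: none
# Outputs:   the output of `nft list table FAMILY TABLE` for each table
# Returns:   status of the last nft invocation
#######################################
nft_list() {
  local -a families=( ip ip6 inet arp bridge )
  local -a tables
  local fam tab
  for fam in "${families[@]}"; do
    # `nft list tables FAMILY` prints one "table ..." line per table. Take the
    # last field so the table name is extracted whether the line reads
    # "table NAME" or "table FAMILY NAME" (stripping only "table " would leave
    # the family in the list and produce a bogus `nft list table ip ip`).
    mapfile -t tables < <(nft list tables "$fam" | awk '{ print $NF }')
    for tab in "${tables[@]}"; do
      nft list table "$fam" "$tab"
    done
  done
}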
Adding rules by hand
========================================
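# Build the "inet filter" table by hand, one nft command per object.
# Each chain spec and rule body is passed as ONE quoted argument: nft joins its
# arguments into a single string before parsing, and without the quotes the
# shell would treat `&`, `(`, `|` and `<` in the tcp-flags rules as job control,
# subshells, pipes and redirections instead of passing them on to nft.
nft add table inet filter
nft add chain inet filter input '{ type filter hook input priority 0; }'
# the output chain is created but gets no rules below
nft add chain inet filter output '{ type filter hook output priority 0; }'
# bad tcp -> avoid network scanning:
nft add rule inet filter input 'tcp flags & (fin|syn) == (fin|syn) drop'
nft add rule inet filter input 'tcp flags & (syn|rst) == (syn|rst) drop'
nft add rule inet filter input 'tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) drop' # == 0 would be better, not supported yet. null packet
nft add rule inet filter input 'tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) drop'
# allow icmp (ping) but limit flood attacks
nft add rule inet filter input 'ip protocol icmp limit rate 10/second accept'
nft add rule inet filter input 'ip protocol icmp drop'
nft add rule inet filter input 'ip6 nexthdr icmpv6 limit rate 10/second accept'
nft add rule inet filter input 'ip6 nexthdr icmpv6 drop'
# accept any localhost traffic
# (the family comes before the table name, as in every other command here;
#  "filter input inet" is rejected by nft)
# NOTE(review): this rule sits after the ICMP rate limit above, so loopback
# ICMP beyond 10/second is dropped too; adding it first would exempt lo.
nft add rule inet filter input 'iifname lo accept'
# accept traffic originated from us
nft add rule inet filter input 'ct state established,related accept'
nft add rule inet filter input 'ct state invalid drop'
# accept neighbour discovery otherwise connectivity breaks. daddr filter is a workaround to set l3 protocol.
nft add rule inet filter input 'ip6 daddr 0::0/0 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept'
# open tcp ports: sshd (22), httpd (80)
#nft add rule inet filter input 'tcp dport {ssh, http} accept'
nft add rule inet filter input 'tcp dport {ssh} accept'
# count and drop any other traffic reaching this input chain. The chain was
# created without a policy clause (default accept), so this final rule is what
# makes it default-deny. Forwarded packets traverse the forward hook, not input.
nft add rule inet filter input 'counter drop'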
fw.inet.basic
---------------------------8<---------------------------
flush ruleset
table inet filter {
  chain input {
    # no policy clause: the chain defaults to accept, and the trailing
    # "counter drop" rule below is what makes it default-deny
    type filter hook input priority 0;
    # bad tcp -> avoid network scanning:
    tcp flags & (fin|syn) == (fin|syn) drop
    tcp flags & (syn|rst) == (syn|rst) drop
    tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) drop # == 0 would be better, not supported yet. null packet
    tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) drop
    # allow icmp (ping) but limit flood attacks
    ip protocol icmp limit rate 10/second accept
    ip protocol icmp drop
    ip6 nexthdr icmpv6 limit rate 10/second accept
    ip6 nexthdr icmpv6 drop
    # accept any localhost traffic
    # NOTE(review): this sits after the ICMP rate limit above, so loopback
    # ICMP beyond 10/second is dropped too; placing it first would exempt lo
    iifname lo accept
    # accept traffic originated from us
    ct state established,related accept
    ct state invalid drop
    # accept neighbour discovery otherwise connectivity breaks. daddr filter is a workaround to set l3 protocol.
    ip6 daddr 0::0/0 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
    # open tcp ports: sshd (22), httpd (80)
    tcp dport {ssh, http} accept
    # count and drop any other traffic reaching this input chain
    # (forwarded packets traverse the forward hook, not input)
    counter drop
  }
}
--------------------------->8---------------------------
backup and restore
========================================
# http://wiki.nftables.org/wiki-nftables/index.php/Operations_at_ruleset_level
# backup: the leading "flush ruleset" line makes the file self-contained, so
# loading it replaces whatever is currently active instead of appending to it
{
  printf 'flush ruleset\n'
  nft list ruleset
} > backup.nft
# restore (nft -f applies the whole file as one transaction), then show what is loaded
nft -f backup.nft
nft list ruleset