@peteyoung
Last active Aug 29, 2015
dumping everything from nftables
========================================
# Three ways to dump the complete live ruleset (every family) to stdout.
# NOTE(review): `nft export` was removed in later nftables releases; there
# `nft -j list ruleset` is the JSON equivalent and XML output is gone --
# check the installed version before relying on the first two commands.
nft export xml
nft export json
# Plain nft syntax: this form can be fed straight back in with `nft -f`
# (see the backup/restore section below).
nft list ruleset
flushing all the rules
========================================
# Removes every table -- and with it every chain and rule -- in ALL
# families. The host has no nft filtering at all until a ruleset is loaded
# again, so dump the current one first (see above) and, on a remote host,
# make sure your session does not depend on a rule that is about to go.
nft flush ruleset
list all tables
========================================
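# Print the tables of each address family, grouped under a "family:" line.
# Expansions are quoted and printf is used instead of echo so the output is
# the same whatever the values contain (pure idiom fix; the family names are
# fixed here, so behaviour is unchanged).
# NOTE(review): the netdev family is not in this list; add it if the local
# kernel/nft support it.
families=( ip ip6 inet arp bridge )
for fam in "${families[@]}"; do
  printf '%s:\n' "$fam"
  nft list tables "$fam"
done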
various table operations
(redundant with `nft list ruleset`)
========================================
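#######################################
# Dump every table of every family, one `nft list table` call per table.
# Globals:   none (all loop state is local; the original leaked `families`
#            and `tables` into the caller's shell)
# Arguments: none
# Outputs:   the `nft list table FAMILY NAME` output for each table, stdout
# Returns:   0; an nft error for one family or table is printed by nft on
#            stderr and the loop carries on with the next one
#######################################
nft_list() {
  local -a families=( ip ip6 inet arp bridge )
  local fam line tab
  for fam in "${families[@]}"; do
    # `nft list tables FAMILY` prints one table per line. The original
    # `read -a tables <<< "$(... | sed 's/table //g')"` only consumed the
    # FIRST line, so a family with two or more tables listed just one.
    # Older nft prints "table NAME", newer nft prints "table FAMILY NAME";
    # the name is the last field either way, so take that instead of
    # stripping a fixed "table " prefix (presumed formats -- verify on the
    # installed version).
    while IFS= read -r line; do
      [[ -n "$line" ]] || continue
      tab=${line##* }
      nft list table "$fam" "$tab"
    done < <(nft list tables "$fam")
  done
}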
Adding rules by hand
========================================
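# Build a minimal inet (IPv4+IPv6) input filter one `nft add` at a time.
# Each rule expression is passed to nft as ONE quoted argument. Unquoted, the
# shell parses `&` as "run in background", `(fin|syn)` as a subshell and `<`
# as a redirect, so the tcp-flags lines below were shell syntax errors and
# never reached nft as written.
nft add table inet filter
nft add chain inet filter input '{ type filter hook input priority 0; }'
nft add chain inet filter output '{ type filter hook output priority 0; }'
# bad tcp -> avoid network scanning:
nft add rule inet filter input 'tcp flags & (fin|syn) == (fin|syn) drop'
nft add rule inet filter input 'tcp flags & (syn|rst) == (syn|rst) drop'
nft add rule inet filter input 'tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) drop' # == 0 would be better, not supported yet. null packet
nft add rule inet filter input 'tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) drop'
# accept neighbour discovery otherwise connectivity breaks. daddr filter is a workaround to set l3 protocol.
# This rule must sit ABOVE the icmpv6 rate limit: rules match first-hit and
# "ip6 nexthdr icmpv6 ... drop" would otherwise discard neighbour
# solicitations/advertisements during an icmpv6 flood -- exactly the
# breakage the comment warns about. echo-request is deliberately not in the
# set any more so ping stays subject to the rate limit below.
nft add rule inet filter input 'ip6 daddr 0::0/0 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept'
# allow icmp (ping) but limit flood attacks
nft add rule inet filter input ip protocol icmp limit rate 10/second accept
nft add rule inet filter input ip protocol icmp drop
nft add rule inet filter input ip6 nexthdr icmpv6 limit rate 10/second accept
nft add rule inet filter input ip6 nexthdr icmpv6 drop
# accept any localhost traffic
# (the original had `nft add rule filter input inet ...`; the family comes
# before the table name, as in every other rule here)
nft add rule inet filter input iifname lo accept
# accept traffic originated from us
nft add rule inet filter input ct state established,related accept
nft add rule inet filter input ct state invalid drop
# open tcp ports: sshd (22), httpd (80)
#nft add rule inet filter input 'tcp dport {ssh, http} accept'
nft add rule inet filter input 'tcp dport {ssh} accept'
# count and drop any other traffic, including forwards
nft add rule inet filter input counter drop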
fw.inet.basic
---------------------------8<---------------------------
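# fw.inet.basic -- load with `nft -f fw.inet.basic`.
# The leading `flush ruleset` turns the load into a replacement: every
# existing table in every family is dropped and the table below is installed
# by the same nft run.
flush ruleset
table inet filter {
	chain input {
		type filter hook input priority 0;
		# bad tcp -> avoid network scanning:
		tcp flags & (fin|syn) == (fin|syn) drop
		tcp flags & (syn|rst) == (syn|rst) drop
		tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) drop # == 0 would be better, not supported yet. null packet
		tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) drop
		# accept neighbour discovery otherwise connectivity breaks. daddr filter is a workaround to set l3 protocol.
		# Kept ABOVE the icmpv6 rate limit: rules match first-hit, and the
		# "ip6 nexthdr icmpv6 drop" below would otherwise discard neighbour
		# solicitations/advertisements during an icmpv6 flood. echo-request
		# is left out of the set so ping stays rate-limited.
		ip6 daddr 0::0/0 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
		# allow icmp (ping) but limit flood attacks
		ip protocol icmp limit rate 10/second accept
		ip protocol icmp drop
		ip6 nexthdr icmpv6 limit rate 10/second accept
		ip6 nexthdr icmpv6 drop
		# accept any localhost traffic
		iifname lo accept
		# accept traffic originated from us
		ct state established,related accept
		ct state invalid drop
		# open tcp ports: sshd (22), httpd (80)
		tcp dport {ssh, http} accept
		# count and drop any other traffic, including forwards
		counter drop
	}
}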
--------------------------->8---------------------------
backup and restore
========================================
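# http://wiki.nftables.org/wiki-nftables/index.php/Operations_at_ruleset_level
# backup
# Write to a private temp file and only rename it over backup.nft once
# `nft list ruleset` has succeeded. The original appended to backup.nft
# unconditionally, so a failed listing (no permission, nft missing) left a
# file containing just "flush ruleset" -- restoring that wipes the firewall.
# mktemp creates the file with mode 0600, so the ruleset is not world-readable.
if backup_tmp=$(mktemp backup.nft.XXXXXX) \
   && { printf 'flush ruleset\n'; nft list ruleset; } > "$backup_tmp"; then
  mv -- "$backup_tmp" backup.nft
else
  printf 'backup failed; backup.nft left unchanged\n' >&2
  [[ -z "${backup_tmp:-}" ]] || rm -f -- "$backup_tmp"
fi
# restore
# backup.nft starts with "flush ruleset", so `nft -f` replaces the whole
# ruleset; list it afterwards to confirm what is actually loaded.
nft -f backup.nft || printf 'restore failed\n' >&2
nft list ruleset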