Nftables (Linux): Unterschied zwischen den Versionen

Zeile 395: Zeile 395:

{{note|To check}}

Zurück zu [[Ubuntu#N (Server)|Ubuntu]]
Zurück zu [[Ubuntu#N (Server)|Ubuntu]]

Version vom 30. März 2020, 06:55 Uhr

Noch in Bearbeitung


# Install nftables (provides the nft tool used by all later steps).
sudo apt-get install --yes nftables


# Start the unit at boot, then restart it now so the ruleset is (re)applied.
sudo systemctl enable nftables.service
sudo systemctl restart nftables.service



# Edit the ruleset file as root; the listings below are candidate contents for it.
sudo vi /etc/nftables.conf
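#!/usr/sbin/nft -f
# Minimal starting ruleset: one inet table with the three base chains and an
# accept policy everywhere. Nothing is filtered yet; it is the skeleton the
# later listings fill in. (Closing braces restored - the original listing had
# none and would not load with nft -f.)

# Discard every rule currently loaded so this file is the complete ruleset.
flush ruleset

table inet filter {
   chain input {
      type filter hook input priority 0; policy accept;
   }

   chain forward {
      type filter hook forward priority 0; policy accept;
   }

   chain output {
      type filter hook output priority 0; policy accept;
   }
}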
table inet filter
Legt eine Tabelle mit dem Namen filter für die Familie inet an.
Mit der Familie inet lassen sich Regeln für IPv4 und IPv6 auf einmal definieren.
type filter hook input priority 0;
type legt fest, welche Art von Kette gebildet werden soll. Mögliche Werte sind filter, route oder nat.
hook legt fest, in welcher Phase sich die Pakete während der Bearbeitung befinden. Mögliche Werte sind prerouting, input, forward, output oder postrouting.
priority legt die Reihenfolge fest, in der Ketten untereinander bzw. gegenüber anderen Netfilter-Operationen abgearbeitet werden.
policy accept;
Lässt als Standard-Regel alle Pakete durch.



# icmp (ping)
# Rate-limited variant of the ping rule: up to 10 echo requests per second
# (burst 2) are counted and accepted; requests above the limit do not match
# this rule and continue to the following rules.
icmp type echo-request limit rate 10/second burst 2 packets counter accept;
# open sshd (22) for internal networks only
# Same source restriction as the SSH rule in the full listings, additionally
# capped at 15 matching packets per minute.
tcp dport { ssh } ip saddr @internal_networks_ip4 limit rate 15/minute accept;



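#!/usr/sbin/nft -f
# Stand-alone server ruleset: default-deny on input and forward, open output.
# SSH and MySQL are reachable from the internal networks only.
# (Closing braces restored - the original listing had none and would not load.)

# Start from an empty ruleset so this file is authoritative.
flush ruleset

table inet filter {
  # Source networks that may reach SSH and MySQL.
  set internal_networks_ip4 {
    type ipv4_addr
    flags interval
    # Placeholder values (RFC 1918 ranges) - replace with your own networks.
    elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
  }

  chain input {
    type filter hook input priority 0; policy drop;

    # established/related connections
    ct state established,related accept;

    # packets conntrack cannot classify are dropped here, before any of the
    # port-based accepts below could match them
    ct state invalid drop;

    # loopback interface
    iifname lo accept;

    # icmp (ping)
    icmp type echo-request accept;

    # icmpv6: the inet family filters IPv6 too; with a drop policy the host
    # loses neighbour discovery (and IPv6 ping) unless these types are allowed
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, echo-request } accept;

    # open sshd (22) for internal networks only
    tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"
    #tcp dport { ssh } accept comment "accept SSH from all networks"

    # open tcp ports: http (80), https (443)
    tcp dport { http, https } accept;

    # open udp ports: domain (53), openvpn (1194)
    udp dport { domain, openvpn } accept;

    # mail ports: pop3 (110), imap2 (143), submission (SMTP/587), smtp (25)
    tcp dport { pop3, imap2, submission, smtp } accept;
    # NOTE(review): IMAP runs over TCP; this UDP rule most likely matches nothing - confirm it is needed
    udp dport { imap2 } accept;

    # mysql (3306)
    # raw transport-header match (offset 16, 16 bits = destination port) so
    # one rule covers tcp and udp
    meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";

    # everything else falls to the drop policy; count it for troubleshooting
    counter comment "count dropped packets"
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
    counter comment "count dropped packets"
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}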

Server Firewall Testing

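#!/usr/sbin/nft -f
# Router ruleset under test: wlan0 side is forwarded to eth0 and masqueraded
# behind eth0's address; replies are allowed back by conntrack state.
# (Closing braces restored - the original listing had none and would not load.)

# Start from an empty ruleset so this file is authoritative.
flush ruleset

table inet filter {
  # Source networks that may reach SSH and MySQL on the router itself.
  set internal_networks_ip4 {
    type ipv4_addr
    flags interval
    # Placeholder values (RFC 1918 ranges) - replace with your own networks.
    elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
  }

  chain input {
    type filter hook input priority 0; policy drop;

    # established/related connections
    ct state established,related accept;

    # packets conntrack cannot classify are dropped before the port-based
    # accepts below can match them
    ct state invalid drop;

    # loopback interface
    iifname lo accept;

    # icmp (ping)
    icmp type echo-request accept;

    # icmpv6: the inet family filters IPv6 too; a drop policy without these
    # types breaks neighbour discovery on the router
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, echo-request } accept;

    # open sshd (22) for internal networks only
    tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"

    # open tcp ports: http (80), https (443)
    tcp dport { http, https } accept;

    # open udp ports: domain (53), openvpn (1194)
    # NOTE(review): these are accepted on every interface, i.e. also on eth0
    # (the masqueraded uplink); prefix with iifname "wlan0" if the services
    # are meant for the wlan0 side only
    udp dport { domain, openvpn } accept;

    # mysql (3306)
    # raw transport-header match (offset 16, 16 bits = destination port)
    meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";

    #iifname "wlan0" accept;
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
    #type filter hook forward priority 0; policy accept;
    # wlan0 -> eth0: anything may go out; eth0 -> wlan0: only replies
    iifname "wlan0" oifname "eth0" accept;
    iifname "eth0" oifname "wlan0" ct state related,established accept;
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}

table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
  }

  # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    #ip saddr oifname "eth0" masquerade
    oifname "eth0" masquerade;
  }
}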

Test Server ( / Firewall

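#!/usr/sbin/nft -f
# Router ruleset: internal networks are forwarded and masqueraded behind
# wlan0 (uplink) and tun0 (VPN); the router also serves DHCP on eth0.
# (Closing braces restored - the original listing had none and would not load.)

# Start from an empty ruleset so this file is authoritative.
flush ruleset

table inet filter {
  # Networks that may be forwarded and that may reach SSH/MySQL on the router.
  set internal_networks_ip4 {
    type ipv4_addr
    flags interval
    # Placeholder values (RFC 1918 ranges) - replace with your own networks.
    elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
  }

  chain input {
    type filter hook input priority 0; policy drop;
    #type filter hook input priority 0; policy accept;

    # established/related connections
    ct state established,related accept;

    # packets conntrack cannot classify are dropped before the port-based
    # accepts below can match them
    ct state invalid drop;

    # loopback interface
    iifname lo accept;

    # icmp (ping)
    iifname "wlan0" icmp type echo-request accept;
    # example address - replace with the eth0 address(es) that should answer ping
    iifname "eth0" ip daddr { 192.168.1.1 } icmp type echo-request accept;

    # icmpv6: the inet family filters IPv6 too; a drop policy without these
    # types breaks neighbour discovery on the router
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, echo-request } accept;

    # open sshd (22) for internal networks only
    tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"

    # open tcp ports: http (80), https (443)
    tcp dport { http, https } accept;

    # open udp ports: domain (53), openvpn (1194)
    udp dport { domain, openvpn } accept;

    # dhcp ports: bootps (67)
    udp dport { bootps } accept;

    # mysql (3306)
    # raw transport-header match (offset 16, 16 bits = destination port)
    meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
    #type filter hook forward priority 0; policy accept;
    # replies to masqueraded connections come back with an external source
    # address; without this rule the drop policy would discard them and no
    # outbound connection from the internal networks could complete
    ct state established,related accept;
    ip saddr @internal_networks_ip4 accept;
  }

  chain output {
    type filter hook output priority 100; policy accept;
  }
}

table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
  }

  # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "wlan0" masquerade;
    oifname "tun0" masquerade;
  }
}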



Wichtig ist, IP-Forwarding zu aktivieren – siehe dazu Netzwerk einrichten.

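# firewall
# Generic LAN/WAN router skeleton with interface names lan0 and wan0.
# (Closing braces restored - the original listing had none and would not load.)
table ip filter {
  # allow all packets sent by the firewall machine itself
  chain output {
    type filter hook output priority 100; policy accept;
  }

  # allow LAN to firewall, disallow WAN to firewall
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "lan0" accept
    # replies to connections the firewall itself opened (DNS, updates, ...)
    # arrive on wan0 and must be accepted before the blanket wan0 drop
    iifname "wan0" ct state related,established accept
    iifname "wan0" drop
  }

  # allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
  chain forward {
    type filter hook forward priority 0; policy drop;
    iifname "lan0" oifname "wan0" accept
    iifname "wan0" oifname "lan0" ct state related,established accept
  }
}

table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
  }

  # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "wan0" masquerade
  }
}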


Routing Temp

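#!/usr/sbin/nft -f
# Temporary routing ruleset: input and forward both use policy accept and
# every drop rule is commented out, so this only does NAT and port
# redirection - it does not filter anything.
# (Closing braces restored - the original listing had none and would not load.)

# Start from an empty ruleset so this file is authoritative.
flush ruleset

# firewall
table ip filter {
  # allow all packets sent by the firewall machine itself
  chain output {
    type filter hook output priority 100; policy accept;
  }

  # allow LAN to firewall, disallow WAN to firewall
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "eth0" accept
#    iifname "wlan0" drop
    iifname "wlan0" accept
  }

  # allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
  chain forward {
#    type filter hook forward priority 0; policy drop;
    type filter hook forward priority 0; policy accept;
#    iifname "eth0" oifname "wlan0" accept
#    iifname "wlan0" oifname "eth0" ct state related,established accept
  }
}

table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;

    # redirect port 81 to port 80 on a LAN host
    # (192.168.1.10 is an example - replace with the host that serves port 80)
    iif wlan0 tcp dport 81 dnat to 192.168.1.10:80;
  }

  # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "wlan0" masquerade
  }
}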


# Print the rules currently loaded in the inet filter table to verify the result.
sudo nft list table inet filter


To check

Zurück zu Ubuntu