nftables le nouveau firewall Linux

nftables est le nouveau firewall Linux qui va remplacer iptables/Netfilter, voici mes notes personnelles testées sous Debian.

Configuration

Informations générales

root@host:~# systemctl enable nftables.service
root@host:~# /etc/nftables.conf
root@host:~# nft -f /etc/nftables.conf

Les Tables

root@host:~# nft add table inet filter
root@host:~# nft list tables
root@host:~# nft delete table inet filter
root@host:~# nft flush table inet filter

Les Chaînes

root@host:~# nft add chain inet filter INPUT { type filter hook input priority 0\; }
root@host:~# nft add chain inet filter FORWARD { type filter hook forward priority 0\; policy drop\; }
root@host:~# nft add chain inet filter OUTPUT { type filter hook output priority 0\; policy drop\; }

Les Règles

Création

root@host:~# nft add rule inet filter INPUT counter accept
root@host:~# nft add rule inet filter INPUT tcp dport 22 counter
root@host:~# nft add rule inet filter INPUT tcp dport {80, 443} ct state new,established counter accept

Suppression

root@host:~# nft -n -a list ruleset
root@host:~# nft delete rule ip filter INPUT handle 38

Remplacer

root@host:~# nft -n -a list ruleset
root@host:~# nft replace rule ip filter INPUT handle 38 iifname "eth0" ip saddr 192.168.1.12 counter drop

Insert

root@host:~# nft -n -a list ruleset
root@host:~# nft insert rule ip filter INPUT position 17 iifname "eth0" ip saddr { 192.168.1.11, 192.168.1.68, 192.168.1.118 } counter drop

Exemple de configuration

/etc/nftables.conf

Un exemple de fichier de configuration que j'utilise pour un serveur smtp.

# ----- IPv4 -----
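table ip filter {
        # Loaded with "nft -f": the file is applied as one atomic transaction,
        # so a single syntax/lookup error rejects the whole file and leaves no
        # rules at all. Re-loading it without a preceding "flush ruleset"
        # appends every rule a second time (duplicates), since tables/chains
        # that already exist are reused rather than replaced.
        chain INPUT {
                type filter hook input priority 0; policy drop; #by default, we drop traffic

                iif lo accept comment "Accept any localhost traffic"
                ct state invalid counter drop comment "Drop invalid connections"
                ct state { established, related } counter accept comment "Accept traffic originated from us"
                # Anti-spoofing: loopback destinations are only legitimate when
                # they arrive on lo itself.
                iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"

                # echo-request is not in this set, so inbound ping falls through
                # to the final "counter drop"; add it here if the host must
                # answer ping.
                ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept comment "Accept ICMP"

                # iifname matches by interface name; iif matches by interface
                # index and is resolved when the rule is added, so with iif the
                # load fails if eth0 does not exist yet (e.g. early at boot) and,
                # per the atomic load above, the host would come up with no
                # ruleset. iifname is also what the "nft replace/insert" examples
                # on this page use.
                iifname "eth0" ip saddr 10.0.0.10 tcp dport ssh counter accept comment "Accept ssh from 10.0.0.10"
                # 465 = smtps/submissions, 143 = imap, 993 = imaps.
                tcp dport { http, https, smtp, 465, 143, 993 } counter accept comment "Accept http, https, imap, imaps, smtp protocols"
                counter drop #count and drop
        }
        chain FORWARD {
                # Nothing is forwarded; the counter only measures what the
                # drop policy discards.
                type filter hook forward priority 0; policy drop;
                counter comment "count dropped packets"
        }
        chain OUTPUT {
                # Outbound traffic is unrestricted.
                type filter hook output priority 0; policy accept;
        }
}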

# ----- IPv6 -----
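table ip6 filter {
        # IPv6 counterpart of the ip table above: default-deny on INPUT,
        # nothing forwarded, OUTPUT open.
        chain INPUT {
                type filter hook input priority 0; policy drop; #by default, we drop traffic

                iif lo accept comment "Accept any localhost traffic"
                # Anti-spoofing: ::1 is only legitimate on lo itself.
                iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
                ct state invalid drop comment "Drop invalid connections"
                ct state established,related accept comment "Accept traffic originated from us"

                # Neighbor Discovery (nd-*) and MLD (mld*) are required for IPv6
                # address resolution and multicast group membership; dropping
                # them breaks IPv6 connectivity. echo-request is not in the set,
                # so inbound ping6 falls through to the final "counter drop".
                ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept comment "Accept ICMPv6"
                # Kept disabled: "ip protocol" is an IPv4-header match and does
                # not belong in an ip6 table; IPv6 group membership is handled by
                # the MLD types accepted above.
                #ip protocol igmp accept comment "Accept IGMP"

                # No ssh over IPv6: unlike the ip table, only mail ports are open.
                # 465 = smtps/submissions, 143 = imap, 993 = imaps.
                tcp dport { smtp, 465, 143, 993 } counter accept comment "Accept imap, imaps, smtp"
                counter drop #count and drop
        }
        chain FORWARD {
                # Nothing is forwarded; the counter only measures what the
                # drop policy discards.
                type filter hook forward priority 0; policy drop;
                counter comment "count dropped packets"
        }
        chain OUTPUT {
                # accept is already the default policy when none is given;
                # stated explicitly to match the ip table and avoid a reader
                # assuming outbound IPv6 is filtered.
                type filter hook output priority 0; policy accept;
        }
}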
Licence Creative Commons
This website http://shebangthedolphins.net is licensed to the public under a Creative Commons Attribution licence.