nftables: the main commands of the new Linux firewall

nftables is the new Linux kernel firewall that replaces iptables (both are front-ends to the Netfilter framework); here are my personal notes, tested on Debian.

Configuration

General information

root@host:~# systemctl enable nftables.service
Ruleset file loaded at boot by nftables.service: /etc/nftables.conf
root@host:~# nft -f /etc/nftables.conf

Tables

root@host:~# nft add table inet filter
root@host:~# nft list tables
root@host:~# nft delete table inet filter
root@host:~# nft flush table inet filter

Chains

root@host:~# nft add chain inet <table name> <chain name>
root@host:~# nft list chains
root@host:~# nft delete chain inet <table name> <chain name>
root@host:~# nft add chain inet filter INPUT { type filter hook input priority 0\; }
root@host:~# nft add chain inet filter FORWARD { type filter hook forward priority 0\; policy drop\; }
root@host:~# nft add chain inet filter OUTPUT { type filter hook output priority 0\; policy drop\; }
root@host:~# nft add chain inet filter my_masquerade '{ type nat hook postrouting priority 100; }'
root@host:~# nft add chain inet filter my_prerouting '{ type nat hook prerouting priority -100; }'

Rules

Creation

root@host:~# nft add rule inet filter INPUT counter accept
root@host:~# nft add rule inet filter INPUT tcp dport 22 counter
root@host:~# nft add rule inet filter INPUT tcp dport {80, 443} ct state new,established counter accept

Deletion

root@host:~# nft -n -a list ruleset
root@host:~# nft delete rule inet filter INPUT handle 38

Replace

root@host:~# nft -n -a list ruleset
root@host:~# nft replace rule inet filter INPUT handle 38 iifname "eth0" ip saddr 192.168.1.12 counter drop

Insert

root@host:~# nft -n -a list ruleset
root@host:~# nft insert rule inet filter INPUT position 17 iifname "eth0" ip saddr { 192.168.1.11, 192.168.1.68, 192.168.1.118 } counter drop

NAT

Creating the table

root@host:~# nft add table ip NAT

Creating the chains

root@host:~# nft add chain ip NAT my_masquerade '{ type nat hook postrouting priority 100; }'
root@host:~# nft add chain ip NAT my_prerouting '{ type nat hook prerouting priority -100; }'

Masquerading rule

root@host:~# nft add rule ip NAT my_masquerade ip daddr != { 192.168.0.0/16 } oifname <interface> masquerade

Prerouting rule

root@host:~# nft add rule ip NAT my_prerouting iifname <interface> tcp dport { https } dnat to 192.168.1.10 comment \"Web Server\"
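
As an added example that is not part of the original notes, here is a complete /etc/nftables.conf that assembles the commands above (stateful filter table plus NAT table) into one file loadable with nft -f. The interface names (eth0 = WAN, eth1 = LAN) and the web server address 192.168.1.10 are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: eth0 = WAN and eth1 = LAN are assumed interface names.
flush ruleset

table inet filter {
    chain INPUT {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related counter accept
        ct state invalid drop
        # SSH only from the LAN side; HTTP/HTTPS from anywhere
        iifname "eth1" tcp dport 22 ct state new counter accept
        tcp dport { 80, 443 } ct state new counter accept
        counter drop   # count what the chain policy drops anyway
    }
    chain FORWARD {
        type filter hook forward priority 0; policy drop;
        ct state established,related counter accept
        # LAN -> WAN
        iifname "eth1" oifname "eth0" counter accept
        # WAN -> the DNAT target defined in the NAT table below
        iifname "eth0" oifname "eth1" ip daddr 192.168.1.10 tcp dport 443 ct state new counter accept
    }
    chain OUTPUT {
        # The notes use policy drop here; that then needs explicit accept rules for
        # the host's own traffic (DNS, NTP, package updates), so accept is kept.
        type filter hook output priority 0; policy accept;
    }
}

table ip NAT {
    chain my_prerouting {
        type nat hook prerouting priority -100;
        iifname "eth0" tcp dport { https } dnat to 192.168.1.10 comment "Web Server"
    }
    chain my_masquerade {
        type nat hook postrouting priority 100;
        ip daddr != { 192.168.0.0/16 } oifname "eth0" masquerade
    }
}
```

Validate the syntax first with nft -c -f /etc/nftables.conf (check only, nothing is applied), and since INPUT defaults to drop, load it from a console or keep an established SSH session open so you are not locked out.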

Creative Commons licence

This website http://shebangthedolphins.net is licensed to the public under a Creative Commons Attribution licence.