logo rss
Informatique
Accueil
Tutos
Zik
Le groupe
mp3
Autres
Liens
UK Flag En

Mes exemples de fichiers de configuration nftables

Netfilter logo

nftables est le nouvel outil pour gérer le firewall du noyau Linux : Netfilter, il est amené à remplacer iptables. Je poste ici des exemples de configuration sur lesquels je m'appuie.

Configuration

  • OS : Debian 12
  • nftables : 1.0.6

Informations générales

  • Activer le service nftables au démarrage avec la commande systemctl:
root@host:~# systemctl enable nftables.service
  • Fichier de configuration nftables:
root@host:~# /etc/nftables.conf
  • Charger le fichier nftables:
root@host:~# nft -f /etc/nftables.conf
  • Afficher les règles courantes:
root@host:~# nft list ruleset
  • Effacer les règles:
root@host:~# nft flush ruleset
  • Notes :
    • inet inclus les adresses ipv4 et ipv6. On peut utiliser les mots ip pour les adresses ipv4 ou ipv6 pour les adresses ipv6.
    • iif pour input interface et oif pour output interface.
    • La règle log prefix "NFTABLES LOG : " permet de tracer le trafic la traversant dans /var/log/syslog.

SMTP Server

Un fichier de configuration pour un serveur smtp.

#!/usr/sbin/nft -f flush ruleset # ----- IPv4 ----- table ip filter { chain INPUT { type filter hook input priority 0; policy drop; #by default, we drop traffic iif lo accept comment "Accept any localhost traffic" ct state invalid counter drop comment "Drop invalid connections" ct state { established, related } counter accept comment "Accept traffic originated from us" iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback" ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept comment "Accept ICMP" iif eth0 ip saddr 10.0.0.10 tcp dport ssh ct state { new, related, established } counter accept comment "Accept ssh from 10.0.0.10" tcp dport { smtp, 465, 143, 993 } ct state { new, related, established } counter accept comment "Accept imap, imaps, smtp protocols" log prefix "INPUT : " #trace dropped traffic (use journalctl --grep=INPUT") counter drop #count and drop } chain FORWARD { type filter hook forward priority 0; policy drop; counter comment "count dropped packets" } chain OUTPUT { type filter hook output priority 0; policy accept; } } # ----- IPv6 ----- table ip6 filter { chain INPUT { type filter hook input priority 0; policy drop; #by default, we drop traffic iif lo accept comment "Accept any localhost traffic" iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback" ct state invalid drop comment "Drop invalid connections" ct state { established, related } accept comment "Accept traffic originated from us" ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept comment "Accept ICMPv6" #ip protocol igmp accept comment "Accept IGMP" tcp dport { smtp, 465, 143, 993 } ct state { new, related, established } counter accept comment "Accept imap, imaps, smtp" counter drop #count and drop } chain FORWARD { type filter hook forward priority 0; policy drop; counter comment "count dropped packets" } chain OUTPUT { type filter hook output priority 0; } }

Routeur

Un fichier de configuration pour un routeur.

#!/usr/sbin/nft -f flush ruleset table ip my_nat { chain my_masquerade { type nat hook postrouting priority 100; policy accept; ip daddr != { 192.168.0.0/16 } oifname "wan" masquerade comment "outgoing NAT" } chain my_prerouting { type nat hook prerouting priority -100; policy accept; iifname "wan" tcp dport { http, https } dnat to 192.168.10.250 comment "Web Redirect" iifname "wan" udp dport 9994 dnat to 192.168.10.251:1194 comment "OpenVPN Redirect" } } table inet filter { chain input { type filter hook input priority 0; policy drop; iif "lo" accept ct state { related, established} accept ct state invalid drop meta l4proto icmp accept ip saddr 192.168.0.0/16 tcp dport { auth, domain, ssh } ct state { new, related, established } accept comment "dns, ntp, ssh" ip saddr 192.168.0.0/16 udp dport { auth, domain } ct state { new, related, established } accept comment "dns, ntp" iifname "wan" jump input_wan iifname "lan" jump input_lan log prefix "INPUT : " #trace dropped traffic (use journalctl --grep=INPUT") } chain input_wan { ip saddr { 46.105.57.169 } tcp dport ssh accept comment "allow external SSH" } chain input_lan { tcp dport ssh accept } chain forward { type filter hook forward priority 0; policy drop; #by default, we drop traffic ct state { related, established } accept ct state invalid drop ip saddr 192.168.0.0/16 tcp dport { http, https } accept comment "accept WEB" iifname { "lan" } oifname "wan" udp dport { domain, ntp } accept comment "DNS" ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 icmp type { echo-reply, echo-request} accept comment "allow icmp" } chain output { type filter hook output priority 0; policy accept; } }
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Contact :

adresse mail de contact