nftables wiki - User contributions [en]

Simple ruleset for a home router

2021-12-08T22:53:28Z

Hauptmann: Pages using deprecated source tags

The following example rulesets have been tested with Linux kernel 4.19 and nftables 1.0.0.

Before you configure your ruleset policy, do not forget to:

<syntaxhighlight lang="bash">
echo 1 > /proc/sys/net/ipv4/ip_forward
</syntaxhighlight>

to enable IPv4 forwarding in your router or enable it through /etc/sysctl.conf for persistency

= Simple router using ppp interface =

This example shows the configuration of an IPv4-only home router using a ppp interface to go out to the Internet.

<syntaxhighlight lang="bash">
flush ruleset

define DEV_PRIVATE = eth1
define DEV_WORLD = ppp0
define NET_PRIVATE = 192.168.0.0/16

table ip global {

chain inbound_world {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second accept

# allow SSH connections from some well-known internet host
ip saddr 81.209.165.42 tcp dport ssh accept
}

chain inbound_private {
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept

# allow DHCP, DNS and SSH from the private network
ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}
}

chain inbound {
type filter hook input priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# allow loopback traffic, anything else jump to chain for further evaluation
iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_PRIVATE : jump inbound_private }

# the rest is dropped by the above policy
}

chain forward {
type filter hook forward priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# connections from the internal net to the internet or to other
# internal nets are allowed
iifname $DEV_PRIVATE accept

# the rest is dropped by the above policy
}

chain postrouting {
type nat hook postrouting priority 100; policy accept;

# masquerade private IP addresses
ip saddr $NET_PRIVATE oifname $DEV_WORLD masquerade
}
}
</syntaxhighlight>

= Router with LAN and WLAN segments using VLAN interface to the Internet =

A similar example with a Wireless LAN network segment and using a VLAN device to go out to the Internet

<syntaxhighlight lang="bash">
flush ruleset

define DEV_LAN = eth1
define DEV_WLAN = wlan0
define DEV_WORLD = eth0.20
# LAN is 192.168.2.0/24 and WLAN is 192.168.3.0/24, hence 192.168.2.0/23 contains both network segments
define NET_PRIVATE = 192.168.2.0/23

table ip global {
chain inbound_world {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second accept

# allow SSH connections from some well-known internet host
ip saddr 81.209.165.42 tcp dport 22 accept
}

chain inbound_private_lan {
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept

# allow DHCP, DNS and SSH from the wired private network
ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}
}

chain inbound_private_wlan {
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept

# allow DHCP and DNS from the private wireless network
ip protocol . th dport vmap { udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}
}

chain inbound {
type filter hook input priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# allow loopback traffic, anything else jump to chain for further evaluation
iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_LAN : jump inbound_private_lan, $DEV_WLAN : jump inbound_private_wlan }

# the rest is dropped by the above policy
}

chain forward {
type filter hook forward priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# connections from the internal net to the internet: wlan to lan and lan to wlan not allowed
meta iifname . meta oifname { $DEV_LAN . $DEV_WORLD, $DEV_WLAN . $DEV_WORLD, $DEV_WORLD . $DEV_LAN, $DEV_WORLD . $DEV_WLAN } accept

# the rest is dropped by the above policy
}

chain postrouting {
type nat hook postrouting priority 100; policy accept;

# masquerade private IP addresses
ip saddr $NET_PRIVATE meta oifname $DEV_WORLD counter masquerade
}
}
</syntaxhighlight>

Simple ruleset for a server

2021-12-08T22:52:23Z

Hauptmann: Pages using deprecated source tags

Here's a very basic example for a web server, you can load the ruleset file with ''nft -f''.

= nftables.conf =

<syntaxhighlight lang="bash">
flush ruleset

table inet firewall {

chain inbound_ipv4 {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second accept
}

chain inbound_ipv6 {
# accept neighbour discovery otherwise connectivity breaks
#
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

# accepting ping (icmpv6-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmpv6 type echo-request limit rate 5/second accept
}

chain inbound {

# By default, drop all traffic unless it meets a filter
# criteria specified by the rules that follow below.
type filter hook input priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# Allow loopback traffic.
iifname lo accept

# Jump to chain according to layer 3 protocol using a verdict map
meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }

# Allow SSH on port TCP/22 and allow HTTP(S) TCP/80 and TCP/443
# for IPv4 and IPv6.
tcp dport { 22, 80, 443} accept

# Uncomment to enable logging of denied inbound traffic
# log prefix "[nftables] Inbound Denied: " counter drop
}

chain forward {
# Drop everything (assumes this device is not a router)
type filter hook forward priority 0; policy drop;
}

# no need to define output chain, default policy is accept if undefined.
</syntaxhighlight>

Simple ruleset for a workstation

2021-12-08T22:51:34Z

Hauptmann: Pages using deprecated source tags

A very simple set of rules that allows you to initiate communications from your workstation to the Internet but restricts any communication initiation to your workstation (that was not initiated by you).

You can load this file with nft -f.

= fw.basic =

For IPv4 only workstation.

<syntaxhighlight lang="bash">
flush ruleset

table ip filter {
chain input {
type filter hook input priority 0; policy drop;

# accept traffic originated from us
ct state established,related accept

# accept any localhost traffic
iif lo accept
}
}
</syntaxhighlight>

= fw6.basic =

For IPv6 only workstation.

<syntaxhighlight lang="bash">
flush ruleset

table ip6 filter {
chain input {
type filter hook input priority 0; policy drop;

# accept any localhost traffic
iif lo accept

# accept traffic originated from us
ct state established,related accept

# accept neighbour discovery otherwise connectivity breaks
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
}
}
</syntaxhighlight>

= fw.inet.basic =

For dual-stack IPv4/IPv6 workstation.

<syntaxhighlight lang="bash">
flush ruleset

table inet filter {
chain input {
type filter hook input priority 0; policy drop;

# accept any localhost traffic
iif lo accept

# accept traffic originated from us
ct state established,related accept

# accept neighbour discovery otherwise IPv6 connectivity breaks
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

}
}
</syntaxhighlight>

Simple ruleset for a home router

2021-12-08T22:45:43Z

Hauptmann: /* Router with LAN and WLAN segments using VLAN interface to the Internet */ counter is dup

The following example rulesets have been tested with Linux kernel 4.19 and nftables 1.0.0.

Before you configure your ruleset policy, do not forget to:

<source lang="bash">
echo 1 > /proc/sys/net/ipv4/ip_forward
</source>

to enable IPv4 forwarding in your router or enable it through /etc/sysctl.conf for persistency

= Simple router using ppp interface =

This example shows the configuration of an IPv4-only home router using a ppp interface to go out to the Internet.

<source lang="bash">
flush ruleset

define DEV_PRIVATE = eth1
define DEV_WORLD = ppp0
define NET_PRIVATE = 192.168.0.0/16

table ip global {

chain inbound_world {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second accept

# allow SSH connections from some well-known internet host
ip saddr 81.209.165.42 tcp dport ssh accept
}

chain inbound_private {
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept

# allow DHCP, DNS and SSH from the private network
ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}
}

chain inbound {
type filter hook input priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# allow loopback traffic, anything else jump to chain for further evaluation
iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_PRIVATE : jump inbound_private }

# the rest is dropped by the above policy
}

chain forward {
type filter hook forward priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# connections from the internal net to the internet or to other
# internal nets are allowed
iifname $DEV_PRIVATE accept

# the rest is dropped by the above policy
}

chain postrouting {
type nat hook postrouting priority 100; policy accept;

# masquerade private IP addresses
ip saddr $NET_PRIVATE oifname $DEV_WORLD masquerade
}
}
</source>

= Router with LAN and WLAN segments using VLAN interface to the Internet =

A similar example with a Wireless LAN network segment and using a VLAN device to go out to the Internet

<source lang="bash">
flush ruleset

define DEV_LAN = eth1
define DEV_WLAN = wlan0
define DEV_WORLD = eth0.20
# LAN is 192.168.2.0/24 and WLAN is 192.168.3.0/24, hence 192.168.2.0/23 contains both network segments
define NET_PRIVATE = 192.168.2.0/23

table ip global {
chain inbound_world {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second accept

# allow SSH connections from some well-known internet host
ip saddr 81.209.165.42 tcp dport 22 accept
}

chain inbound_private_lan {
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept

# allow DHCP, DNS and SSH from the wired private network
ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}
}

chain inbound_private_wlan {
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept

# allow DHCP and DNS from the private wireless network
ip protocol . th dport vmap { udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}
}

chain inbound {
type filter hook input priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# allow loopback traffic, anything else jump to chain for further evaluation
iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_LAN : jump inbound_private_lan, $DEV_WLAN : jump inbound_private_wlan }

# the rest is dropped by the above policy
}

chain forward {
type filter hook forward priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# connections from the internal net to the internet: wlan to lan and lan to wlan not allowed
meta iifname . meta oifname { $DEV_LAN . $DEV_WORLD, $DEV_WLAN . $DEV_WORLD, $DEV_WORLD . $DEV_LAN, $DEV_WORLD . $DEV_WLAN } accept

# the rest is dropped by the above policy
}

chain postrouting {
type nat hook postrouting priority 100; policy accept;

# masquerade private IP addresses
ip saddr $NET_PRIVATE meta oifname $DEV_WORLD counter masquerade
}
}
</source>

Simple ruleset for a home router

2021-09-06T21:36:08Z

Hauptmann: getestet mit Kernel 4.19 und nftables 1.0.0

The following example rulesets have been tested with Linux kernel 4.19 and nftables 1.0.0.

Before you configure your ruleset policy, do not forget to:

<source lang="bash">
echo 1 > /proc/sys/net/ipv4/ip_forward
</source>

to enable IPv4 forwarding in your router or enable it through /etc/sysctl.conf for persistency

= Simple router using ppp interface =

This example shows the configuration of an IPv4-only home router using a ppp interface to go out to the Internet.

<source lang="bash">
flush ruleset

define DEV_PRIVATE = eth1
define DEV_WORLD = ppp0
define NET_PRIVATE = 192.168.0.0/16

table ip global {

chain inbound_world {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second accept

# allow SSH connections from some well-known internet host
ip saddr 81.209.165.42 tcp dport ssh accept
}

chain inbound_private {
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept

# allow DHCP, DNS and SSH from the private network
ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}
}

chain inbound {
type filter hook input priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# allow loopback traffic, anything else jump to chain for further evaluation
iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_PRIVATE : jump inbound_private }

# the rest is dropped by the above policy
}

chain forward {
type filter hook forward priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# connections from the internal net to the internet or to other
# internal nets are allowed
iifname $DEV_PRIVATE accept

# the rest is dropped by the above policy
}

chain postrouting {
type nat hook postrouting priority 100; policy accept;

# masquerade private IP addresses
ip saddr $NET_PRIVATE oifname $DEV_WORLD masquerade
}
}
</source>

= Router with LAN and WLAN segments using VLAN interface to the Internet =

A similar example with a Wireless LAN network segment and using a VLAN device to go out to the Internet

<source lang="bash">
flush ruleset

define DEV_LAN = eth1
define DEV_WLAN = wlan0
define DEV_WORLD = eth0.20
# LAN is 192.168.2.0/24 and WLAN is 192.168.3.0/24, hence 192.168.2.0/23 contains both network segments
define NET_PRIVATE = 192.168.2.0/23

table ip global {
chain inbound_world {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second accept

# allow SSH connections from some well-known internet host
ip saddr 81.209.165.42 tcp dport 22 accept
}

chain inbound_private_lan {
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept

# allow DHCP, DNS and SSH from the wired private network
ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}
}

chain inbound_private_wlan {
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept

# allow DHCP and DNS from the private wireless network
ip protocol . th dport vmap { udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}
}

chain inbound {
type filter hook input priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# allow loopback traffic, anything else jump to chain for further evaluation
iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_LAN : jump inbound_private_lan, $DEV_WLAN : jump inbound_private_wlan }

# the rest is dropped by the above policy
}

chain forward {
type filter hook forward priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# connections from the internal net to the internet: wlan to lan and lan to wlan not allowed
meta iifname . meta oifname { $DEV_LAN . $DEV_WORLD, $DEV_WLAN . $DEV_WORLD, $DEV_WORLD . $DEV_LAN, $DEV_WORLD . $DEV_WLAN } accept

# the rest is dropped by the above policy
}

chain postrouting {
type nat hook postrouting priority 100; policy accept;

# masquerade private IP addresses
ip saddr $NET_PRIVATE counter oifname $DEV_WORLD counter masquerade
}
}
</source>

Simple ruleset for a home router

2021-09-06T21:32:34Z

Hauptmann: /* Router with LAN and WLAN segments using VLAN interface to the Internet */ ein Kommentar

Before you configure your ruleset policy, do not forget to:

<source lang="bash">
echo 1 > /proc/sys/net/ipv4/ip_forward
</source>

to enable IPv4 forwarding in your router or enable it through /etc/sysctl.conf for persistency

= Simple router using ppp interface =

This example shows the configuration of an IPv4-only home router using a ppp interface to go out to the Internet.

<source lang="bash">
flush ruleset

define DEV_PRIVATE = eth1
define DEV_WORLD = ppp0
define NET_PRIVATE = 192.168.0.0/16

table ip global {

chain inbound_world {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second accept

# allow SSH connections from some well-known internet host
ip saddr 81.209.165.42 tcp dport ssh accept
}

chain inbound_private {
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept

# allow DHCP, DNS and SSH from the private network
ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}
}

chain inbound {
type filter hook input priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# allow loopback traffic, anything else jump to chain for further evaluation
iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_PRIVATE : jump inbound_private }

# the rest is dropped by the above policy
}

chain forward {
type filter hook forward priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# connections from the internal net to the internet or to other
# internal nets are allowed
iifname $DEV_PRIVATE accept

# the rest is dropped by the above policy
}

chain postrouting {
type nat hook postrouting priority 100; policy accept;

# masquerade private IP addresses
ip saddr $NET_PRIVATE oifname $DEV_WORLD masquerade
}
}
</source>

= Router with LAN and WLAN segments using VLAN interface to the Internet =

A similar example with a Wireless LAN network segment and using a VLAN device to go out to the Internet

<source lang="bash">
flush ruleset

define DEV_LAN = eth1
define DEV_WLAN = wlan0
define DEV_WORLD = eth0.20
# LAN is 192.168.2.0/24 and WLAN is 192.168.3.0/24, hence 192.168.2.0/23 contains both network segments
define NET_PRIVATE = 192.168.2.0/23

table ip global {
chain inbound_world {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second accept

# allow SSH connections from some well-known internet host
ip saddr 81.209.165.42 tcp dport 22 accept
}

chain inbound_private_lan {
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept

# allow DHCP, DNS and SSH from the wired private network
ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}
}

chain inbound_private_wlan {
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept

# allow DHCP and DNS from the private wireless network
ip protocol . th dport vmap { udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}
}

chain inbound {
type filter hook input priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# allow loopback traffic, anything else jump to chain for further evaluation
iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_LAN : jump inbound_private_lan, $DEV_WLAN : jump inbound_private_wlan }

# the rest is dropped by the above policy
}

chain forward {
type filter hook forward priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# connections from the internal net to the internet: wlan to lan and lan to wlan not allowed
meta iifname . meta oifname { $DEV_LAN . $DEV_WORLD, $DEV_WLAN . $DEV_WORLD, $DEV_WORLD . $DEV_LAN, $DEV_WORLD . $DEV_WLAN } accept

# the rest is dropped by the above policy
}

chain postrouting {
type nat hook postrouting priority 100; policy accept;

# masquerade private IP addresses
ip saddr $NET_PRIVATE counter oifname $DEV_WORLD counter masquerade
}
}
</source>

Simple ruleset for a home router

2021-09-06T21:26:57Z

Hauptmann: add another example with WLAN

Before you configure your ruleset policy, do not forget to:

<source lang="bash">
echo 1 > /proc/sys/net/ipv4/ip_forward
</source>

to enable IPv4 forwarding in your router or enable it through /etc/sysctl.conf for persistency

= Simple router using ppp interface =

This example shows the configuration of an IPv4-only home router using a ppp interface to go out to the Internet.

<source lang="bash">
flush ruleset

define DEV_PRIVATE = eth1
define DEV_WORLD = ppp0
define NET_PRIVATE = 192.168.0.0/16

table ip global {

chain inbound_world {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second accept

# allow SSH connections from some well-known internet host
ip saddr 81.209.165.42 tcp dport ssh accept
}

chain inbound_private {
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept

# allow DHCP, DNS and SSH from the private network
ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}
}

chain inbound {
type filter hook input priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# allow loopback traffic, anything else jump to chain for further evaluation
iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_PRIVATE : jump inbound_private }

# the rest is dropped by the above policy
}

chain forward {
type filter hook forward priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# connections from the internal net to the internet or to other
# internal nets are allowed
iifname $DEV_PRIVATE accept

# the rest is dropped by the above policy
}

chain postrouting {
type nat hook postrouting priority 100; policy accept;

# masquerade private IP addresses
ip saddr $NET_PRIVATE oifname $DEV_WORLD masquerade
}
}
</source>

= Router with LAN and WLAN segments using VLAN interface to the Internet =

<source lang="bash">
flush ruleset

define DEV_LAN = eth1
define DEV_WLAN = wlan0
define DEV_WORLD = eth0.20
define NET_PRIVATE = 192.168.2.0/23

table ip global {
chain inbound_world {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second accept

# allow SSH connections from some well-known internet host
ip saddr 81.209.165.42 tcp dport 22 accept
}

chain inbound_private {
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept

# allow DHCP, DNS and SSH from the private network
ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}
}

chain inbound {
type filter hook input priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# allow loopback traffic, anything else jump to chain for further evaluation
iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_LAN : jump inbound_private, $DEV_WLAN : jump inbound_private }

# the rest is dropped by the above policy
}

chain forward {
type filter hook forward priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# connections from the internal net to the internet: wlan to lan and lan to wlan not allowed
meta iifname . meta oifname { $DEV_LAN . $DEV_WORLD, $DEV_WLAN . $DEV_WORLD, $DEV_WORLD . $DEV_LAN, $DEV_WORLD . $DEV_WLAN } accept

# the rest is dropped by the above policy
}

chain postrouting {
type nat hook postrouting priority 100; policy accept;

# masquerade private IP addresses
ip saddr $NET_PRIVATE counter oifname $DEV_WORLD counter masquerade
}
}
</source>

Simple ruleset for a server

2021-08-11T07:33:13Z

Hauptmann: remove burst, not required

Here's a very basic example for a web server, you can load the ruleset file with ''nft -f''.

= nftables.conf =

<source lang="bash">
flush ruleset

table inet firewall {

chain inbound_ipv4 {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second accept
}

chain inbound_ipv6 {
# accept neighbour discovery otherwise connectivity breaks
#
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

# accepting ping (icmpv6-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmpv6 type echo-request limit rate 5/second accept
}

chain inbound {

# By default, drop all traffic unless it meets a filter
# criteria specified by the rules that follow below.
type filter hook input priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# Allow loopback traffic.
iifname lo accept

# Jump to chain according to layer 3 protocol using a verdict map
meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }

# Allow SSH on port TCP/22 and allow HTTP(S) TCP/80 and TCP/443
# for IPv4 and IPv6.
tcp dport { 22, 80, 443} accept

# Uncomment to enable logging of denied inbound traffic
# log prefix "[nftables] Inbound Denied: " counter drop
}

chain forward {
# Drop everything (assumes this device is not a router)
type filter hook forward priority 0; policy drop;
}

# no need to define output chain, default policy is accept if undefined.
</source>

Simple ruleset for a home router

2021-08-11T06:40:53Z

Hauptmann: ip_forward sysctl

This example shows the configuration of an IPv4-only home router using a ppp interface to go out to the Internet.

<source lang="bash">
flush ruleset

define DEV_PRIVATE = eth1
define DEV_WORLD = ppp0
define NET_PRIVATE = 192.168.0.0/16

table ip filter {

chain inbound_world {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second accept

# allow SSH connections from some well-known internet host
ip saddr 81.209.165.42 tcp dport ssh accept
}

chain inbound_private {
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept

# allow DHCP, DNS and SSH from the private network
ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}
}

chain inbound {
type filter hook input priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# allow loopback traffic, anything else jump to chain for further evaluation
iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_PRIVATE : jump inbound_private }

# the rest is dropped by the above policy
}

chain forward {
type filter hook forward priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# connections from the internal net to the internet or to other
# internal nets are allowed
iifname $DEV_PRIVATE accept

# the rest is dropped by the above policy
}

chain postrouting {
type nat hook postrouting priority 100; policy accept;

# masquerade private IP addresses
ip saddr $NET_PRIVATE oifname $DEV_WORLD masquerade
}
}
</source>

Do not forget to:

<source lang="bash">
echo 1 > /proc/sys/net/ipv4/ip_forward
</source>

to enable IPv4 forwarding in your router or enable it through /etc/sysctl.conf for persistency

Simple ruleset for a home router

2021-08-11T06:38:18Z

Hauptmann: remove IPSec rules

Simple ruleset for a home router

2021-08-11T06:30:22Z

Hauptmann: dhcp

This example shows the configuration of an IPv4-only home router using a ppp interface to go out to the Internet.

<source lang="bash">
flush ruleset

define DEV_PRIVATE = eth1
define DEV_WORLD = ppp0
define NET_PRIVATE = 192.168.0.0/16

table ip filter {

chain inbound_world {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second accept

# allow IPSec
udp dport 500 accept
ip protocol { esp, ah } accept

# allow SSH connections from some well-known internet host
ip saddr 81.209.165.42 tcp dport ssh accept
}

chain inbound_private {
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept

# allow DHCP, DNS and SSH from the private network
ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}
}

chain inbound {
type filter hook input priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# allow loopback traffic, anything else jump to chain for further evaluation
iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_PRIVATE : jump inbound_private }

# the rest is dropped by the above policy
}

chain forward {
type filter hook forward priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# connections from the internal net to the internet or to other
# internal nets are allowed
iifname $DEV_PRIVATE accept

# the rest is dropped by the above policy
}

chain postrouting {
type nat hook postrouting priority 100; policy accept;

# masquerade private IP addresses
ip saddr $NET_PRIVATE oifname $DEV_WORLD masquerade
}
}
</source>

Simple ruleset for a home router

2021-08-11T06:26:27Z

Hauptmann: missing Klammer

This example shows the configuration of an IPv4-only home router using a ppp interface to go out to the Internet.

<source lang="bash">
flush ruleset

define DEV_PRIVATE = eth1
define DEV_WORLD = ppp0
define NET_PRIVATE = 192.168.0.0/16

table ip filter {

chain inbound_world {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second accept

# allow IPSec
udp dport 500 accept
ip protocol { esp, ah } accept

# allow SSH connections from some well-known internet host
ip saddr 81.209.165.42 tcp dport ssh accept
}

chain inbound_private {
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept

# allow SSH and DNS from the private network
ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept }
}

chain inbound {
type filter hook input priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# allow loopback traffic, anything else jump to chain for further evaluation
iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_PRIVATE : jump inbound_private }

# the rest is dropped by the above policy
}

chain forward {
type filter hook forward priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# connections from the internal net to the internet or to other
# internal nets are allowed
iifname $DEV_PRIVATE accept

# the rest is dropped by the above policy
}

chain postrouting {
type nat hook postrouting priority 100; policy accept;

# masquerade private IP addresses
ip saddr $NET_PRIVATE oifname $DEV_WORLD masquerade
}
}
</source>

Simple ruleset for a home router

2021-08-11T06:25:04Z

Hauptmann: update

This example shows the configuration of an IPv4-only home router using a ppp interface to go out to the Internet.

<source lang="bash">
flush ruleset

define DEV_PRIVATE = eth1
define DEV_WORLD = ppp0
define NET_PRIVATE = 192.168.0.0/16

table ip filter {

chain inbound_world {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second accept

# allow IPSec
udp dport 500 accept
ip protocol { esp, ah } accept

# allow SSH connections from some well-known internet host
ip saddr 81.209.165.42 tcp dport ssh accept
}

chain inbound_private {
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept

# allow SSH and DNS from the private network
ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept }
}

chain inbound {
type filter hook input priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# allow loopback traffic, anything else jump to chain for further evaluation
iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_PRIVATE : jump inbound_private }

# the rest is dropped by the above policy
}

chain forward {
type filter hook forward priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# connections from the internal net to the internet or to other
# internal nets are allowed
iifname $DEV_PRIVATE accept

# the rest is dropped by the above policy
}

chain postrouting {
type nat hook postrouting priority 100; policy accept;

# masquerade private IP addresses
ip saddr $NET_PRIVATE oifname $DEV_WORLD masquerade
}

</source>

Simple ruleset for a home router

2021-08-11T06:17:56Z

Hauptmann: example

<source lang="bash">
flush ruleset

define DEV_PRIVATE = eth1
define DEV_WORLD = ppp0
define NET_PRIVATE = 192.168.0.0/16

table ip filter {

chain inbound_world {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second burst 5 packets accept

# allow IPSec
udp dport 500 accept
ip protocol { esp, ah } accept

# allow SSH connections from the private network and from some
# well-known internet hosts
ip saddr 81.209.165.42 tcp dport ssh accept
}

chain inbound_private {
# allow SSH and DNS from the private network
ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept }
}

chain input {
type filter hook input priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# allow loopback traffic, anything else jump to chain for further evaluation
iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_PRIVATE : jump inbound_private }

# the rest is dropped by the above policy
}

chain forward {
type filter hook forward priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# connections from the internal net to the internet or to other
# internal nets are allowed
iifname $DEV_PRIVATE accept

# the rest is dropped by the above policy
}

chain postrouting {
type nat hook postrouting priority 100; policy accept;

# masquerade private IP addresses
ip saddr $NET_PRIVATE oifname $DEV_WORLD masquerade
}

</source>

Main Page

2021-08-11T06:15:17Z

Hauptmann: /* Examples */

Welcome to the ''nftables'' HOWTO documentation page. Here you will find documentation on how to build, install, configure and use nftables.

If you have any suggestion to improve it, please send your comments to Netfilter users mailing list <netfilter@vger.kernel.org>.

= [[News]] =

= Introduction =
* [[What is nftables?]]
* [[How to obtain help/support]]

= Reference =
* [https://www.netfilter.org/projects/nftables/manpage.html man nft - netfilter website]
* [https://www.mankier.com/8/nft man nft - mankier.com]
* [[Quick reference-nftables in 10 minutes|Quick reference, nftables in 10 minutes]]
* [[Netfilter hooks]] and nftables integration with existing Netfilter components
* [[nftables families|Understanding nftables families]]
* [[Data_types|Data types]]
* [[Connection_Tracking_System|Connection tracking system (conntrack)]], used for stateful firewalling and NAT
* [[Troubleshooting|Troubleshooting and FAQ]]
* [[Further_documentation|Additional documentation]]

= Installing nftables =
* [[nftables from distributions|Using nftables from distributions]]
* [[Building and installing nftables from sources]]

= Upgrading from xtables to nftables =
* [[Legacy xtables tools]]
* [[Moving from iptables to nftables]]
* [[Moving from ipset to nftables]]

= Basic operation =
* [[Configuring tables]]
* [[Configuring chains]]
* [[Simple rule management]]
* [[Atomic rule replacement]]
* [[Error reporting from the command line]]
* [[Building rules through expressions]]
* [[Operations at ruleset level]]
* [[Monitoring ruleset updates]]
* [[Scripting]]
* [[Ruleset debug/tracing]]
* [[Output text modifiers]]

= Expressions: Matching packets =
* [[Matching packet metainformation]]
* [[Matching packet headers]]
* [[Matching connection tracking stateful metainformation]]
* [[Matching routing information]]
* [[Rate limiting matchings]]

= Statements: Acting on packet matches =
* [[Accepting and dropping packets]]
* [[Rejecting traffic]]
* [[Jumping to chain]]
* [[Counters]]
* [[Logging traffic]]
* [[Performing Network Address Translation (NAT)]]
* [[Setting packet metainformation]]
* [[Setting packet connection tracking metainformation]]
* [[Mangling packet headers]] (including stateless NAT)
* [[Duplicating packets]]
* [[Load balancing]]
* [[Queueing to userspace]]

= Advanced data structures for performance packet classification =
* [[Intervals]]
* [[Concatenations]]
* [[Math operations]]
* [[Stateful objects]]
** [[Counters]]
** [[Quotas]]
** [[Limits]]
** [[Connlimits]] (''ct count'')
* Other objects
** [[Conntrack helpers]] (''ct helper'', Layer 7 ALG)
** [[Ct_timeout|Conntrack timeout policies]] (''ct timeout'')
** [[Ct_expectation|Conntrack expectations]] (''ct expectation'')
** [[Synproxy]]
** [[Secmark|Secmarks]]
* Generic set infrastructure
** [[Sets]]
** [[Element timeouts]]
** [[Updating sets from the packet path]]
** [[Maps]]
** [[Verdict_Maps_(vmaps) | Verdict maps]]
** [[Meters|Metering]] (formerly known as flow tables before nftables 0.8.1)
* [[Flowtables]] (the fastpath network stack bypass)

= Examples =
* [[Simple ruleset for a workstation]]
* [[Simple ruleset for a server]]
* [[Simple ruleset for a home router]]
* [[Bridge filtering]]
* [[Multiple NATs using nftables maps]]
* [[Classic perimetral firewall example]]
* [[Port knocking example]]
* [[Classification to tc structure example]]
* [[Using configuration management systems]] (like puppet, ansible, etc)
* [[GeoIP matching]]

= Development =

Check [[Portal:DeveloperDocs|Portal:DeveloperDocs - documentation for netfilter developers]].

Some hints on the general development progress:

* [[List of updates since Linux kernel 3.13]]
* [[List of updates in the nft command line tool]]
* [[Supported features compared to xtables|Supported features compared to {ip,ip6,eb,arp}tables]]
* [[List of available translations via iptables-translate tool]]

= External links =

Watch some videos:

* Watch [https://www.youtube.com/watch?v=FXTRRwXi3b4 Getting a grasp of nftables], thanks to [https://www.nluug.nl/index-en.html NLUUG association] for recording this.
* Watch [https://www.youtube.com/watch?v=CaYp0d2wiuU#t=1m47s The ultimate packet classifier for GNU/Linux], thanks to the FSFE for paying my trip to Barcelona and for recommending me as speaker to the KDE Spanish branch.
* [https://www.youtube.com/watch?v=Sy0JDX451ns Florian Westphal - Why nftables?]
* Watch [https://www.youtube.com/watch?v=0wQfSfDVN94 NLUUG - Goodbye iptables, Hello nftables]
* Watch [https://www.youtube.com/watch?v=Uf5ULkEWPL0 LCA2018 - nftables from a user perspective]

Watch videos to track updates:

* Watch [https://www.youtube.com/watch?v=qXVOA2MKA1s Netdev 2.1 - Netfilter mini-workshop (2017)]
* Watch [https://youtu.be/iCj10vEKPrw Netdev 2.2 - Netf‌ilter mini-workshop (2018)]
* Watch [https://youtu.be/0hqfzp6tpZo Netdev 0x12 - Netf‌ilter mini-workshop (2019)]
* Watch [https://www.youtube.com/watch?v=GqGGo4svj7s&feature=youtu.be Netdev 0x14 - Netfilter mini-Workshop (2020)]

Additional documentations and articles:

* Tutorial [https://zasdfgbnm.github.io/2017/09/07/Extending-nftables/ Extending nftables by Xiang Gao]
* Article [http://ral-arturo.org/2017/05/05/debian-stretch-stable-nftables.html New in Debian stable Stretch: nftables]
* Article [https://ral-arturo.org/2020/11/22/python-nftables-tutorial.html How to use nftables from python] and git repository [https://github.com/aborrero/python-nftables-tutorial python-nftables-tutorial.git]

= Thanks =

To the NLnet foundation for initial sponsorship of this HOWTO:

[https://nlnet.nl https://nlnet.nl/image/logo.gif]

To Eric Leblond, for boostrapping the [https://home.regit.org/netfilter-en/nftables-quick-howto/ Nftables quick howto] in 2013.

Simple ruleset for a server

2021-08-11T05:25:29Z

Hauptmann: /* nftables.conf */ no echo-request in neighbour discovery rule

Here's a very basic example for a web server, you can load the ruleset file with ''nft -f''.

= nftables.conf =

<source lang="bash">
flush ruleset

table inet firewall {

chain inbound_ipv4 {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second burst 5 packets accept
}

chain inbound_ipv6 {
# accept neighbour discovery otherwise connectivity breaks
#
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

# accepting ping (icmpv6-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmpv6 type echo-request limit rate 5/second burst 5 packets accept
}

chain inbound {

# By default, drop all traffic unless it meets a filter
# criteria specified by the rules that follow below.
type filter hook input priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# Allow loopback traffic.
iifname lo accept

# Jump to chain according to layer 3 protocol using a verdict map
meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }

# Allow SSH on port TCP/22 and allow HTTP(S) TCP/80 and TCP/443
# for IPv4 and IPv6.
tcp dport { 22, 80, 443} accept

# Uncomment to enable logging of denied inbound traffic
# log prefix "[nftables] Inbound Denied: " counter drop
}

chain forward {
# Drop everything (assumes this device is not a router)
type filter hook forward priority 0; policy drop;
}

# no need to define output chain, default policy is accept if undefined.
</source>

Simple ruleset for a server

2021-08-11T05:23:36Z

Hauptmann: update

Here's a very basic example for a web server, you can load the ruleset file with ''nft -f''.

= nftables.conf =

<source lang="bash">
flush ruleset

table inet firewall {

chain inbound_ipv4 {
# accepting ping (icmp-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second burst 5 packets accept
}

chain inbound_ipv6 {
# accept neighbour discovery otherwise connectivity breaks
#
icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

# accepting ping (icmpv6-echo-request) for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmpv6 type echo-request limit rate 5/second burst 5 packets accept
}

chain inbound {

# By default, drop all traffic unless it meets a filter
# criteria specified by the rules that follow below.
type filter hook input priority 0; policy drop;

# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }

# Allow loopback traffic.
iifname lo accept

# Jump to chain according to layer 3 protocol using a verdict map
meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }

# Allow SSH on port TCP/22 and allow HTTP(S) TCP/80 and TCP/443
# for IPv4 and IPv6.
tcp dport { 22, 80, 443} accept

# Uncomment to enable logging of denied inbound traffic
# log prefix "[nftables] Inbound Denied: " counter drop
}

chain forward {
# Drop everything (assumes this device is not a router)
type filter hook forward priority 0; policy drop;
}

# no need to define output chain, default policy is accept if undefined.
</source>

Simple ruleset for a workstation

2021-08-11T05:14:56Z

Hauptmann: add flush ruleset

A very simple set of rules that allows you to initiate communications from your workstation to the Internet but restricts any communication initiation to your workstation (that was not initiated by you).

You can load this file with nft -f.

= fw.basic =

For IPv4 only workstation.

<source lang="bash">
flush ruleset

table ip filter {
chain input {
type filter hook input priority 0; policy drop;

# accept traffic originated from us
ct state established,related accept

# accept any localhost traffic
iif lo accept
}
}
</source>

= fw6.basic =

For IPv6 only workstation.

<source lang="bash">
flush ruleset

table ip6 filter {
chain input {
type filter hook input priority 0; policy drop;

# accept any localhost traffic
iif lo accept

# accept traffic originated from us
ct state established,related accept

# accept neighbour discovery otherwise connectivity breaks
icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
}
}
</source>

= fw.inet.basic =

For dual-stack IPv4/IPv6 workstation.

<source lang="bash">
flush ruleset

table inet filter {
chain input {
type filter hook input priority 0; policy drop;

# accept any localhost traffic
iif lo accept

# accept traffic originated from us
ct state established,related accept

# accept neighbour discovery otherwise IPv6 connectivity breaks
icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

}
}
</source>

Simple ruleset for a workstation

2021-08-11T05:12:51Z

Hauptmann: use policy and more comments

A very simple set of rules that allows you to initiate communications from your workstation to the Internet but restricts any communication initiation to your workstation (that was not initiated by you).

= fw.basic =

For IPv4 only workstation.

<source lang="bash">
table ip filter {
chain input {
type filter hook input priority 0; policy drop;

# accept traffic originated from us
ct state established,related accept

# accept any localhost traffic
iif lo accept
}
}
</source>

= fw6.basic =

For IPv6 only workstation.

<source lang="bash">
table ip6 filter {
chain input {
type filter hook input priority 0; policy drop;

# accept any localhost traffic
iif lo accept

# accept traffic originated from us
ct state established,related accept

# accept neighbour discovery otherwise connectivity breaks
icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
}
}
</source>

= fw.inet.basic =

For dual-stack IPv4/IPv6 workstation.

<source lang="bash">
table inet filter {
chain input {
type filter hook input priority 0; policy drop;

# accept any localhost traffic
iif lo accept

# accept traffic originated from us
ct state established,related accept

# accept neighbour discovery otherwise IPv6 connectivity breaks
icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

}
}
</source>

Simple ruleset for a workstation

2021-08-11T05:08:15Z

Hauptmann:

= fw.basic =

For IPv4 only workstation.

<source lang="bash">
table ip filter {
chain input {
type filter hook input priority 0;

# accept traffic originated from us
ct state established,related accept

# accept any localhost traffic
iif lo accept

# count and drop any other traffic
counter drop
}
}
</source>

= fw6.basic =

For IPv6 only workstation.

<source lang="bash">
table ip6 filter {
chain input {
type filter hook input priority 0;

# accept any localhost traffic
iif lo accept

# accept traffic originated from us
ct state established,related accept

# accept neighbour discovery otherwise connectivity breaks
icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

# count and drop any other traffic
counter drop
}
}
</source>

= fw.inet.basic =

For dual-stack IPv4/IPv6 workstation.

<source lang="bash">
table inet filter {
chain input {
type filter hook input priority 0;

# accept any localhost traffic
iif lo accept

# accept traffic originated from us
ct state established,related accept

# accept neighbour discovery otherwise IPv6 connectivity breaks
icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

# count and drop any other traffic
counter drop
}
}
</source>

Simple ruleset for a workstation

2021-08-11T04:42:20Z

Hauptmann: /* fw.basic */ not here

= fw.basic =

<source lang="bash">
table ip filter {
chain input {
type filter hook input priority 0;

# accept traffic originated from us
ct state established,related accept

# accept any localhost traffic
iif lo accept

# count and drop any other traffic
counter drop
}
}
</source>

= fw6.basic =

<source lang="bash">
table ip6 filter {
chain input {
type filter hook input priority 0;

# accept any localhost traffic
iif lo accept

# accept traffic originated from us
ct state established,related accept

# accept neighbour discovery otherwise connectivity breaks
icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

# count and drop any other traffic
counter drop
}
}
</source>

= fw.inet.basic =

The inet table is available from Linux kernel 3.14 and allow to use a dual-stack IPv4/IPv6 table. There is mostly a
single change compared to previous ruleset which is the ''inet'' keyword.

<source lang="bash">
table inet filter {
chain input {
type filter hook input priority 0;

# accept any localhost traffic
iif lo accept

# accept traffic originated from us
ct state established,related accept

# accept neighbour discovery otherwise connectivity breaks
ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

# count and drop any other traffic
counter drop
}
}
</source>

Simple ruleset for a workstation

2021-08-11T04:41:07Z

Hauptmann: /* fw.basic */

= fw.basic =

<source lang="bash">
table ip filter {
chain input {
type filter hook input priority 0;

# accept traffic originated from us
ct state established,related accept

# accept any localhost traffic
iif lo accept

# accepting ping (icmp-echo-request) can be nice for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
#
# icmp type echo-request limit rate 5/second packets accept

# examples for opening service-specific ports:
# ct state new tcp dport 22 accept
# ct state new tcp dport { 80,443 } accept

# count and drop any other traffic
counter drop
}
}
</source>

= fw6.basic =

<source lang="bash">
table ip6 filter {
chain input {
type filter hook input priority 0;

# accept any localhost traffic
iif lo accept

# accept traffic originated from us
ct state established,related accept

# accept neighbour discovery otherwise connectivity breaks
icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

# count and drop any other traffic
counter drop
}
}
</source>

= fw.inet.basic =

The inet table is available from Linux kernel 3.14 and allow to use a dual-stack IPv4/IPv6 table. There is mostly a
single change compared to previous ruleset which is the ''inet'' keyword.

<source lang="bash">
table inet filter {
chain input {
type filter hook input priority 0;

# accept any localhost traffic
iif lo accept

# accept traffic originated from us
ct state established,related accept

# accept neighbour discovery otherwise connectivity breaks
ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

# count and drop any other traffic
counter drop
}
}
</source>

Simple ruleset for a workstation

2021-08-11T04:39:25Z

Hauptmann: /* fw.basic */ von https://github.com/QueuingKoala/netfilter-samples/

= fw.basic =

<source lang="bash">
table ip filter {
chain input {
type filter hook input priority 0;

# accept traffic originated from us
ct state established,related accept

# accept any localhost traffic
iif lo accept

# Accepting ping (icmp-echo-request) can be nice for diagnostic purposes.
# However, it also lets probes discover this host is alive.
# This sample accepts them within a certain rate limit:
# icmp type echo-request limit rate 5/second packets accept

# count and drop any other traffic
counter drop
}
}
</source>

= fw6.basic =

<source lang="bash">
table ip6 filter {
chain input {
type filter hook input priority 0;

# accept any localhost traffic
iif lo accept

# accept traffic originated from us
ct state established,related accept

# accept neighbour discovery otherwise connectivity breaks
icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

# count and drop any other traffic
counter drop
}
}
</source>

= fw.inet.basic =

The inet table is available from Linux kernel 3.14 and allow to use a dual-stack IPv4/IPv6 table. There is mostly a
single change compared to previous ruleset which is the ''inet'' keyword.

<source lang="bash">
table inet filter {
chain input {
type filter hook input priority 0;

# accept any localhost traffic
iif lo accept

# accept traffic originated from us
ct state established,related accept

# accept neighbour discovery otherwise connectivity breaks
ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

# count and drop any other traffic
counter drop
}
}
</source>