Simple ruleset for a server: Difference between revisions

From nftables wiki
Jump to navigation Jump to search
(add comment regarding ICMPv6 (per Thomas Landauer))
(→‎nftables.conf: missing closing curly brace)
 
(5 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Here's a very basic example of the nftables.conf file you might use on a web server.  In this example, we have the option to block off all incoming traffic from the server except from "safe" IP ranges. This is handy if your server is behind CloudFlare, Sucuri, or other similar traffic filtering services.
Here's a very basic example for a web server, you can load the ruleset file with ''nft -f''.
 
'''Note:''' Initially, this conf allows all inbound traffic until you comment/uncomment the "From approved IP ranges only" section.


= nftables.conf =
= nftables.conf =


<source lang="bash">
<syntaxhighlight lang="bash">
#!/usr/sbin/nft -f
flush ruleset                                                                   
                                                                               
table inet firewall {
                                                                               
    chain inbound_ipv4 {
        # accepting ping (icmp-echo-request) for diagnostic purposes.
        # However, it also lets probes discover this host is alive.
        # This sample accepts them within a certain rate limit:
        #
        # icmp type echo-request limit rate 5/second accept     
    }


flush ruleset
    chain inbound_ipv6 {                                                       
 
        # accept neighbour discovery otherwise connectivity breaks
# List all IPs and IP ranges of your traffic filtering proxy source.
        #
define SAFE_TRAFFIC_IPS = {
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
    x.x.x.x/xx,
                                                                               
    x.x.x.x/xx,
        # accepting ping (icmpv6-echo-request) for diagnostic purposes.
    x.x.x.x,
        # However, it also lets probes discover this host is alive.
    x.x.x.x
        # This sample accepts them within a certain rate limit:
}
        #
 
        # icmpv6 type echo-request limit rate 5/second accept
table inet firewall {
    }


     chain inbound {
     chain inbound {                                                            


    # By default, drop all traffic unless it meets a filter
        # By default, drop all traffic unless it meets a filter
    # criteria specified by the rules that follow below.
        # criteria specified by the rules that follow below.
         type filter hook input priority 0; policy drop;
         type filter hook input priority 0; policy drop;


         # Allow traffic from established and related packets.
         # Allow traffic from established and related packets, drop invalid
         ct state established,related accept
         ct state vmap { established : accept, related : accept, invalid : drop }
 
        # Drop invalid packets.
        ct state invalid drop


         # Allow loopback traffic.
         # Allow loopback traffic.
         iifname lo accept
         iifname lo accept


         # Allow all ICMP and IGMP traffic, but enforce a rate limit
         # Jump to chain according to layer 3 protocol using a verdict map
        # to help prevent some types of flood attacks.
         meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
         ip protocol icmp limit rate 4/second accept
        # Allowing ICMPv6 is mandatory for IPv6 to work
        ip6 nexthdr ipv6-icmp limit rate 4/second accept
        ip protocol igmp limit rate 4/second accept
 
        # Allow SSH on port 22.
        tcp dport 22 accept


         # Allow HTTP(S).
         # Allow SSH on port TCP/22 and allow HTTP(S) TCP/80 and TCP/443
         # -- From anywhere
         # for IPv4 and IPv6.
         tcp dport { http, https } accept
         tcp dport { 22, 80, 443} accept
        udp dport { http, https } accept
        # -- From approved IP ranges only
        # tcp dport { http, https } ip saddr $SAFE_TRAFFIC_IPS accept
        # udp dport { http, https } ip saddr $SAFE_TRAFFIC_IPS accept
 
        # Uncomment to allow incoming traffic on other ports.
        # -- Allow Jekyll dev traffic on port 4000.
        # tcp dport 4000 accept
        # -- Allow Hugo dev traffic on port 1313.
        # tcp dport 1313 accept


         # Uncomment to enable logging of denied inbound traffic
         # Uncomment to enable logging of denied inbound traffic
         # log prefix "[nftables] Inbound Denied: " flags all counter drop
         # log prefix "[nftables] Inbound Denied: " counter drop
 
     }                                                                          
     }
                                                                               
 
     chain forward {                                                            
     chain forward {
         # Drop everything (assumes this device is not a router)                
 
         type filter hook forward priority 0; policy drop;                      
         # Drop everything (assumes this device is not a router)
     }                                                                          
         type filter hook forward priority 0; policy drop;
                                                                               
 
     # no need to define output chain, default policy is accept if undefined.
        # Uncomment to enable logging of denied forwards
        # log prefix "[nftables] Forward Denied: " flags all counter drop
 
     }
 
     chain outbound {
 
        # Allow all outbound traffic
        type filter hook output priority 0; policy accept;
 
    }
 
}
}
</source>
</syntaxhighlight>

Latest revision as of 18:34, 31 January 2022

Here's a very basic example for a web server, you can load the ruleset file with nft -f.

nftables.conf

flush ruleset                                                                    
                                                                                 
table inet firewall {
                                                                                 
    chain inbound_ipv4 {
        # accepting ping (icmp-echo-request) for diagnostic purposes.
        # However, it also lets probes discover this host is alive.
        # This sample accepts them within a certain rate limit:
        #
        # icmp type echo-request limit rate 5/second accept      
    }

    chain inbound_ipv6 {                                                         
        # accept neighbour discovery otherwise connectivity breaks
        #
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
                                                                                 
        # accepting ping (icmpv6-echo-request) for diagnostic purposes.
        # However, it also lets probes discover this host is alive.
        # This sample accepts them within a certain rate limit:
        #
        # icmpv6 type echo-request limit rate 5/second accept
    }

    chain inbound {                                                              

        # By default, drop all traffic unless it meets a filter
        # criteria specified by the rules that follow below.
        type filter hook input priority 0; policy drop;

        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop } 

        # Allow loopback traffic.
        iifname lo accept

        # Jump to chain according to layer 3 protocol using a verdict map
        meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }

        # Allow SSH on port TCP/22 and allow HTTP(S) TCP/80 and TCP/443
        # for IPv4 and IPv6.
        tcp dport { 22, 80, 443} accept

        # Uncomment to enable logging of denied inbound traffic
        # log prefix "[nftables] Inbound Denied: " counter drop
    }                                                                            
                                                                                 
    chain forward {                                                              
        # Drop everything (assumes this device is not a router)                  
        type filter hook forward priority 0; policy drop;                        
    }                                                                            
                                                                                 
    # no need to define output chain, default policy is accept if undefined.
}