Difference between revisions of "Simple ruleset for a workstation"

From nftables wiki
Jump to navigation Jump to search
(Created page with "= fw.basic = <source lang="bash"> table ip filter { chain input { type filter hook input priority 0; # accept traffic originated from us c...")
 
(→‎fw.inet.basic: clarify dual stack)
(One intermediate revision by the same user not shown)
Line 42: Line 42:
= fw.inet.basic =
= fw.inet.basic =


The inet table is available from Linux kernel 3.14 and allow to make an IPv4 and IPv6 table. There is mostly a
The inet table is available from Linux kernel 3.14 and allow to use a dual-stack IPv4/IPv6 table. There is mostly a
single change compared to previous ruleset which is the ''inet'' keyword.
single change compared to previous ruleset which is the ''inet'' keyword.


Line 56: Line 56:
                 ct state established,related accept
                 ct state established,related accept


                 # accept neighbour discovery otherwise connectivity breaks. daddr filter is a workaround to set l3 protocol.
                 # accept neighbour discovery otherwise connectivity breaks
                 ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
                 ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept



Revision as of 12:29, 13 September 2017

fw.basic

table ip filter {
     chain input {
          type filter hook input priority 0;

          # accept traffic originated from us
          ct state established,related accept

          # accept any localhost traffic
          iif lo accept

          # count and drop any other traffic
          counter drop
     }
}

fw6.basic

table ip6 filter {
        chain input {
                 type filter hook input priority 0;

                 # accept any localhost traffic
                 iif lo accept

                 # accept traffic originated from us
                 ct state established,related accept

                 # accept neighbour discovery otherwise connectivity breaks
                 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

                 # count and drop any other traffic
                 counter drop
        }
}

fw.inet.basic

The inet table is available from Linux kernel 3.14 and allow to use a dual-stack IPv4/IPv6 table. There is mostly a single change compared to previous ruleset which is the inet keyword.

table inet filter {
        chain input {
                 type filter hook input priority 0;

                 # accept any localhost traffic
                 iif lo accept

                 # accept traffic originated from us
                 ct state established,related accept

                 # accept neighbour discovery otherwise connectivity breaks
                 ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

                 # count and drop any other traffic
                 counter drop
        }
}