Nftables

From MK Wiki EN

nftables supersedes iptables and the related programs (ip6tables, arptables, ebtables) and should be used for new deployments of Linux-based systems.

Documentation

Sets

# Assumed definition, not on the original page: the rule in chain input that
# matches "$allow_ip6s" needs this variable, otherwise the ruleset fails to load.
# 2001:db8::/32 is the IPv6 documentation prefix, used here only as a placeholder.
define allow_ip6s = { 2001:db8::/32 }

table inet filter {

       # adding:   nft add element inet filter privileged_hosts { 1.2.3.4 }
       # removing: nft delete element inet filter privileged_hosts { 1.2.3.4 }
       set privileged_hosts {
               type ipv4_addr
               flags interval
               elements = { 1.2.3.5 }
       }

       set tcp_ports_always_allowed {
               type inet_service
               flags interval
               elements = { 80, 443 }
       }

       set tcp_ports_privileged {
               type inet_service
               flags interval
               elements = { 22 }
       }

       chain input {
               type filter hook input priority 0; policy drop;
               # first match wins; anything that matches no rule hits "policy drop"
               ct state established,related accept
               ct state invalid drop
               # loopback interface and the container bridge
               iifname lo accept
               iifname lxcbr0 accept
               tcp dport @tcp_ports_always_allowed accept
               # the privileged ports are reachable only from the hosts in the set
               tcp dport @tcp_ports_privileged ip saddr @privileged_hosts accept
               tcp dport @tcp_ports_always_allowed ip6 saddr $allow_ip6s accept
       }
       chain forward {
               type filter hook forward priority 0; policy accept;
       }
       chain output {
               type filter hook output priority 0; policy accept;
       }

}

"flags interval" lets a set hold ranges as elements, such as subnets (127.0.0.0/8) or port ranges (8080-8099), instead of only single addresses or ports. Without the flag, adding a prefix or a range to the set is rejected.
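The following is an added Python example, not code from the wiki page or from the nftables project, that models the sets and the input chain shown above so their behaviour can be checked offline without root or the nft binary: it mirrors what "flags interval" permits (prefixes and port ranges) versus what a plain set accepts, walks the input chain rules in order to compute the verdict for a sample packet, and renders the "nft add/delete element" commands from the comments in the ruleset. The Packet class, the sample hosts (10.0.0.0/8, 9.9.9.9) and the rule order are assumptions taken from the ruleset text; nothing here talks to the kernel.

```python
"""Offline model of the sets and the input chain of the nftables ruleset above (added example)."""
import ipaddress
from dataclasses import dataclass


def parse_element(kind, element, interval):
    """Normalise one set element to an inclusive (lo, hi) pair of integers.

    kind is the nftables set type ("ipv4_addr" or "inet_service"); interval mirrors
    "flags interval": without it only single addresses / single ports are allowed.
    """
    if kind == "ipv4_addr":
        net = ipaddress.ip_network(element, strict=False)  # "1.2.3.4" becomes 1.2.3.4/32
        if net.version != 4:
            raise ValueError(f"{element}: not an IPv4 element")
        if net.prefixlen != 32 and not interval:
            raise ValueError(f"{element}: a prefix needs 'flags interval'")
        return int(net.network_address), int(net.broadcast_address)
    if kind == "inet_service":
        lo_text, _, hi_text = str(element).partition("-")  # "8080-8099" or "80"
        lo, hi = int(lo_text), (int(hi_text) if hi_text else int(lo_text))
        if lo != hi and not interval:
            raise ValueError(f"{element}: a range needs 'flags interval'")
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"{element}: not a valid port or port range")
        return lo, hi
    raise ValueError(f"unsupported set type {kind}")


def needs_interval(kind, element):
    """True when the element is a prefix or a range, i.e. only loadable with 'flags interval'."""
    lo, hi = parse_element(kind, element, interval=True)
    return lo != hi


class IntervalSet:
    """A named nftables set: membership test plus add/delete of elements."""

    def __init__(self, kind, elements, interval=False):
        self.kind, self.interval = kind, interval
        self.elements = [parse_element(kind, e, interval) for e in elements]

    def add(self, element):
        self.elements.append(parse_element(self.kind, element, self.interval))

    def delete(self, element):
        self.elements.remove(parse_element(self.kind, element, self.interval))

    def __contains__(self, value):
        # an IPv6 source never matches an ipv4_addr set, as with "ip saddr" in nft
        if self.kind == "ipv4_addr":
            addr = ipaddress.ip_address(value)
            if addr.version != 4:
                return False
            v = int(addr)
        else:
            v = int(value)
        return any(lo <= v <= hi for lo, hi in self.elements)


def build_sets():
    """The three sets from the ruleset, with their initial elements."""
    return {
        "privileged_hosts": IntervalSet("ipv4_addr", ["1.2.3.5"], interval=True),
        "tcp_ports_always_allowed": IntervalSet("inet_service", [80, 443], interval=True),
        "tcp_ports_privileged": IntervalSet("inet_service", [22], interval=True),
    }


@dataclass
class Packet:
    """Constructed stand-in for the packet fields the input chain looks at (assumption)."""
    iif: str
    saddr: str
    dport: int
    ct_state: str = "new"  # new, established, related or invalid


def input_verdict(pkt, sets):
    """Walk 'chain input' top to bottom; the first matching rule decides, else policy drop."""
    if pkt.ct_state in ("established", "related"):
        return "accept"
    if pkt.ct_state == "invalid":
        return "drop"
    if pkt.iif in ("lo", "lxcbr0"):
        return "accept"
    if pkt.dport in sets["tcp_ports_always_allowed"]:
        return "accept"
    if pkt.dport in sets["tcp_ports_privileged"] and pkt.saddr in sets["privileged_hosts"]:
        return "accept"
    return "drop"  # chain policy


def element_command(verb, set_name, element, table="inet filter"):
    """Render the management command from the ruleset comments, e.g.
    'nft add element inet filter privileged_hosts { 1.2.3.4 }'."""
    if verb not in ("add", "delete"):
        raise ValueError(f"verb must be add or delete, not {verb}")
    return f"nft {verb} element {table} {set_name} {{ {element} }}"


if __name__ == "__main__":
    s = build_sets()
    print(input_verdict(Packet("eth0", "9.9.9.9", 22), s))   # drop: not a privileged host
    s["privileged_hosts"].add("10.0.0.0/8")                  # allowed because of flags interval
    print(input_verdict(Packet("eth0", "10.7.7.7", 22), s))  # accept
    print(element_command("add", "privileged_hosts", "10.0.0.0/8"))
```

The model walks the rules in the order they appear in the chain, which is also how nftables evaluates them: the privileged-port rule is only reached for new connections that did not already match the loopback or always-allowed rules, and a packet that matches nothing falls through to the chain policy.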