Nftables
Latest revision as of 21:36, 16 February 2026
nftables supersedes iptables and related programs and should be used for new deployments of Linux-based systems.
== Documentation ==
* [https://wiki.nftables.org/wiki-nftables/index.php/Sets nftables sets]
* [https://wiki.nftables.org/wiki-nftables/index.php/Simple_rule_management Simple rule management]
== Sets ==
<code>
# $allow_ip6s is referenced in the input chain but was never defined on this page;
# this is a placeholder value so the file loads with "nft -f". Replace it with the
# real IPv6 source addresses.
define allow_ip6s = { ::1 }

table inet filter {
    # adding:   nft add element inet filter privileged_hosts { 1.2.3.4 }
    # removing: nft delete element inet filter privileged_hosts { 1.2.3.4 }
    set privileged_hosts {
        type ipv4_addr
        flags interval
        elements = { 1.2.3.5 }
    }
    set tcp_ports_always_allowed {
        type inet_service
        flags interval
        elements = { 80, 443 }
    }
    set tcp_ports_privileged {
        type inet_service
        flags interval
        elements = { 22 }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # loopback interface
        iifname lo accept
        # LXC container bridge
        iifname lxcbr0 accept
        tcp dport @tcp_ports_always_allowed accept
        # privileged ports are reachable only from the privileged_hosts set
        tcp dport @tcp_ports_privileged ip saddr @privileged_hosts accept
        # shadowed by the unconditional rule for the same port set above, so it never matches
        tcp dport @tcp_ports_always_allowed ip6 saddr $allow_ip6s accept
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
</code>
"flags interval" lets a set hold elements that cover a range of values, such as subnets (127.0.0.0/8) or port ranges (8080-8099).
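The add/delete commands in the ruleset comments are typed by hand, so mistakes (a subnet in a set without "flags interval", a port out of range, an element already covered by an existing subnet, deleting something that is not there) only surface as an nft error. As an added example, not code from this page or from the nftables project, the following Python helper mirrors the page's set definitions and validates an element before producing the command; the set single_hosts is a constructed extra that is not on the page, included so the interval check has something to reject.

```python
import ipaddress

# Sets mirrored from the ruleset above: name -> (type, has 'flags interval'). "single_hosts"
# is a constructed extra set without the flag (not on the page) to exercise the interval check.
SETS = {
    "privileged_hosts": ("ipv4_addr", True),
    "tcp_ports_always_allowed": ("inet_service", True),
    "tcp_ports_privileged": ("inet_service", True),
    "single_hosts": ("ipv4_addr", False),
}

def parse_element(set_type, element):
    """Normalise one element: ipv4_addr -> IPv4Network, inet_service -> (lo, hi)."""
    if set_type == "ipv4_addr":
        net = ipaddress.ip_network(element, strict=True)  # rejects host bits in a prefix
        if net.version != 4:
            raise ValueError(f"{element} is not an IPv4 address or subnet")
        return net
    lo, _, hi = element.partition("-")
    lo, hi = int(lo), int(hi) if hi else int(lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"{element} is not a valid port or port range")
    return lo, hi

def validate(action, set_name, element, existing):
    """Return None if the change is safe, else why it must not be sent; 'existing' is the set's current element list."""
    set_type, interval = SETS[set_name]
    try:
        new = parse_element(set_type, element)
        current = [parse_element(set_type, e) for e in existing]
    except ValueError as exc:
        return str(exc)
    # a subnet or a port range is an interval element; only a set with the flag can hold it
    is_range = new.num_addresses > 1 if set_type == "ipv4_addr" else new[0] != new[1]
    if is_range and not interval:
        return f"{set_name} lacks 'flags interval', so it cannot hold {element}"
    if action == "add" and any(
        new.subnet_of(e) if set_type == "ipv4_addr" else e[0] <= new[0] <= new[1] <= e[1]
        for e in current
    ):
        return f"{element} is already covered by an element of {set_name}"
    if action == "delete" and new not in current:
        return f"{element} is not an element of {set_name}"
    return None

def element_command(action, set_name, element, existing):
    problem = validate(action, set_name, element, existing)
    if problem:
        raise ValueError(problem)
    return f"nft {action} element inet filter {set_name} {{ {element} }}"
```

The returned string is exactly the command from the ruleset comments, so it can be passed to a subprocess call once validation passes.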