Nftables

From MK Wiki EN
Revision as of 18:59, 19 May 2026 by MkWikiEnSysOp (Sets: Formatted properly)

nftables supersedes iptables and its related programs and should be used for new deployments of Linux-based systems.

Documentation

Sets

# Placeholder IPv6 sources for the "$allow_ip6s" rule below (not part of the
# original page; replace with your own addresses). Without this define,
# "nft -f" rejects the file with an unresolved-variable error.
define allow_ip6s = { 2001:db8::5 }

table inet filter {
        # adding:   nft add element inet filter privileged_hosts { 1.2.3.4 }
        # removing: nft delete element inet filter privileged_hosts { 1.2.3.4 }
        set privileged_hosts {
                type ipv4_addr
                flags interval
                elements = { 1.2.3.5 }
        }

        set tcp_ports_always_allowed {
                type inet_service
                flags interval
                elements = { 80, 443 }
        }

        set tcp_ports_privileged {
                type inet_service
                flags interval
                elements = { 22 }
        }

        chain input {
                type filter hook input priority 0; policy drop;
                ct state established,related accept
                ct state invalid drop

                # loopback interface and the local container bridge
                iifname lo accept
                iifname lxcbr0 accept

                # ports open to everyone; privileged ports only from the set of privileged hosts
                tcp dport @tcp_ports_always_allowed accept
                tcp dport @tcp_ports_privileged ip saddr @privileged_hosts accept
                # note: the first rule above already accepts these ports from any
                # source, so this IPv6 rule is shadowed and never matches
                tcp dport @tcp_ports_always_allowed ip6 saddr $allow_ip6s accept
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
        }
        chain output {
                type filter hook output priority 0; policy accept;
        }
}

"flags interval" lets a set hold ranges as elements, such as subnets (127.0.0.0/8) or port ranges (8080-8099), rather than only single addresses or ports.
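A small audit script for the sets above, added here as an example and not taken from the wiki or from the nftables project. It reads the JSON form that "nft -j list ruleset" produces (the element shapes "prefix", "range" and the "elem"/"val" wrapper are assumed from libnftables' JSON output; the ruleset below is a constructed sample, not captured from a host), expands interval elements, answers whether a given source is privileged, flags overly broad prefixes in the privileged set, and reports ports that appear in both port sets. The last check matters because of rule order in the input chain: a port that is in tcp_ports_always_allowed is accepted from any source before the privileged rule is ever evaluated, so listing it in tcp_ports_privileged restricts nothing.

```python
"""Audit nftables sets exported as JSON (`nft -j list ruleset`)."""
from __future__ import annotations

import ipaddress
import json

# Constructed sample shaped like `nft -j list ruleset` output
# (JSON layout assumed from libnftables; not captured from a real host).
SAMPLE_RULESET = json.dumps({"nftables": [
    {"metainfo": {"version": "1.0.9", "release_name": "placeholder",
                  "json_schema_version": 1}},
    {"table": {"family": "inet", "name": "filter", "handle": 1}},
    {"set": {"family": "inet", "name": "privileged_hosts", "table": "filter",
             "type": "ipv4_addr", "handle": 2, "flags": ["interval"],
             "elem": ["1.2.3.5", {"prefix": {"addr": "10.0.0.0", "len": 8}}]}},
    {"set": {"family": "inet", "name": "tcp_ports_always_allowed", "table": "filter",
             "type": "inet_service", "handle": 3, "flags": ["interval"],
             "elem": [80, 443, {"range": [8080, 8099]}]}},
    {"set": {"family": "inet", "name": "tcp_ports_privileged", "table": "filter",
             "type": "inet_service", "handle": 4, "flags": ["interval"],
             "elem": [22, 8090]}},
]})


def load_sets(nft_json: str) -> dict[str, dict]:
    """Map set name -> set object for every set in the ruleset."""
    doc = json.loads(nft_json)
    return {obj["set"]["name"]: obj["set"] for obj in doc["nftables"] if "set" in obj}


def _unwrap(elem):
    # Elements with a timeout, counter or comment are wrapped as {"elem": {"val": ...}}.
    if isinstance(elem, dict) and "elem" in elem:
        return elem["elem"]["val"]
    return elem


def expand_addresses(s: dict) -> list[ipaddress.IPv4Network | ipaddress.IPv6Network]:
    """Turn the elements of an address set into a list of networks."""
    nets = []
    for elem in map(_unwrap, s["elem"]):
        if isinstance(elem, dict) and "prefix" in elem:
            p = elem["prefix"]
            nets.append(ipaddress.ip_network(f"{p['addr']}/{p['len']}", strict=False))
        elif isinstance(elem, dict) and "range" in elem:
            lo, hi = (ipaddress.ip_address(x) for x in elem["range"])
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:  # a single address becomes a /32 or /128
            nets.append(ipaddress.ip_network(elem))
    return nets


def expand_ports(s: dict) -> set[int]:
    """Turn the elements of an inet_service set into the full set of ports."""
    ports: set[int] = set()
    for elem in map(_unwrap, s["elem"]):
        if isinstance(elem, dict) and "range" in elem:
            lo, hi = elem["range"]
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(elem))
    return ports


def is_privileged(nft_json: str, addr: str) -> bool:
    """Would `ip saddr @privileged_hosts` match this source address?"""
    ip = ipaddress.ip_address(addr)
    nets = expand_addresses(load_sets(nft_json)["privileged_hosts"])
    return any(ip in n for n in nets)


def broad_prefixes(nft_json: str, set_name: str, max_hosts: int = 256) -> list[str]:
    """Elements covering more than max_hosts addresses; a /8 in a
    'privileged' set is usually a typo rather than an intended policy."""
    nets = expand_addresses(load_sets(nft_json)[set_name])
    return [str(n) for n in nets if n.num_addresses > max_hosts]


def shadowed_ports(nft_json: str) -> set[int]:
    """Ports listed as privileged that the always-allowed rule accepts
    first, from any source, so the source restriction never applies."""
    sets = load_sets(nft_json)
    return expand_ports(sets["tcp_ports_privileged"]) & expand_ports(sets["tcp_ports_always_allowed"])


if __name__ == "__main__":
    for src in ("1.2.3.5", "10.20.30.40", "1.2.3.4"):
        print(f"{src:>12} privileged: {is_privileged(SAMPLE_RULESET, src)}")
    print("broad prefixes in privileged_hosts:", broad_prefixes(SAMPLE_RULESET, "privileged_hosts"))
    print("privileged ports shadowed by always-allowed:", sorted(shadowed_ports(SAMPLE_RULESET)))
```

On a real host, replace SAMPLE_RULESET with the output of `nft -j list ruleset` (for example via subprocess) and run the same three checks; the set names are taken from the configuration on this page, so adjust them if yours differ.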