[olug] switching from iptables to nftables
Lou Duchez
lou at paprikash.com
Wed Jun 26 09:53:19 CDT 2019
I finally decided to bite the bullet and start playing with nftables.
In theory it'll do all the things iptables will do, but offers
efficiencies that iptables does not. It also incorporates functionality
that, under the iptables paradigm, required using the ipset utility.
One caution: I had more trouble getting my nftables configuration to
actually take effect. Turns out there was some remnant or other of
iptables still lurking in the system, and I decided to cope with that by
uninstalling iptables altogether. So if nftables simply refuses to work
for you, it might be iptables.
Here is a simple firewall config, to open only specific ports to the
world, and to open up some ports only to trusted IPs. First I open
traffic to the world-accessible ports, then I drop any traffic that
doesn't come from a trusted IP, and then finally I open ports that only
trusted IPs should get at.
table ip filter {
    # (address family "ip" is IPv4 only; a "table inet" would cover IPv6 too)

    # my set of trusted IPs ("flags interval" lets the set hold prefixes
    # as well as single hosts)
    set MY_TRUSTED_IPS {
        type ipv4_addr
        flags interval
        elements = { 74.1.2.3, 127.0.0.0/8,
                     155.2.3.0/26, 4.5.6.7 }
    }

    # my inbound traffic chain -- note that I specify it hooks into
    # the "input" process
    chain MY_INBOUND_TRAFFIC {
        type filter hook input priority 0; policy drop;

        # the two most basic rules: keep allowing existing
        # connections, and also allow loopback traffic
        ct state established,related accept
        iifname "lo" accept

        # allow Web traffic, and pings (no more than 2 per second)
        tcp dport http accept
        icmp type echo-request limit rate 2/second accept

        # check if the incoming IP is a trusted IP, and if it's
        # not, drop whatever traffic
        jump untrustedbans

        # now that we've weeded out untrusted sources, we can
        # open up the SSH port
        tcp dport 22 accept
    }

    # my outbound traffic chain -- note that I specify it hooks
    # into the "output" process
    #
    # it doesn't do much other than "accept" outbound traffic; it's
    # there for future use and my love of symmetry
    chain MY_OUTBOUND_TRAFFIC {
        type filter hook output priority 0; policy accept;
    }

    # my chain for dealing with untrusted IPs: if the source address
    # is in the trusted list, return out of this chain (evaluation then
    # continues at the rule after the "jump"), otherwise drop the traffic
    chain untrustedbans {
        ip saddr @MY_TRUSTED_IPS return
        drop
    }
}
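The rule order described in the post ("open the world-accessible ports, then drop anything not from a trusted IP, then open the trusted-only ports"), as an added example that is not part of the original post: a small Python model of the posted ruleset's first-match evaluation, so the intended policy can be checked offline before loading it with nft. This is not nft and not the author's code; the Packet class, the function names and the sample addresses (203.0.113.0/24 is documentation space, chosen because the trusted set does not contain it) are the example's own. The ping rate limit is not modelled, and like the posted "table ip" it only considers IPv4.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The trusted set from the posted config.  "flags interval" lets an nft set
# hold prefixes as well as single hosts; ip_network containment gives the
# same "is this address inside one of the intervals" answer here.
MY_TRUSTED_IPS = [ip_network(n) for n in
                  ("74.1.2.3", "127.0.0.0/8", "155.2.3.0/26", "4.5.6.7")]


def in_set(addr, net_set):
    """Equivalent of the match 'ip saddr @MY_TRUSTED_IPS'."""
    a = ip_address(addr)
    return any(a in net for net in net_set)


@dataclass
class Packet:
    """Only the packet fields the posted rules look at (constructed for this example)."""
    saddr: str               # IPv4 source address
    proto: str               # "tcp", "udp" or "icmp"
    dport: int = 0           # destination port (tcp/udp)
    icmp_type: str = ""      # e.g. "echo-request"
    iif: str = "eth0"        # input interface name
    ct_state: str = "new"    # conntrack state: new / established / related / invalid


def untrustedbans(pkt):
    """chain untrustedbans { ip saddr @MY_TRUSTED_IPS return; drop }"""
    if in_set(pkt.saddr, MY_TRUSTED_IPS):
        return "return"      # back to the rule after the 'jump'
    return "drop"            # untrusted source: evaluation stops here


def my_inbound_traffic(pkt):
    """chain MY_INBOUND_TRAFFIC (hook input, policy drop), evaluated top to bottom.

    The first terminal verdict (accept/drop) wins; a packet that reaches the
    end of the chain gets the chain policy, which is drop.
    """
    if pkt.ct_state in ("established", "related"):   # ct state established,related accept
        return "accept"
    if pkt.iif == "lo":                               # iifname "lo" accept
        return "accept"
    if pkt.proto == "tcp" and pkt.dport == 80:        # tcp dport http accept
        return "accept"
    if pkt.proto == "icmp" and pkt.icmp_type == "echo-request":
        return "accept"     # icmp type echo-request limit rate 2/second accept (limit not modelled)
    verdict = untrustedbans(pkt)                      # jump untrustedbans
    if verdict != "return":
        return verdict
    if pkt.proto == "tcp" and pkt.dport == 22:        # tcp dport 22 accept
        return "accept"
    return "drop"                                     # policy drop


# Constructed test packets (not captured traffic).
CASES = {
    "http from untrusted":         Packet("203.0.113.5", "tcp", dport=80),
    "ssh from untrusted":          Packet("203.0.113.5", "tcp", dport=22),
    "ssh from trusted host":       Packet("4.5.6.7", "tcp", dport=22),
    "ssh from inside /26":         Packet("155.2.3.40", "tcp", dport=22),  # 155.2.3.0-63
    "ssh from just outside /26":   Packet("155.2.3.70", "tcp", dport=22),
    "https from trusted host":     Packet("4.5.6.7", "tcp", dport=443),    # no rule -> policy
    "dns/udp from trusted host":   Packet("4.5.6.7", "udp", dport=53),
    "ping from untrusted":         Packet("203.0.113.5", "icmp", icmp_type="echo-request"),
    "other icmp from untrusted":   Packet("203.0.113.5", "icmp", icmp_type="timestamp-request"),
    "reply to our own connection": Packet("203.0.113.5", "tcp", dport=51000, ct_state="established"),
    "loopback":                    Packet("127.0.0.1", "tcp", dport=5432, iif="lo"),
}


def evaluate_cases(cases=CASES):
    """Return {case name: verdict} for every constructed packet."""
    return {name: my_inbound_traffic(pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_cases().items():
        print(f"{verdict:6s}  {name}")
```

The model only answers ordering questions (which rule a given packet hits first). It cannot tell you whether the file parses or whether the kernel has the modules it needs; for that, run the real ruleset through `nft -c -f <file>`, which parses and checks it without installing anything.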