pi-hole/docs

Add instructions to configure nftables firewall

heitorPB opened this issue · 2 comments

The current documentation about prerequisites - firewalls describes how to use IPTables, FirewallD, and ufw. nftables is the "modern" version of IPTables and is not in the guide.

It would be nice to have official instructions for setting nftables up.

Thanks for the suggestion. Do you feel capable of writing the instructions and submitting a PR?

The commands I used for nftables are as follows.

NFTables (IPv4)

nft insert rule ip filter INPUT ip saddr 192.168.0.0/16 tcp dport 80 counter accept
nft insert rule ip filter INPUT ip saddr 127.0.0.0/8 tcp dport 53 counter accept
nft insert rule ip filter INPUT ip saddr 127.0.0.0/8 udp dport 53 counter accept
nft insert rule ip filter INPUT ip saddr 192.168.0.0/16 tcp dport 53 counter accept
nft insert rule ip filter INPUT ip saddr 192.168.0.0/16 udp dport 53 counter accept
nft insert rule ip filter INPUT udp sport 67-68 udp dport 67-68 counter accept
nft insert rule ip filter INPUT iifname "lo" tcp dport 4711 counter accept
nft insert rule ip filter INPUT ct state related,established counter accept

If the above commands don't work (no such file or directory), run these, then try again:

nft add table ip filter
nft add chain ip filter INPUT { type filter hook input priority 0 \; }

NFTables (IPv6)

nft insert rule ip6 filter INPUT udp sport 546-547 udp dport 546-547 counter accept
nft insert rule ip6 filter INPUT ct state related,established counter accept

If the above commands don't work (no such file or directory), run these, then try again:

nft add table ip6 filter
nft add chain ip6 filter INPUT { type filter hook input priority 0 \; }
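As an added example (not part of the issue thread or the Pi-hole docs), the same rules written as a declarative nftables ruleset that can be loaded with `nft -f` and kept in a file such as `/etc/nftables.conf`, generated and dry-run-checked by a small POSIX shell script. It assumes the LAN prefix 192.168.0.0/16 from the comment above (overridable as a parameter), an output path passed as a parameter, and that `nft -c -f` is the check-only mode. It goes beyond the comment in three ways: a base chain created with `nft add chain ... priority 0` has the default policy accept, so accept rules by themselves restrict nothing, whereas this ruleset sets `policy drop` (which means any other service on the host needs its own rule); for IPv6 it adds an ICMPv6 accept rule, because a drop policy that discards neighbour discovery breaks IPv6 connectivity entirely; and rules added with `nft insert rule` are lost on reboot, while a file loaded by the nftables service persists.

```shell
#!/bin/sh
# Added example; not from the Pi-hole project or the issue's author.
# Generates a declarative nftables ruleset equivalent to the rules in the
# comment above, with an explicit default-drop INPUT policy, and validates
# it with `nft -c -f` (check only, nothing is applied) when possible.

# Print the ruleset text. $1 = IPv4 LAN prefix allowed to reach DNS/web
# (assumed default taken from the comment above).
pihole_nft_ruleset() {
    lan="${1:-192.168.0.0/16}"
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy drop;

        # Replies to connections this host initiated
        ct state related,established counter accept
        # DHCP (server and client ports)
        udp sport 67-68 udp dport 67-68 counter accept
        # DNS from loopback and from the LAN only
        ip saddr 127.0.0.0/8 udp dport 53 counter accept
        ip saddr 127.0.0.0/8 tcp dport 53 counter accept
        ip saddr $lan udp dport 53 counter accept
        ip saddr $lan tcp dport 53 counter accept
        # Web admin interface from the LAN only
        ip saddr $lan tcp dport 80 counter accept
        # FTL API only on loopback
        iifname "lo" tcp dport 4711 counter accept
    }
}

table ip6 filter {
    chain INPUT {
        type filter hook input priority 0; policy drop;

        ct state related,established counter accept
        # Neighbour/router discovery must pass or IPv6 stops working
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, echo-request } counter accept
        # DHCPv6
        udp sport 546-547 udp dport 546-547 counter accept
    }
}
EOF
}

# Write the ruleset to $1 (LAN prefix in $2) and syntax-check it.
# The check needs the nft binary and root (nft -c still talks to the
# kernel), so it is skipped otherwise. Returns non-zero on a write or
# syntax failure.
pihole_nft_write() {
    out="$1"
    lan="${2:-192.168.0.0/16}"
    pihole_nft_ruleset "$lan" > "$out" || return 1
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        nft -c -f "$out"
    else
        echo "nft check skipped (needs nft and root); file written to $out" >&2
    fi
}

# Usage (as root):
#   pihole_nft_write /etc/nftables.conf 192.168.0.0/16 && nft -f /etc/nftables.conf
```

Loading the file with `nft -f` replaces the whole ruleset (`flush ruleset`), so the one-off `nft insert rule` commands above are not needed in addition; to make it survive reboots, enable the distribution's nftables service, which loads this file at boot.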