SEANK.H.LIAO

nftables notes

so iptables is getting replaced

nftables basics

no defaults: there are no built-in tables or chains, everything is created explicitly

tables (per address family) hold chains hold rules

nft add table inet table_name
nft list tables

nft add chain inet table_name chain_name
nft list table inet table_name

chains are triggered by hooks (or jumped to from other chains); all 5 hooks are available for ip / ip6 / inet / bridge

chains have types (with self explanatory names): filter, nat, route

PREROUTING ─┬──── FORWARD ────┬─ POSTROUTING
            │                 │
      INPUT │                 │ OUTPUT
            │                 │
            └─ local process ─┘

nft add chain inet table_name chain_name '{ type filter hook input priority 0; policy accept; }'

rules

nft add rule inet table_name chain_name ip saddr 0.0.0.0/0 ip daddr 1.2.3.4/32 tcp dport 80 accept

sets

named, reusable, updatable set of addresses, referenced from rules with @set_name

nft add set inet table_name set_name '{ type ipv4_addr; }'
nft add element inet table_name set_name '{ 1.2.3.4 }'

allow established connections

nft add rule inet table_name chain_name ct state related,established accept

config file

table inet table_name {
  chain chain_name {
    type filter hook input priority 0;

    ct state {established,related} accept
    ct state invalid drop

    tcp dport 80 accept
  }
}
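Putting the pieces above together (table, hooked chain, named set, ct state rules, config file) into one loadable ruleset: the script below is an added example, not part of the original notes. It generates a complete nftables file with a drop-by-default input chain and an address set gating SSH, then checks it with `nft -c -f` before applying it. The table name `fw`, set name `ssh_allowed`, and the 192.0.2.x addresses are constructed for illustration; `flush ruleset` at the top of the file makes the whole load atomic, so a half-applied ruleset is never left in place.

```shell
#!/bin/sh
# Added example (not from the original page). Generates an nftables ruleset
# file from the concepts in the notes and applies it atomically with nft -f.
# Table name "fw" and set name "ssh_allowed" are constructed names.

# build_ruleset ADDRS
#   ADDRS: space-separated IPv4 addresses/prefixes allowed to reach SSH
#   (constructed sample input; at least one address is required, since an
#   empty "elements = { }" block is not valid nft syntax).
# Prints the ruleset text to stdout.
build_ruleset() {
  addrs=$1
  [ -n "$addrs" ] || { echo "build_ruleset: need at least one address" >&2; return 1; }
  # turn "a b c" into "a, b, c" for the set element list
  elems=$(printf '%s' "$addrs" | sed 's/ /, /g')

  cat <<EOF
# flush first so the load replaces the old ruleset in one transaction
flush ruleset

table inet fw {
  # named, updatable set: add/remove SSH sources without touching the rules
  set ssh_allowed {
    type ipv4_addr
    elements = { $elems }
  }

  chain input {
    # hooked chain; policy drop means anything not accepted below is dropped
    type filter hook input priority 0; policy drop;

    iif lo accept
    ct state established,related accept
    ct state invalid drop

    # ICMP/ICMPv6 are needed for path MTU discovery and neighbour discovery
    meta l4proto { icmp, ipv6-icmp } accept

    # SSH only from the set; HTTP from anywhere
    ip saddr @ssh_allowed tcp dport 22 accept
    tcp dport 80 accept

    # rate-limited visibility into what the default policy drops
    limit rate 5/minute log prefix "fw-input-drop: "
  }
}
EOF
}

# apply_ruleset ADDRS FILE
#   Writes the ruleset to FILE, dry-runs it (syntax/semantic check, no
#   kernel changes), and only then loads it. Requires root and nft.
apply_ruleset() {
  build_ruleset "$1" > "$2" || return 1
  nft -c -f "$2" || { echo "ruleset check failed, not applying" >&2; return 1; }
  nft -f "$2"
}

# Usage (not executed when the file is merely sourced):
#   sh this_script.sh apply "192.0.2.10 192.0.2.11" /etc/nftables.conf
if [ "${1:-}" = "apply" ]; then
  apply_ruleset "$2" "$3"
fi
```

`nft -c -f` parses and validates the file against the running kernel without committing anything, which is the cheapest place to catch a typo like the `accet` that crept into the rule example above; `nft list ruleset` afterwards confirms what actually landed.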