nftables notes

so iptables is getting replaced

SEAN K.H. LIAO


nftables basics

no default anythings

tables (per address family) hold chains hold rules

nft add table inet table_name
nft list tables

nft add chain inet table_name chain_name
nft list table inet table_name

base chains are triggered by hooks, regular chains by jump/goto from other chains; all 5 hooks in the diagram are available for ip / ip6 / inet / bridge

chains have types (with self explanatory names): filter, nat, route

PREROUTING ─┬──── FORWARD ────┬─ POSTROUTING
            │                 │
      INPUT │                 │ OUTPUT
            │                 │
            └─ local process ─┘

nft add chain inet table_name chain_name '{ type filter hook input priority 0; policy accept; }'

rules

nft add rule inet table_name chain_name ip saddr 0.0.0.0/0 ip daddr 1.2.3.4/32 tcp dport 80 accept

sets

named, reusable, updatable set of elements (addresses, ports, ...), referenced in rules with @set_name

nft add set inet table_name set_name '{ type ipv4_addr; }'
nft add element inet table_name set_name '{ 1.2.3.4 }'

allow established connections

nft add rule inet table_name chain_name ct state related,established accept

config file

table inet table_name {
  chain chain_name {
    # no policy given, so the chain defaults to policy accept:
    # anything not matched below is still let through
    type filter hook input priority 0;

    ct state {established,related} accept
    ct state invalid drop

    tcp dport 80 accept
  }
}
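Putting the pieces above together (tables, a base chain with an explicit policy, sets referenced with @name, ct state rules), here is an added example that is not part of the original notes: a small POSIX sh script that generates a complete input-filtering ruleset with a default-drop policy and syntax-checks it with `nft -c` before loading. The table, set and chain names, the 192.0.2.0/24 admin range and the default port list are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original notes: build a default-drop nftables
# ruleset in the style of the config file above, check it, then apply it.
# Names (filter, allowed_tcp, admin_hosts) and 192.0.2.0/24 are constructed.

# Print a full ruleset to stdout. $1 is a comma-separated list of TCP ports
# to allow from anywhere (defaults to 22,80).
gen_ruleset() {
  ports="${1:-22,80}"
  cat <<EOF
flush ruleset

table inet filter {
  # named sets: update with 'nft add element' without touching the rules
  set allowed_tcp {
    type inet_service
    elements = { $ports }
  }

  set admin_hosts {
    type ipv4_addr
    flags interval
    elements = { 192.0.2.0/24 }
  }

  chain input {
    # base chain on the input hook; policy drop means everything
    # not explicitly accepted below is dropped
    type filter hook input priority 0; policy drop;

    iif lo accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    meta l4proto ipv6-icmp accept
    ip saddr @admin_hosts tcp dport 22 accept
    tcp dport @allowed_tcp accept
    # count and log what falls through so drops are visible in dmesg/journal
    counter log prefix "nft drop: " drop
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Syntax-check a ruleset read from stdin without changing the live firewall.
# Returns nft's exit status, or 2 when nft is not installed.
check_ruleset() {
  command -v nft >/dev/null 2>&1 || return 2
  nft -c -f -
}

# Load the ruleset only if the check passed (needs root).
apply_ruleset() {
  gen_ruleset "$1" | check_ruleset || return $?
  gen_ruleset "$1" | nft -f -
}

# Usage: sh firewall.sh              -> print the ruleset
#        sh firewall.sh apply 22,443 -> check it, then load it
case "${1:-print}" in
  print) gen_ruleset "$2" ;;
  apply) apply_ruleset "$2" ;;
esac
```

`flush ruleset` at the top makes the file idempotent, so re-running it replaces the previous ruleset instead of appending duplicate chains; `nft -c` parses the whole file without loading it, which catches the missing-semicolon class of error before the firewall is touched.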