nftables base ruleset

labels:
I have migrated to nftables. The iptables base ruleset[1] was incredibly useful, each time I needed to setup from scratch. Following on from that, I wanted to bed down my nftables base ruleset too.

I picked up my iptables base ruleset[1], and applied the migration techniques from the nftables wiki[2].

On Gentoo, net-firewall/iptables needs nftables useflag for the translate utilities. These tools do not need superuser access.

The iptables service saves state to /var/lib/iptables/rules-save. It is not world readable.

Now we have the tool and the ruleset to translate.

$ iptables-restore-translate -f /var/lib/iptables/rules-save

Thus follows my current base ruleset.

#!/sbin/nft -f
flush ruleset
table filter {
 chain input {
  type filter hook input priority 0; policy drop;
  ct state invalid counter drop
  tcp flags != syn ct state new counter drop
  tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|syn|rst|psh|ack|urg) counter drop
  tcp flags & (fin|syn|rst|psh|ack|urg) == (0x0) counter drop
  #ip frag-off != 0 counter log prefix "nft: " level notice drop
  iif lo ip saddr 127.0.0.1/8 accept
  ct state established,related accept
  counter log prefix "nfti: " level notice drop
 }
 chain output {
  type filter hook output priority 0; policy drop;
  ct state invalid counter drop
  oif lo ip daddr 127.0.0.1/8 accept
  ct state new,established accept
  counter log prefix "nfto: " level notice drop
 }
 chain forward {
  type filter hook forward priority 0; policy drop;
  counter log prefix "nft: " level notice drop
 }
}

Not all rules are successfully translated, or they don't work as I expected. I had to substantially verify and rewrite many translated rules.

For example, this is totally daft.
$ iptables-translate -A INPUT -p icmp --icmp-type any -j ACCEPT
nft add rule ip filter INPUT  counter accept
$ /sbin/iptables-translate -A output -p icmp --icmp-type any -j DROP
nft add rule ip filter output  counter drop

I had to comment off the following rule, which worked very well in iptables, but not in nftables. Please let me if you understand.
$ /sbin/iptables-translate -A INPUT -f -j DROP
nft add rule ip filter INPUT ip frag-off != 0 counter drop

My understanding is not complete, nor do I profess to be an expert. Please feedback.

[1] iptables base ruleset
[2] Moving from iptables to nftables

No comments:

Post a Comment

most viewed

  • grub rescue btrfs ubuntu
    to play more seriously with yet another distro, i needed to install it. so i had some fun resizing/moving partitions around to clear some fr...
  • Discovering zram and replacing all tmpfs
    I have just discovered zram [2] :) woohoo... and what a thing that is! I was so sold on tmpfs , that I used it for everything I possibly ...
  • slackware netinstall
    you won't see many docs about minimal netinstall slackware. indeed, you will see many experts saying there is no such thing. and your on...
  • debian stretch kernel compile
    debian kernels contain everything needed by everyone. customising your kernel is easy and highly recommended. i recommend using the same ker...
  • runit openrc gentoo
    I decided to have another go at runit , this time on my gentoo . I had been thinking about this, since I noticed this on
  • multiboot btrfs subvolumes
    this idea has been knocking around in my head for a while. i want to document it, while it is still there and to flush it out later.. i us...
  • openwrt backfire x86 install
    vision: portable internet router, to carry on my travels, or use at home. openwrt on a portable (thin-client/netbook) device. internet sour...
  • This sound device does not have any controls
    I have no sound, on my recent gentoo install. LXQT Mixer wouldn't open. I don't even get any error/warning messages. This is not ...
  • gentoo portage
    ref: http://wiki.gentoo.org/wiki/portage Gentoo is Portage. Portage is Gentoo. Getting portage settings right is vitally important. It...
  • voidlinux remove old kernels & modules
    I noticed while updating my void that kernels were being updated, but old ones weren't being removed. Removing orphan packages didn'...