Hello here,
I would like to configure a firewall using nftables. I'm having difficulty getting a working one, which is why I'm asking for some help.
Here are my requirements:
Configure one ethernet connection using IPv4
Accept all connections from a specific subnetwork
Accept only a dynamic whitelist of IPs on all other subnetworks
I build the dynamic IPv4 address list in a separate file, how can I include it in the rule?
Thank you in advance for your help,
Zorggy.
Last edited by zorggy (2024-05-08 13:32:03)
A good starting point is the default file "/etc/nftables.conf". Remove the IPv6 lines and the SSH rule and you have a basic rule set that allows nothing but ICMP:
#!/usr/bin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state invalid drop comment "early drop of invalid connections"
        ct state {established, related} accept comment "allow tracked connections"
        iifname lo accept comment "allow from loopback"
        ip protocol icmp accept comment "allow icmp"
        counter
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}
Add a rule for your trusted subnet:
#!/usr/bin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state invalid drop comment "early drop of invalid connections"
        ct state {established, related} accept comment "allow tracked connections"
        iifname lo accept comment "allow from loopback"
        ip protocol icmp accept comment "allow icmp"
        ip saddr 10.7.7.0/24 accept comment "allow trusted subnet"
        counter
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}
For the whitelist you define a named set of IPv4 address intervals and add a rule for them:
#!/usr/bin/nft -f
flush ruleset
table inet filter {
    set ipv4_whitelist {
        type ipv4_addr
        flags interval
        elements = { 10.1.1.1,
                     10.2.2.0/24,
                     10.3.0.0/16,
                     10.4.5.6,
                     10.9.9.9 }
    }
    chain input {
        type filter hook input priority filter; policy drop;
        ct state invalid drop comment "early drop of invalid connections"
        ct state {established, related} accept comment "allow tracked connections"
        iifname lo accept comment "allow from loopback"
        ip protocol icmp accept comment "allow icmp"
        ip saddr 10.7.7.0/24 accept comment "allow trusted subnet"
        ip saddr @ipv4_whitelist accept comment "allow whitelist"
        counter
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}
The set can be changed at runtime (temporary) and/or in the rule set (permanent).
Thank you -thc for your reply.
I was wondering whether it would be possible to have the ipv4_whitelist variable definition in another file (this is the dynamic part of the rules) and include it in the rule declaration file.
Then, changing the ipv4_whitelist variable file and reloading the full configuration would be the way to update the firewall, no?
I was wondering whether it would be possible to have the ipv4_whitelist variable definition in another file (this is the dynamic part of the rules) and include it in the rule declaration file.
AFAIK: no - nftables does not work with external sets.
Then, changing the ipv4_whitelist variable file and reloading the full configuration would be the way to update the firewall, no?
Yes - editing the set and reloading nftables would be the method for permanent changes.
You can also use
nft add element inet filter ipv4_whitelist { 192.168.3.4 }
nft delete element inet filter ipv4_whitelist { 10.9.9.9 }
for runtime-only changes.
Last edited by -thc (2024-05-08 12:51:21)
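As an added example (not code from the thread or from nftables itself), a small POSIX shell script that refreshes the named set from a separate list file in a single atomic nft transaction, which is the runtime method above without typing each element by hand. It assumes -thc's table and set names (inet filter / ipv4_whitelist) and a list file path of your choice; the sample list contents are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: turn a plain whitelist file into one
# atomic nft batch that refreshes the ipv4_whitelist set from -thc's rule set.
# Assumed: table "inet filter", set "ipv4_whitelist", and a list file of your
# choice (one IPv4 address or CIDR per line, '#' comments and blank lines allowed).
set -eu

# Print an nft batch: flush the set, then re-add every valid entry from the file.
# nft -f applies the whole batch as one transaction, so the set is never empty
# between flush and re-add, and a rejected batch leaves the running set unchanged.
build_batch() {
    file="$1"
    printf 'flush set inet filter ipv4_whitelist\n'
    grep -Ev '^[[:space:]]*(#|$)' "$file" | while read -r entry; do
        case "$entry" in
            *[!0-9./]*)
                printf 'skipping invalid entry: %s\n' "$entry" >&2
                continue ;;
        esac
        printf 'add element inet filter ipv4_whitelist { %s }\n' "$entry"
    done
}

# Check the batch first (-c parses without committing), then commit it.
apply_whitelist() {
    build_batch "$1" | nft -c -f - && build_batch "$1" | nft -f -
}

# Constructed sample whitelist used for the demonstration below.
write_sample_whitelist() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# trusted hosts and ranges (constructed sample values)
10.1.1.1
10.2.2.0/24
not-an-address
10.9.9.9
EOF
    printf '%s\n' "$tmp"
}

# Number of "add element" lines the batch would send for a given file.
count_elements() {
    build_batch "$1" 2>/dev/null | grep -c '^add element'
}
```

Run apply_whitelist on the list file from a cron job or a path unit whenever the file changes; because the set is also declared in the permanent rule set, a reload or reboot falls back to the elements in the file, not to an empty set.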
Thank you, -thc
I understand I have to template the full configuration file; it's a pity.
I'll use the method for permanent changes so that I can restart the service and the server without losing any host in the whitelist.
Problem solved.