You are not logged in.

#1 2024-05-07 08:33:26

zorggy
Member
Registered: 2013-05-30
Posts: 26

[SOLVED] Configuring nftables

Hello here,

I would like to configure a firewall using nftables. I have difficulty to get a functioning one, that's why I'm asking you some help.

Here are my requirements:

  • Configure one ethernet connection using IPv4

  • Accept all connections from a specific subnetwork

  • Accept only a dynamic whitelist of IPs on all other subnetworks

I build the dynamic IPv4 address list in a separate file, how can I include it in the rule?

Thank you in advance for your help,
Zorggy.

Last edited by zorggy (2024-05-08 13:32:03)

Offline

#2 2024-05-07 11:41:43

-thc
Member
Registered: 2017-03-15
Posts: 639

Re: [SOLVED] Configuring nftables

A good starting point is the default file "/etc/nftables.conf". Remove the IPv6 lines and the SSH rule and you have a basic rule set that allows nothing but ICMP:

#!/usr/bin/nft -f

flush ruleset
                         
table inet filter {

  chain input {
    type filter hook input priority filter; policy drop;

    ct state invalid drop comment "early drop of invalid connections"
    ct state {established, related} accept comment "allow tracked connections"
    iifname lo accept comment "allow from loopback"
    ip protocol icmp accept comment "allow icmp"
    counter
  }
  
  chain forward {
    type filter hook forward priority filter; policy drop
  }
  
}

Add a rule for your trusted subnet:

#!/usr/bin/nft -f

flush ruleset
                         
table inet filter {

  chain input {
    type filter hook input priority filter; policy drop;

    ct state invalid drop comment "early drop of invalid connections"
    ct state {established, related} accept comment "allow tracked connections"
    iifname lo accept comment "allow from loopback"
    ip protocol icmp accept comment "allow icmp"
    ip saddr 10.7.7.0/24 accept comment "allow trusted subnet"
    counter
  }
  
  chain forward {
    type filter hook forward priority filter; policy drop
  }
  
}

For the whitelist you define a named set of IPv4 address intervals and add a rule for them:

#!/usr/bin/nft -f

flush ruleset
                         
table inet filter {

  set ipv4_whitelist {
                type ipv4_addr
                flags interval
                elements = { 10.1.1.1,
                             10.2.2.0/24,
                             10.3.0.0/16,
                             10.4.5.6,
                             10.9.9.9 }
  }
  
  chain input {
    type filter hook input priority filter; policy drop;

    ct state invalid drop comment "early drop of invalid connections"
    ct state {established, related} accept comment "allow tracked connections"
    iifname lo accept comment "allow from loopback"
    ip protocol icmp accept comment "allow icmp"
    ip saddr 10.7.7.0/24 accept comment "allow trusted subnet"
    ip saddr @ipv4_whitelist accept comment "allow whitelist"
    counter
  }
  
  chain forward {
    type filter hook forward priority filter; policy drop
  }
  
}

The set can be changed at runtime (temporary) and/or in the rule set (permanent)

Offline

#3 2024-05-08 07:15:42

zorggy
Member
Registered: 2013-05-30
Posts: 26

Re: [SOLVED] Configuring nftables

Thank you -thc for your reply.

I was wondering whether it would be possible to have the ipv4_whitelist variable definition in another file (this is the dynamic part of the rules) and include it in the rule declaration file.

Then, changing the ipv4_whitelist variable file and reloading the full configuration would be the way to update the firewall, no?

Offline

#4 2024-05-08 12:32:06

-thc
Member
Registered: 2017-03-15
Posts: 639

Re: [SOLVED] Configuring nftables

zorggy wrote:

I was wondering whether it would be possible to have the ipv4_whitelist variable definition in another file (this is the dynamic part of the rules) and include it in the rule declaration file.

AFAIK: no - nftables does not work with external sets.

zorggy wrote:

Then, changing the ipv4_whitelist variable file and reloading the full configuration would be the way to update the firewall, no?

Yes - editing the set and reloading nftables would be the method for permanent changes.

You can also use

nft add element inet filter ipv4_blacklist { 192.168.3.4 }
nft delete element inet filter ipv4_blacklist { 10.9.9.9 }

for runtime-only changes.

Last edited by -thc (2024-05-08 12:51:21)

Offline

#5 2024-05-08 13:31:44

zorggy
Member
Registered: 2013-05-30
Posts: 26

Re: [SOLVED] Configuring nftables

Thank you, -thc

I understand I have to template the full configuration file, it's a pity.

I'll use the method for permanent changes so that I can restart the service and the server without losing any host in the whitelist.

Problem solved.

Offline

Board footer

Powered by FluxBB