nftables config
nftables is the packet-filtering framework of the Linux kernel (the nf_tables subsystem, configured from user space with the nft tool) and is used as a firewall. Through hooks (such as input, output or forward) nftables attaches itself to the Linux network stack and can filter, forward or modify packets. A basic configuration could look like this:
#!/usr/sbin/nft -f
# create the table first so the following delete does not fail on a fresh system
table inet basic-filter
# delete only the old rules of this table ("flush ruleset" would also wipe tables
# managed by other tools, e.g. Docker or libvirt)
delete table inet basic-filter
# inet: one table for IPv4 and IPv6
table inet basic-filter {
    chain input {
        # type=filter hook=input priority=filter ("filter" is a priority name and means 0)
        type filter hook input priority filter
        # default policy if no rule matches: drop the packet
        policy drop
        # log all new connections
        # ct state new log
        # connection tracking state: accept already established or related connections
        ct state { established, related } accept
        # accept everything on the loopback interface
        iifname "lo" counter accept
        # allow ping (IPv4); "icmp" only matches IPv4 ICMP, even in an inet table
        icmp type echo-request counter accept
        # allow ping (IPv6) and the ICMPv6 neighbor/router discovery messages without
        # which IPv6 does not work at all (policy drop would otherwise silently break it)
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } counter accept
        # accept DNS queries for dnsmasq
        # ct state new udp dport 53 counter accept
        # log new SSH connections with a prefix (kernel log, e.g. journalctl -k or dmesg)
        ct state new tcp dport 22 counter log prefix "New SSH connection " accept
        ct state new tcp dport 80 counter accept   # HTTP
        ct state new tcp dport 443 counter accept  # HTTPS
        # ct state new tcp dport 139 counter accept # SMB via NetBIOS (old)
        # ct state new tcp dport 445 counter accept # SMB via TCP
    }
    chain output {
        type filter hook output priority filter
        # default: accept all outgoing packets
        policy accept
        # block outgoing SMTP so the host cannot be abused as a mail sender
        # ("reject" instead of "drop" would make local programs fail immediately instead of timing out)
        tcp dport 25 counter drop
    }
}
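The configuration above uses only the input and output hooks. The following ruleset, added here as an example and not part of the original page, shows the forward hook mentioned in the introduction together with a nat chain: it turns the host into a small gateway that forwards new connections only from an inner interface to the uplink and rewrites their source address. The interface names lan0 and wan0 are assumptions; replace them with the real ones.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original page.
# Assumptions: lan0 is the inner (trusted) interface, wan0 the uplink.
table inet gateway
delete table inet gateway

table inet gateway {
    chain forward {
        # the forward hook sees only packets routed through this host,
        # not packets addressed to the host itself (those hit the input hook)
        type filter hook forward priority filter
        policy drop
        # replies and related traffic of connections that were already allowed
        ct state { established, related } accept
        # do not forward packets that conntrack cannot assign to any connection
        ct state invalid counter drop
        # new connections may only be opened from the inner network towards the uplink;
        # new connections arriving on wan0 fall through to policy drop
        iifname "lan0" oifname "wan0" ct state new counter accept
    }
    chain postrouting {
        # nat hook after the routing decision: rewrite the source address of
        # packets leaving via wan0 ("srcnat" is a priority name and means 100)
        type nat hook postrouting priority srcnat
        policy accept
        oifname "wan0" masquerade
    }
}
```

Check the file with `nft -c -f gateway.nft` before loading it with `nft -f gateway.nft`; the whole file is applied atomically, so a syntax error leaves the old ruleset in place. Forwarding additionally needs routing enabled in the kernel (`sysctl -w net.ipv4.ip_forward=1`), and a nat chain in the inet family requires a kernel that supports it; on older kernels put the postrouting chain into a `table ip` instead. `nft list ruleset` shows the loaded rules together with their counters, which is the quickest way to see whether a rule is actually matching.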