Difference between revisions of "Nft"
(→Usage) |
|||
| Line 10: | Line 10: | ||
which can convert an iptables rule to nft. Used like so: | which can convert an iptables rule to nft. Used like so: | ||
iptables-translate -I INPUT -p tcp --dport 22 -j DROP | iptables-translate -I INPUT -p tcp --dport 22 -j DROP | ||
| − | and it will | + | and it will give the nft equivalent. |
Second, you should know that in order to block ipv4 and ipv6, you should | Second, you should know that in order to block ipv4 and ipv6, you should | ||
Revision as of 21:36, 3 November 2022
Nft is the successor to iptables.
There is only one book on the market I could find (08/2022) that currently deals with Nft, and that is Linux Firewalls by Steve Suehring (this page references the 4th edition).
Usage
First, you should know there is the handy tool
iptables-translate
which can convert an iptables rule to nft. Used like so:
iptables-translate -I INPUT -p tcp --dport 22 -j DROP
and it will give the nft equivalent.
Second, you should know that in order to block ipv4 and ipv6, you should use: inet. Some rules, will have nft insert rule ip bla bla bla or nft insert rule ip6 bla bla bla. If you use inet instead of ip or ip6 it will cover both protocols. (Page 84). Any example rule online that only uses ip is incorrect.
Third:
-I is nft insert -A is nft add
Terrible... Add should be append. As with iptables, the order in which you execute the rules is important.
Allow/Block a single port
Block the wan from accessing port 80:
nft insert rule ip filter INPUT tcp dport 80 counter reject
Allow the lan to access port 80:
nft insert rule inet filter INPUT ip saddr 192.168.1.0/24 tcp dport 80 counter accept
