
Simple Stateful Firewall with nftables

nftables is the Linux kernel's packet filtering and classification subsystem and the successor to iptables; rulesets are written in its own rule language and loaded with the userspace nft tool.

TLDR

wget -q -O- "https://gorbe.io/posts/nftables/stateful-firewall/nftables.conf" | tee "/etc/nftables.conf"

This writes the config from the Config section straight into /etc/nftables.conf (run it as root). Read the file before you load it, check its syntax with nft -c -f /etc/nftables.conf, and keep in mind that it begins with flush ruleset, so loading it replaces whatever rules are currently active.

Config

Configure a simple stateful firewall for a basic server: everything inbound is dropped by default, except replies to connections the host opened itself, loopback traffic, rate-limited ICMP echo, the IPv6 neighbour-discovery messages the host needs, and SSH on port 22. As written the ruleset opens only port 22; for a webserver, add the HTTP/HTTPS ports next to the SSH rule.

nano /etc/nftables.conf
#!/usr/sbin/nft -f

# Start from an empty ruleset so a reload never stacks rules on top of old ones.
flush ruleset

# An "inet" table handles IPv4 and IPv6 with one set of rules.
table inet filter {

	# Regular chain (no hook): only reached through the jump from "input".
	chain inbound_ipv4 {
		# Answer pings, but at most 5 per second.
		icmp type echo-request limit rate 5/second accept
	}

	chain inbound_ipv6 {
		# Neighbour discovery is required for IPv6 to work at all.
		icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
		icmpv6 type echo-request limit rate 5/second accept
	}

	chain input {
		# Default-deny: anything not accepted below is dropped.
		type filter hook input priority 0; policy drop;
		# Stateful part: replies to connections this host started are allowed in.
		ct state { established, related } accept
		iifname lo accept
		# Dispatch the ICMP rules by layer-3 protocol.
		meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
		# SSH; add further services (e.g. 80 and 443 for a webserver) here.
		tcp dport 22 accept
		# Everything else is answered with an ICMP port-unreachable instead of a silent drop.
		reject
	}

	# No policy given, so forwarded traffic is accepted (irrelevant unless the host routes).
	chain forward {
		type filter hook forward priority 0;
	}

	# Outbound traffic is unrestricted.
	chain output {
		type filter hook output priority 0;
	}
}
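The script below is an added example and not part of the original post. It renders a ruleset with the same structure as the one above, but opens whatever TCP ports you pass (so a webserver gets 22, 80 and 443), drops packets in the invalid conntrack state, and closes the forward chain. Before loading, it runs nft -c -f so a typo never leaves the host unfiltered, and it schedules an automatic rollback to the previous ruleset that you cancel once you have confirmed SSH still works. The script name, the files under /run and the 120-second window are assumptions.

```shell
#!/bin/sh
# Added example: render, check and safely apply a stateful nftables ruleset.
# Assumes nft and coreutils are installed and the script runs as root.
# Paths under /run, the 120 s rollback window and the script name are assumptions.
set -eu
umask 077

CONF="${NFT_CONF:-/etc/nftables.conf}"
ROLLBACK=/run/nft.rollback
ROLLBACK_PID=/run/nft.rollback.pid

# render_conf PORT... : print a ruleset in the shape of the post's config that
# also accepts the given TCP ports and drops invalid conntrack state.
render_conf() {
	[ $# -gt 0 ] || { echo "render_conf: need at least one TCP port" >&2; return 1; }
	ports=$(printf '%s, ' "$@"); ports="${ports%, }"
	cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
	chain inbound_ipv4 {
		icmp type echo-request limit rate 5/second accept
	}
	chain inbound_ipv6 {
		icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
		icmpv6 type echo-request limit rate 5/second accept
	}
	chain input {
		type filter hook input priority 0; policy drop;
		ct state invalid drop
		ct state { established, related } accept
		iifname lo accept
		meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
		tcp dport { $ports } accept
		reject
	}
	chain forward {
		type filter hook forward priority 0; policy drop;
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}
EOF
}

# check_conf FILE : parse the ruleset without loading it; non-zero on any error.
check_conf() { nft -c -f "$1"; }

# apply_conf FILE : save the active ruleset, install and load FILE, and start a
# timer that restores the saved ruleset unless confirm_conf runs in time.
# nft -f loads the file as one transaction, so a failure leaves the old rules.
apply_conf() {
	{ echo 'flush ruleset'; nft list ruleset; } > "$ROLLBACK"
	check_conf "$1"
	install -m 0600 "$1" "$CONF"
	nft -f "$CONF"
	(sleep 120 && nft -f "$ROLLBACK") &
	echo $! > "$ROLLBACK_PID"
	echo "loaded $CONF; run 'confirm' within 120 s or the old ruleset comes back" >&2
}

# confirm_conf : cancel the pending rollback once a fresh SSH login succeeded.
confirm_conf() {
	kill "$(cat "$ROLLBACK_PID")" 2>/dev/null || true
	rm -f "$ROLLBACK" "$ROLLBACK_PID"
}

# Usage:  sh nft-apply.sh render 22 80 443 > /tmp/nftables.conf
#         sh nft-apply.sh apply /tmp/nftables.conf
#         sh nft-apply.sh confirm      # from a new SSH session, before the timer fires
case "${1:-}" in
	render)  shift; render_conf "$@" ;;
	apply)   apply_conf "$2" ;;
	confirm) confirm_conf ;;
esac
```

The syntax check only catches errors nft can see; it does not tell you that the rule you just wrote cuts off your own SSH session. That is what the rollback timer is for: open a second SSH connection after apply, and only then run confirm.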