nftables est la nouvelle commande qui est censée remplacer iptables dans le but de gérer le firewall du noyau Linux : Netfilter. Voici mes notes personnelles testées sous Debian.
# nftables cheat-sheet, recorded as a root shell transcript on Debian.
# Each line keeps its "root@host:~# " prompt, so this is reference material,
# not a script to run as-is. Values such as handle numbers (38, 17), the
# 192.168.x.x addresses and "<table name>"/"<interface>" are examples or
# placeholders to replace.

# Service: load the ruleset from /etc/nftables.conf at boot.
root@host:~# systemctl enable nftables.service
# NOTE(review): as written this line *executes* the config file instead of
# editing it; presumably an editor (e.g. the default $EDITOR) was meant here.
root@host:~# /etc/nftables.conf
# Load (apply) the ruleset from a file.
root@host:~# nft -f /etc/nftables.conf

# Tables: "inet" covers both IPv4 and IPv6 in one table.
root@host:~# nft add table inet filter
root@host:~# nft list tables
root@host:~# nft delete table inet filter
# flush removes every chain's rules but keeps the table and chains.
root@host:~# nft flush table inet filter

# Chains (generic form; replace the <...> placeholders).
root@host:~# nft add chain inet <table name> <chain name>
root@host:~# nft list chains
root@host:~# nft delete chain <table name> <chain name>

# Base chains bound to the input/forward/output hooks at priority 0.
# The ';' is escaped because the block is not quoted for the shell.
# No "policy" is given, so packets matching no rule take the default verdict
# (accept); add "policy drop" to the block for a default-deny chain.
root@host:~# nft add chain inet filter INPUT { type filter hook input priority 0\; }
root@host:~# nft add chain inet filter FORWARD { type filter hook forward priority 0\; }
root@host:~# nft add chain inet filter OUTPUT { type filter hook output priority 0\; }
# NAT base chains inside the same "inet filter" table (quoted form, no '\;').
# The same two chains are created again further down in a dedicated "ip NAT" table.
root@host:~# nft add chain inet filter my_masquerade '{ type nat hook postrouting priority 100; }'
root@host:~# nft add chain inet filter my_prerouting '{ type nat hook prerouting priority -100; }'

# Rules.
# No match expression: counts and accepts every packet reaching INPUT. Placed
# first, it terminates evaluation for all input, so the rules added after it
# are never consulted for those packets.
root@host:~# nft add rule inet filter INPUT counter accept
# "counter" alone has no verdict: the packet is counted and evaluation continues.
root@host:~# nft add rule inet filter INPUT tcp dport 22 counter
# Anonymous set {80, 443} plus conntrack state match.
root@host:~# nft add rule inet filter INPUT tcp dport {80, 443} ct state new,established counter accept
# -a prints rule handles (needed for delete/replace/insert below), -n is numeric output.
root@host:~# nft -n -a list ruleset
# Delete by handle. NOTE: this addresses family "ip", while the table above was
# created as "inet filter"; the family must match the table that actually exists.
root@host:~# nft delete rule ip filter INPUT handle 38
root@host:~# nft -n -a list ruleset
# Replace the rule at a given handle with a new one (same family caveat as above).
root@host:~# nft replace rule ip filter INPUT handle 38 iifname "eth0" ip saddr 192.168.1.12 counter drop
root@host:~# nft -n -a list ruleset
# "position N" refers to a rule handle, not a line number; with "insert" the
# new rule goes before the rule holding that handle.
root@host:~# nft insert rule ip filter INPUT position 17 iifname "eth0" ip saddr { 192.168.1.11, 192.168.1.68, 192.168.1.118 } counter drop

# NAT in a dedicated IPv4 table.
root@host:~# nft add table ip NAT
root@host:~# nft add chain ip NAT my_masquerade '{ type nat hook postrouting priority 100; }'
root@host:~# nft add chain ip NAT my_prerouting '{ type nat hook prerouting priority -100; }'
# Family omitted here, so "NAT" resolves to the ip table created above.
# Masquerade traffic leaving <interface> whose destination is outside 192.168.0.0/16
# ('!=' is escaped so the shell does not treat '!' as history expansion).
root@host:~# nft add rule NAT my_masquerade ip daddr \!= { 192.168.0.0/16 } oifname <interface> masquerade
# Port-forward inbound https on <interface> to the internal host 192.168.1.10;
# the comment is escaped with \" so the quotes survive the shell.
root@host:~# nft add rule NAT my_prerouting iifname <interface> tcp dport { https } dnat to 192.168.1.10 comment \"Web Server\"