Mes exemples de fichiers de configuration nftables

Configuration

• OS : Debian 11
• nftables : 0.9.8 (E.D.S.)

Informations générales

• Activer le service nftables au démarrage avec la commande systemctl

root@host:~# systemctl enable nftables.service

• Fichier de configuration nftables

root@host:~# /etc/nftables.conf

• Charger le fichier nftables

root@host:~# nft -f /etc/nftables.conf

• Afficher les règles

root@host:~# nft list ruleset

• Effacer les règles

root@host:~# nft flush ruleset

• Notes :
• inet inclus les adresses ipv4 et ipv6. On peut utiliser les mots ip pour les adresses ipv4 ou ipv6 pour les adresses ipv6.
• iif pour input interface et oif pour output interface.

SMTP Server

Un fichier de configuration pour un serveur smtp.

#!/usr/sbin/nft -f

flush ruleset

# ----- IPv4 -----
table ip filter {
        chain INPUT {
                type filter hook input priority 0; policy drop; #by default, we drop traffic

                iif lo accept comment "Accept any localhost traffic"
                ct state invalid counter drop comment "Drop invalid connections"
                ct state { established, related } counter accept comment "Accept traffic originated from us"
                iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"

                ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept comment "Accept ICMP"
		
		iif eth0 ip saddr 10.0.0.10 tcp dport ssh counter accept comment "Accept ssh from 10.0.0.10"
                tcp dport { http, https, smtp, 465, 143, 993 } counter accept comment "Accept http, https, imap, imaps, smtp protocols"
                counter drop #count and drop
        }
        chain FORWARD {
                type filter hook forward priority 0; policy drop;
                counter comment "count dropped packets"
        }
        chain OUTPUT {
                type filter hook output priority 0; policy accept;
        }
}

# ----- IPv6 -----
table ip6 filter {
        chain INPUT {
                type filter hook input priority 0; policy drop; #by default, we drop traffic

                iif lo accept comment "Accept any localhost traffic"
                iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
                ct state invalid drop comment "Drop invalid connections"
                ct state established,related accept comment "Accept traffic originated from us"

                ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept comment "Accept ICMPv6"
                #ip protocol igmp accept comment "Accept IGMP"

                tcp dport { smtp, 465, 143, 993 } counter accept comment "Accept imap, imaps, smtp"
                counter drop #count and drop
        }
        chain FORWARD {
                type filter hook forward priority 0; policy drop;
                counter comment "count dropped packets"
        }
        chain OUTPUT {
                type filter hook output priority 0;
        }
}

Routeur

Un fichier de configuration pour un routeur.

#!/usr/sbin/nft -f

flush ruleset

table ip my_nat {
        chain my_masquerade {
                type nat hook postrouting priority 100; policy accept;
                ip daddr != { 192.168.0.0/16 } oifname "wan" masquerade comment "outgoing NAT"
        }

        chain my_prerouting {
                type nat hook prerouting priority -100; policy accept;
                iifname "wan" tcp dport { http, https } dnat to 192.168.10.250 comment "Web Redirect"
                iifname "wan" udp dport 9994 dnat to 192.168.10.251:1194 comment "OpenVPN Redirect"
        }
}
table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
                iif "lo" accept
                ct state { related, established} accept
                ct state invalid drop
                meta l4proto icmp accept
                ip saddr 192.168.0.0/16 tcp dport { auth, domain, ssh } accept comment "dns, ntp, ssh"
                ip saddr 192.168.0.0/16 udp dport { auth, domain } accept comment "dns, ntp"
                iifname "wan" jump input_wan
                iifname "lan" jump input_lan
        }

        chain input_wan {
                ip saddr { 46.105.57.169 } tcp dport ssh accept comment "allow external SSH"
        }

        chain input_lan {
                tcp dport ssh accept
        }

        chain forward {
                type filter hook forward priority 0; policy drop; #by default, we drop traffic 
                ct state { related, established } accept
                ct state invalid drop
                ip saddr 192.168.0.0/16 tcp dport { http, https } accept comment "accept WEB"
                iifname { "lan" } oifname "wan" udp dport { domain, ntp } accept comment "DNS"
                ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 icmp type { echo-reply, echo-request} accept comment "allow icmp"
                ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 icmp type { echo-reply, echo-request} accept comment "allow icmp"
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}