Change the default alternatives so the legacy iptables tools use the nftables backend:

# update-alternatives --set iptables /usr/sbin/iptables-nft
# update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
# update-alternatives --set arptables /usr/sbin/arptables-nft
# update-alternatives --set ebtables /usr/sbin/ebtables-nft

Clear the current rule set:

# nft flush ruleset

Add a table:

# nft add table inet filter

Add three base chains: input, forward and output. The default policy for input and forward is drop; the default policy for output is accept.

# nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
# nft add chain inet filter forward { type filter hook forward priority 0 \; policy drop \; }
# nft add chain inet filter output { type filter hook output priority 0 \; policy accept \; }

Add two regular (non-base) chains that will handle TCP and UDP traffic:

# nft add chain inet filter TCP
# nft add chain inet filter UDP

Accept related and established traffic:

# nft add rule inet filter input ct state related,established accept

Accept traffic on the loopback interface:

# nft add rule inet filter input iif lo accept

Drop invalid traffic:

# nft add rule inet filter input ct state invalid drop

Accept new echo requests (ping):

# nft add rule inet filter input ip protocol icmp icmp type echo-request ct state new accept

New UDP traffic jumps to the UDP chain:

# nft add rule inet filter input ip protocol udp ct state new jump UDP

New TCP traffic jumps to the TCP chain:

# nft add rule inet filter input ip protocol tcp tcp flags \& \(fin\|syn\|rst\|ack\) == syn ct state new jump TCP

Reject all traffic that no other rule has handled:

# nft add rule inet filter input ip protocol udp reject
# nft add rule inet filter input ip protocol tcp reject with tcp reset
# nft add rule inet filter input counter reject with icmp type prot-unreachable

At this point, decide which ports to open for incoming connections; these are handled by the TCP and UDP chains. For example, to open the web server's HTTP port 80, add:

# nft add rule inet filter TCP tcp dport 80 accept

To open the web server's HTTPS port 443:

# nft add rule inet filter TCP tcp dport 443 accept

Allow SSH connections on port 22:

# nft add rule inet filter TCP tcp dport 22 accept

Allow incoming DNS requests:

# nft add rule inet filter TCP tcp dport 53 accept
# nft add rule inet filter UDP udp dport 53 accept

Make the changes persistent by writing them to a file:

# nft list ruleset > /etc/nftables.conf
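The same ruleset in the declarative nft script form that ends up in /etc/nftables.conf, as an added example that is not part of the original post. It generalises the four port rules into one anonymous set; the file path and the set of open ports are assumptions for this example.

```nft
#!/usr/sbin/nft -f
# Added example: declarative form of the commands above.
# Load with:              nft -f /etc/nftables.conf
# Check syntax only:      nft -c -f /etc/nftables.conf

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state related,established accept
        iif lo accept
        ct state invalid drop
        ip protocol icmp icmp type echo-request ct state new accept
        ip protocol udp ct state new jump UDP
        ip protocol tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump TCP

        # anything not handled above is rejected explicitly
        ip protocol udp reject
        ip protocol tcp reject with tcp reset
        counter reject with icmp type prot-unreachable
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }

    chain TCP {
        # open TCP service ports (assumed set for this example): SSH, DNS, HTTP, HTTPS
        tcp dport { 22, 53, 80, 443 } accept
    }

    chain UDP {
        udp dport 53 accept
    }
}
```

Note that `ip protocol` matches IPv4 only, so in an `inet` table IPv6 traffic falls through to the chain's drop policy unless `meta l4proto` is used instead.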

Reference: https://wiki.archlinux.org/index.php/Nftables_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)

Last modification: August 25th, 2019 at 07:38 pm