9 April 2014, 09:46


This post goes through the different ways to load or save an nftables ruleset, using Ubuntu GNOME 14.04 (Trusty Tahr).
 


 

Be aware that nft commands can only be run as root ( either using sudo -s or sudo [command] ).
Trying to use the nft command without being root produces errors that can be misinterpreted as a software error / failure. Throughout this post I assume every nft command is run as root ( sudo -s ).


1. Ruleset loading using a shell script

The easiest way to load / save rulesets is to use a shell script.

To put it all in an easy shell script, we first create a fw.sh file :

touch /home/[user]/fw.sh

and edit it :

gedit /home/[user]/fw.sh

We start it with the usual header :

#!/bin/bash

We load the IPv4 and IPv6 templates :

 

nft -f /usr/local/etc/nftables/ipv4-filter
nft -f /usr/local/etc/nftables/ipv6-filter

 

 

We flush any tables :

nft flush table filter
nft flush table ip6 filter

We append our filter list :

line 1 ...
line 2 ...
line 3 ...

We finish with a nice exit code :
exit 0

Here is what it looks like, with our basic IPv4/IPv6 firewall :
-------------------------------------------------------------------------------
#!/bin/bash

nft -f /usr/local/etc/nftables/ipv4-filter
nft -f /usr/local/etc/nftables/ipv6-filter

nft flush table filter
nft flush table ip6 filter

nft add rule filter input ct state established accept
nft add rule filter input ct state related accept
nft add rule filter input iif lo accept
nft add rule filter input tcp dport ssh counter log accept
nft add rule filter input counter log drop

nft add rule filter output ct state established accept
nft add rule filter output ct state related accept
nft add rule filter output oif lo accept
nft add rule filter output ct state new counter accept

nft add rule ip6 filter input ct state established accept
nft add rule ip6 filter input ct state related accept
nft add rule ip6 filter input iif lo accept
nft add rule ip6 filter input tcp dport ssh counter log accept

nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
nft add rule ip6 filter input icmpv6 type echo-request accept
nft add rule ip6 filter input icmpv6 type nd-router-advert accept
nft add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

nft add rule ip6 filter input counter log drop

nft add rule ip6 filter output ct state established accept
nft add rule ip6 filter output ct state related accept
nft add rule ip6 filter output oif lo accept
nft add rule ip6 filter output ct state new counter accept

echo "Nftables Firewall is now ON"

exit 0

-------------------------------------------------------------------------------------------------------------------------

we make it executable :

chmod +x /home/[user]/fw.sh

we can now run it easily ( the file is executable, so sudo /home/[user]/fw.sh works as well ) :

sudo sh /home/[user]/fw.sh



we can easily make a fw_off.sh script too :

----------------------------------------------------------------------------------------------------------------------------
#!/bin/bash

nft -f /usr/local/etc/nftables/ipv4-filter
nft -f /usr/local/etc/nftables/ipv6-filter

nft flush table filter
nft flush table ip6 filter

echo "Nftables Firewall is now OFF"

exit 0
--------------------------------------------------------------------------------------------------------------------------------


nb: instead of loading blueprints, we can create the tables and chains. These lines :

nft -f /usr/local/etc/nftables/ipv4-filter
nft -f /usr/local/etc/nftables/ipv6-filter

would then become :

nft add table filter
nft add table ip6 filter

nft add chain filter input { type filter hook input priority 0 \; }
nft add chain filter forward { type filter hook forward priority 0 \; }
nft add chain filter output { type filter hook output priority 0 \; }

nft add chain ip6 filter input { type filter hook input priority 0 \; }
nft add chain ip6 filter forward { type filter hook forward priority 0 \; }
nft add chain ip6 filter output { type filter hook output priority 0 \; }
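The script below is an added example, not the fw.sh / fw_off.sh from this post: it folds both scripts into one with "on" and "off" arguments, stops at the first nft command that fails ( set -e ) instead of silently continuing, refuses to run unprivileged, and has a DRY_RUN=1 mode that prints the nft commands for review. It assumes nft is in PATH and creates the tables and chains itself, as in the nb above, rather than loading the templates.

```shell
#!/bin/sh
# Added example (not the post's fw.sh): "on" and "off" in one script, aborting
# on the first failing nft command, with a dry run to review the commands.
# Assumed: nft is in PATH; tables and chains are created here (as in the nb
# above) instead of loading the ipv4-filter / ipv6-filter templates.
set -eu

# DRY_RUN=1 prints the nft commands instead of executing them.
DRY_RUN="${DRY_RUN:-0}"

# Every nft call goes through this wrapper: set -e then stops the script on
# the first error, so a typo cannot leave a half-loaded ruleset unnoticed.
nftcmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'nft %s\n' "$*"
    else
        nft "$@"
    fi
}

# nft only works as root; an unprivileged run fails with misleading errors.
require_root() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "fw.sh: must be run as root (sudo -s, or sudo $0 on|off)" >&2
        return 1
    fi
}

# Create tables and base chains for both families ("add" succeeds when they
# already exist, so the script can be re-run).
create_tables() {
    for fam in "" ip6; do
        nftcmd add table $fam filter
        for hook in input forward output; do
            nftcmd add chain $fam filter $hook { type filter hook $hook priority 0 \; }
        done
    done
}

flush_tables() {
    nftcmd flush table filter
    nftcmd flush table ip6 filter
}

# Input rules; $1 is "" for IPv4 or "ip6" for IPv6.
add_input_rules() {
    nftcmd add rule $1 filter input ct state established accept
    nftcmd add rule $1 filter input ct state related accept
    nftcmd add rule $1 filter input iif lo accept
    nftcmd add rule $1 filter input tcp dport ssh counter log accept
    if [ "$1" = ip6 ]; then
        # Neighbour discovery and router advertisements must get through,
        # otherwise IPv6 connectivity breaks; echo-request is kept for pings.
        for t in nd-neighbor-solicit echo-request nd-router-advert nd-neighbor-advert; do
            nftcmd add rule ip6 filter input icmpv6 type $t accept
        done
    fi
    # Logged and counted default deny, always the last input rule.
    nftcmd add rule $1 filter input counter log drop
}

# Output rules; same $1 convention.
add_output_rules() {
    nftcmd add rule $1 filter output ct state established accept
    nftcmd add rule $1 filter output ct state related accept
    nftcmd add rule $1 filter output oif lo accept
    nftcmd add rule $1 filter output ct state new counter accept
}

fw_on() {
    [ "$DRY_RUN" = 1 ] || require_root
    create_tables
    flush_tables
    add_input_rules ""
    add_output_rules ""
    add_input_rules ip6
    add_output_rules ip6
    echo "Nftables Firewall is now ON"
}

fw_off() {
    [ "$DRY_RUN" = 1 ] || require_root
    create_tables
    flush_tables
    echo "Nftables Firewall is now OFF"
}

case "${1:-}" in
    on)  fw_on ;;
    off) fw_off ;;
    *)   echo "usage: $0 on|off   (DRY_RUN=1 $0 on  previews the commands)" >&2 ;;
esac
```

Run it as sudo ./fw.sh on or sudo ./fw.sh off ; DRY_RUN=1 ./fw.sh on shows the commands without needing root. The chains carry no policy, so the logged drop rule at the end of each input chain is what actually closes the firewall : if the original fw.sh stopped after the flush because one rule had a typo, the host would be left open, which is why failing loudly on the first error matters.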






2. Ruleset loading using the nft -f command

Another way to save / load rulesets is to use the nft -f command.
Keeping the same firewall example as before, we create a fw.ruleset file ( any name / any extension will do ) containing our command list. Note that the tables must already exist : either create them first, or load the templates from inside the file :

-f /usr/local/etc/nftables/ipv4-filter
-f /usr/local/etc/nftables/ipv6-filter

here is how we create our ruleset :

touch /home/[user]/fw.ruleset

we edit it :

gedit /home/[user]/fw.ruleset

--------------------------------------------------------------------------------------------------
-f /usr/local/etc/nftables/ipv4-filter
-f /usr/local/etc/nftables/ipv6-filter

flush table filter
flush table ip6 filter

add rule filter input ct state established accept
add rule filter input ct state related accept
add rule filter input iif lo accept
add rule filter input tcp dport ssh counter log accept
add rule filter input counter log drop

add rule filter output ct state established accept
add rule filter output ct state related accept
add rule filter output oif lo accept
add rule filter output ct state new counter accept

add rule ip6 filter input ct state established accept
add rule ip6 filter input ct state related accept
add rule ip6 filter input iif lo accept
add rule ip6 filter input tcp dport ssh counter log accept

add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
add rule ip6 filter input icmpv6 type echo-request accept
add rule ip6 filter input icmpv6 type nd-router-advert accept
add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

add rule ip6 filter input counter log drop

add rule ip6 filter output ct state established accept
add rule ip6 filter output ct state related accept
add rule ip6 filter output oif lo accept
add rule ip6 filter output ct state new counter accept

-----------------------------------------------------------------------------------------------------------------

we can launch it using this command :

sudo nft -f fw.ruleset


we can easily make a fw_off.ruleset file too. As it is read by nft -f and not by the shell, the lines carry no nft prefix :

-----------------------------------------------------------------------------
-f /usr/local/etc/nftables/ipv4-filter
-f /usr/local/etc/nftables/ipv6-filter

flush table filter
flush table ip6 filter

-------------------------------------------------------------------------------

We can incorporate the table and chain creation in the file itself, so the templates don't need to have been loaded previously :
add table filter
add table ip6 filter

add chain filter input { type filter hook input priority 0 ; }
add chain filter forward { type filter hook forward priority 0 ; }
add chain filter output { type filter hook output priority 0 ; }

add chain ip6 filter input { type filter hook input priority 0 ; }
add chain ip6 filter forward { type filter hook forward priority 0 ; }
add chain ip6 filter output { type filter hook output priority 0 ; }



flush table filter
flush table ip6 filter

add rule filter input ct state established accept
add rule filter input ct state related accept
add rule filter input iif lo accept
add rule filter input tcp dport ssh counter log accept
add rule filter input counter log drop

add rule filter output ct state established accept
add rule filter output ct state related accept
add rule filter output oif lo accept
add rule filter output ct state new counter accept

add rule ip6 filter input ct state established accept
add rule ip6 filter input ct state related accept
add rule ip6 filter input iif lo accept
add rule ip6 filter input tcp dport ssh counter log accept

add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
add rule ip6 filter input icmpv6 type echo-request accept
add rule ip6 filter input icmpv6 type nd-router-advert accept
add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

add rule ip6 filter input counter log drop

add rule ip6 filter output ct state established accept
add rule ip6 filter output ct state related accept
add rule ip6 filter output oif lo accept
add rule ip6 filter output ct state new counter accept


3. Ruleset loading using an nftables 'dump'

Another useful way to save / load a ruleset is to use a 'dumping' command :

a : we set up our firewall

b : we dump the configuration into fw4.rule and fw6.rule files ( any name / extension is possible ) :
nft list table filter > fw4.rule
nft list table ip6 filter > fw6.rule

 

we can now load our firewall using these commands :
nft -f fw4.rule
nft -f fw6.rule

Interesting to note is that the counter states are preserved in the dump, which may be useful for keeping status across a reboot.

It is also possible to append both dumps into one file :

save :
nft list table filter > fw.rule
nft list table ip6 filter >> fw.rule

restore :
nft -f fw.rule
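Added example around the dump-based save / restore, not code from this post : it saves both tables into one file through a temporary file ( so a failing nft never leaves a truncated fw.rule behind ), checks that a dump really holds both tables before restoring, flushes the existing tables first ( loading a "table ip filter { ... }" block adds its rules to whatever is already in the table, so restoring twice duplicates every rule ), and offers a counter reset for when the preserved counters are not wanted. The sample dump embedded for the checks is constructed by me in the "counter packets N bytes M" form that nft list table prints, with simplified indentation ; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the post): helpers for the dump-based save/restore.
# Assumed: nft in PATH for save/restore; "nft list table" prints counters as
# "counter packets <n> bytes <m>" (the constructed sample below uses that form).
set -eu

# Save both tables into one file via a temporary file, so a failing nft
# command never leaves a truncated fw.rule in place of the previous one.
save_dump() {             # usage: save_dump /path/fw.rule
    tmp="$1.tmp"
    { nft list table filter > "$tmp" && nft list table ip6 filter >> "$tmp"; } \
        || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$1"
}

# A dump only holds the tables it was taken from; insist on both before
# trusting it as the complete firewall.
dump_has_both_tables() {  # usage: dump_has_both_tables /path/fw.rule
    grep -q '^table ip filter {' "$1" && grep -q '^table ip6 filter {' "$1"
}

# Counter values travel with the dump. Rewrite "counter packets N bytes M"
# to a bare "counter" when the restored firewall should start from zero.
reset_counters() {        # usage: reset_counters < fw.rule > fw-zero.rule
    sed 's/counter packets [0-9][0-9]* bytes [0-9][0-9]*/counter/g'
}

# Loading "table ip filter { ... }" appends to an existing table, so flush
# first (only if the table exists: it does not on a fresh boot).
restore_dump() {          # usage: restore_dump /path/fw.rule
    dump_has_both_tables "$1" || { echo "$1: not a complete dump" >&2; return 1; }
    for fam in ip ip6; do
        if nft list table $fam filter >/dev/null 2>&1; then
            nft flush table $fam filter
        fi
    done
    nft -f "$1"
}

# Constructed sample of the two "nft list table" outputs appended together,
# used by the checks; not taken from a live system.
sample_dump() {
    cat <<'EOF'
table ip filter {
  chain input {
    type filter hook input priority 0;
    ct state established accept
    ct state related accept
    iif lo accept
    tcp dport ssh counter packets 12 bytes 960 log accept
    counter packets 7 bytes 420 log drop
  }
  chain forward {
    type filter hook forward priority 0;
  }
  chain output {
    type filter hook output priority 0;
    ct state established accept
    ct state new counter packets 3 bytes 180 accept
  }
}
table ip6 filter {
  chain input {
    type filter hook input priority 0;
    tcp dport ssh counter packets 0 bytes 0 log accept
    counter packets 2 bytes 144 log drop
  }
}
EOF
}

case "${1:-}" in
    save)    save_dump "${2:?usage: $0 save FILE}" ;;
    restore) restore_dump "${2:?usage: $0 restore FILE}" ;;
    reset)   reset_counters ;;
    *)       echo "usage: $0 save|restore FILE, or: $0 reset < fw.rule > fw-zero.rule" >&2 ;;
esac
```

sudo ./fwdump.sh save /root/fw.rule and sudo ./fwdump.sh restore /root/fw.rule replace the two-line save and the nft -f restore above ; ./fwdump.sh reset < fw.rule > fw-zero.rule produces the same ruleset with every counter back at zero.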


4. Notes


(1) to be able to load the templates, use the full path to the template file :
nft -f /home/[user]/nftables/files/nftables/ipv6-filter
nft -f /usr/local/etc/nftables/ipv6-filter

(2) nft commands only work as root

be aware that nft commands can only be run as root ( either using sudo -s or sudo [command] ).
trying to use the nft command without being root produces errors that can be misinterpreted as a software error / failure.


(3) to delete the rules of a chain ( nft flush chain filter input is the documented way to empty a chain ) :

nft delete rule filter input
nft delete rule filter output
nft delete rule filter forward

nft delete rule ip6 filter input
nft delete rule ip6 filter output
nft delete rule ip6 filter forward


(4) use of bash files :

gedit rule1.sh

chmod +x rule1.sh
sh rule1.sh

(5) Windows / Linux text format issue

nb : beware of Windows / Linux line ending problems ( CRLF vs LF ) when moving config files between operating systems.
Use cat on a Linux terminal, then copy and paste into a fresh new file if needed.
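Before handing a file to nft -f it is cheap to check it for the two problems that come up in this post : CRLF line endings from a Windows editor ( note 5 ), and shell commands ( nft ..., sudo nft ... ) left in a file that nft, not the shell, is going to parse ( the fw_off.ruleset pitfall in section 2 ). The following is an added example, not the post's own code ; the function names are mine and the check reports line numbers so the offending lines can be fixed before the firewall is touched.

```shell
#!/bin/sh
# Added example (not from the post): sanity checks for a ruleset file before
# it is passed to "nft -f". Function names and messages are mine.
set -eu

# True when the file contains carriage returns, i.e. CRLF line endings.
has_crlf() {              # usage: has_crlf FILE
    grep -q "$(printf '\r')" "$1"
}

# Rewrite the file with LF endings, keeping a .bak copy of the original.
strip_crlf() {            # usage: strip_crlf FILE
    cp "$1" "$1.bak"
    tr -d '\r' < "$1.bak" > "$1"
}

# Lines that are shell commands ("nft ...", "sudo nft ...") rather than nft
# syntax, with line numbers. A "#!/usr/sbin/nft -f" shebang is a comment to
# nft and is therefore not reported.
shell_lines() {           # usage: shell_lines FILE
    grep -n -E '^[[:space:]]*(sudo[[:space:]]+)?nft([[:space:]]|$)' "$1" || true
}

# Run every check; returns 1 when something must be fixed.
check_ruleset() {         # usage: check_ruleset FILE
    rc=0
    if has_crlf "$1"; then
        echo "$1: CRLF line endings found (fix with: $0 fix $1)" >&2
        rc=1
    fi
    bad="$(shell_lines "$1")"
    if [ -n "$bad" ]; then
        echo "$1: shell commands found, drop the 'nft' prefix on these lines:" >&2
        echo "$bad" >&2
        rc=1
    fi
    return $rc
}

case "${1:-}" in
    check) check_ruleset "${2:?usage: $0 check FILE}" && echo "${2}: ok" ;;
    fix)   strip_crlf "${2:?usage: $0 fix FILE}" ;;
    *)     echo "usage: $0 check FILE | fix FILE" >&2 ;;
esac
```

./rulecheck.sh check fw.ruleset before sudo nft -f fw.ruleset ; ./rulecheck.sh fix fw.ruleset converts the endings in place and leaves fw.ruleset.bak behind.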

 

Published by computer outlines - in Nftables