nftables
nftables - a mild autistic ruleset
The netfilter.org “nftables” project: https://netfilter.org/projects/nftables/
The ruleset
These rules disable most inter-LAN connectivity. The host wil talk to the gateway, DNS, NTP and DHCP servers. Other nodes might pick up broadcast traffic, but will not be able to communicate with this endpoint.
- Create a file with MAC addresses you want to be able to communicate with. Or dynamically generate it at boot (
/dev/shm/maclist
).####################### # Firewall inet ####################### # Flush ruleset and create chains for inet nft flush ruleset nft add table inet filter nft add chain inet filter INPUT { type filter hook input priority 0 \; policy drop \; } nft add chain inet filter OUTPUT { type filter hook output priority 0 \; policy accept \; } nft add chain inet filter FORWARD { type filter hook forward priority 0 \; policy drop \; } # Accept established, drop invalid nft add rule inet filter INPUT ct state {established, related} accept nft add rule inet filter INPUT ct state invalid drop nft add rule inet filter INPUT iifname lo accept # Disable all IPv4 ICMP and drop IPv6 ping nft add rule inet filter INPUT ip protocol icmp drop nft add rule inet filter INPUT ip6 nexthdr icmpv6 icmpv6 type echo-request drop # Allow IPv6 configuration nft add rule inet filter INPUT ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept ####################### # Firewall ARP ####################### # Create chains with same naming convention as arptables. nft add table arp filter nft add chain arp filter INPUT { type filter hook input priority 0 \; } nft add chain arp filter OUTPUT { type filter hook output priority 0 \; } nft add chain arp filter FORWARD { type filter hook forward priority 0 \; } # Allow requests from addresses in the defined neighbour list. while read line do nft add rule arp filter INPUT arp operation request ether saddr $line counter accept done <<< $(</dev/shm/maclist) # Allow incoming reply's. nft add rule arp filter INPUT arp operation reply counter accept # Log incoming dropped ARP packages. nft add rule arp filter INPUT log prefix \"INPUT FILTER ARP: \" # Default drop. nft chain arp filter INPUT { policy drop \; } nft chain arp filter FORWARD { policy drop \; }
- Show current ruleset:
# nft list ruleset table inet filter { chain INPUT { type filter hook input priority 0; policy drop; ct state { established, related} accept ct state invalid drop iifname "lo" accept ip protocol icmp drop icmpv6 type echo-request drop icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert} accept } chain OUTPUT { type filter hook output priority 0; policy accept; } chain FORWARD { type filter hook forward priority 0; policy drop; } } table arp filter { chain INPUT { type filter hook input priority 0; policy drop; arp operation request ether saddr aa:bb:cc:dd:ee:f0 counter packets 3544 bytes 163024 accept arp operation request ether saddr aa:bb:cc:dd:ee:f1 counter packets 10 bytes 460 accept arp operation request ether saddr aa:bb:cc:dd:ee:f2 counter packets 322 bytes 14812 accept arp operation reply counter packets 3120 bytes 143520 accept log prefix "INPUT FILTER ARP: " } chain OUTPUT { type filter hook output priority 0; policy accept; } chain FORWARD { type filter hook forward priority 0; policy drop; } }
nftables.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1