Ben's notes

Linux, Unix, network, radio...

User Tools

Site Tools


nftables

nftables - a mild autistic ruleset

The netfilter.org “nftables” project: https://netfilter.org/projects/nftables/

The ruleset

These rules disable most inter-LAN connectivity. The host wil talk to the gateway, DNS, NTP and DHCP servers. Other nodes might pick up broadcast traffic, but will not be able to communicate with this endpoint.

  • Create a file with MAC addresses you want to be able to communicate with. Or dynamically generate it at boot (/dev/shm/maclist).
    ####################### 
    # Firewall inet
    #######################
    
    # Flush ruleset and create chains for inet
    nft flush ruleset
    nft add table inet filter
    nft add chain inet filter INPUT   { type filter hook input   priority 0 \; policy drop \; }
    nft add chain inet filter OUTPUT  { type filter hook output  priority 0 \; policy accept \; }
    nft add chain inet filter FORWARD { type filter hook forward priority 0 \; policy drop \; }
    
    # Accept established, drop invalid
    nft add rule inet filter INPUT ct state {established, related} accept
    nft add rule inet filter INPUT ct state invalid drop
    nft add rule inet filter INPUT iifname lo accept
    
    # Disable all IPv4 ICMP and drop IPv6 ping
    nft add rule inet filter INPUT ip protocol icmp drop
    nft add rule inet filter INPUT ip6 nexthdr icmpv6 icmpv6 type echo-request drop
    
    # Allow IPv6 configuration
    nft add rule inet filter INPUT ip6 nexthdr icmpv6  icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
    
    
    ####################### 
    # Firewall ARP
    #######################
    
    # Create chains with same naming convention as arptables.
    nft add table arp filter
    nft add chain arp filter INPUT   { type filter hook input   priority 0 \; }
    nft add chain arp filter OUTPUT  { type filter hook output  priority 0 \; }
    nft add chain arp filter FORWARD { type filter hook forward priority 0 \; }
    
    # Allow requests from addresses in the defined neighbour list.
    while read line
    do
      nft add rule arp filter INPUT arp operation  request ether saddr $line counter accept
    done <<< $(</dev/shm/maclist)
    
    # Allow incoming reply's.
    nft add rule arp filter INPUT arp operation  reply counter accept
    
    # Log incoming dropped ARP packages.
    nft add rule arp filter INPUT   log prefix \"INPUT   FILTER ARP: \"
    
    # Default drop. 
    nft chain arp filter INPUT { policy drop \; }
    nft chain arp filter FORWARD { policy drop \; }
  • Show current ruleset:
    # nft list ruleset
    table inet filter {
            chain INPUT {
                    type filter hook input priority 0; policy drop;
                    ct state { established, related} accept
                    ct state invalid drop
                    iifname "lo" accept
                    ip protocol icmp drop
                    icmpv6 type echo-request drop
                    icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert} accept
            }
    
            chain OUTPUT {
                    type filter hook output priority 0; policy accept;
            }
    
            chain FORWARD {
                    type filter hook forward priority 0; policy drop;
            }
    }
    table arp filter {
            chain INPUT {
                    type filter hook input priority 0; policy drop;
                    arp operation request ether saddr aa:bb:cc:dd:ee:f0 counter packets 3544 bytes 163024 accept
                    arp operation request ether saddr aa:bb:cc:dd:ee:f1 counter packets 10 bytes 460 accept
                    arp operation request ether saddr aa:bb:cc:dd:ee:f2 counter packets 322 bytes 14812 accept
                    arp operation reply counter packets 3120 bytes 143520 accept
                    log prefix "INPUT FILTER ARP: "
            }
    
            chain OUTPUT {
                    type filter hook output priority 0; policy accept;
            }
    
            chain FORWARD {
                    type filter hook forward priority 0; policy drop;
            }
    }
nftables.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1