How to create the simplest possible nftables firewall

Create the simplest possible firewall using the nftables framework, with relaxed rules that allow all outgoing traffic, incoming ICMP echo requests, and incoming SSH connections.

Default configuration

Default nftables configuration.

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0;
        }
        chain forward {
                type filter hook forward priority 0;
        }
        chain output {
                type filter hook output priority 0;
        }
}

The resulting ruleset listing.

$ sudo nft list ruleset
table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }
}

The simplest firewall

The simplest relaxed solution: INPUT and FORWARD use policy drop, with explicit accept rules for the loopback interface, established or related connections, ICMP echo requests, and SSH; OUTPUT stays at policy accept.

#!/usr/sbin/nft -f

flush ruleset

table ip filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                iifname "lo" accept comment "Accept loopback interface"

                ct state established,related counter accept comment "Accept established or related packets"
                ct state invalid counter drop comment "Drop invalid packets"

                icmp type echo-request counter accept comment "Accept incoming ICMP"

                tcp dport 22 counter accept comment "Accept incoming SSH"
        }

        chain FORWARD {
                type filter hook forward priority filter; policy drop;
        }

        chain OUTPUT {
                type filter hook output priority filter; policy accept;
        }
}

The resulting ruleset listing, with the counters showing live packet and byte figures.

$ sudo nft list ruleset
table ip filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                iifname "lo" accept comment "Accept loopback interface"
                ct state established,related counter packets 1652 bytes 374440 accept comment "Accept established or related packets"
                ct state invalid counter packets 16 bytes 1366 drop comment "Drop invalid packets"
                icmp type echo-request counter packets 4 bytes 336 accept comment "Accept incoming ICMP"
                tcp dport 22 counter packets 3 bytes 180 accept comment "Accept incoming SSH"
        }

        chain FORWARD {
                type filter hook forward priority filter; policy drop;
        }

        chain OUTPUT {
                type filter hook output priority filter; policy accept;
        }
}

The simplest solution with counters

The simplest relaxed solution with counters on every path. The chain policies are left at the default (accept), so the trailing unconditional counter drop rules in INPUT and FORWARD are what make the effective behaviour the same as policy drop, while also counting the packets that are dropped.

#!/usr/sbin/nft -f

flush ruleset

table ip filter {
        chain INPUT {
                type filter hook input priority filter;
                iifname "lo" accept comment "Accept loopback interface"

                ct state established,related counter accept comment "Accept established or related packets"
                ct state invalid counter drop comment "Drop invalid packets"

                icmp type echo-request counter accept comment "Accept incoming ICMP"

                tcp dport 22 counter accept comment "Accept incoming SSH"

                counter drop
        }

        chain FORWARD {
                type filter hook forward priority filter;

                counter drop
        }

        chain OUTPUT {
                type filter hook output priority filter;

                counter accept
        }
}

The resulting ruleset listing; note policy accept on every chain and the final counter drop rules that close INPUT and FORWARD.

$ sudo nft list ruleset
table ip filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
                iifname "lo" accept comment "Accept loopback interface"
                ct state established,related counter packets 8 bytes 944 accept comment "Accept established or related packets"
                ct state invalid counter packets 0 bytes 0 drop comment "Drop invalid packets"
                icmp type echo-request counter packets 0 bytes 0 accept comment "Accept incoming ICMP"
                tcp dport 22 counter packets 0 bytes 0 accept comment "Accept incoming SSH"
                counter packets 0 bytes 0 drop
        }

        chain FORWARD {
                type filter hook forward priority filter; policy accept;
                counter packets 0 bytes 0 drop
        }

        chain OUTPUT {
                type filter hook output priority filter; policy accept;
                counter packets 11 bytes 944 accept
        }
}
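The two variants above (policy drop versus policy accept with a trailing counter drop) behave the same only because the last rule is an unconditional drop; remove or reorder that rule and the chain fails open. The following is an added example, not part of the original post, written to audit a captured `nft list ruleset` listing for exactly that: it parses the text format shown on this page, works out each chain's effective default verdict, and reports input/forward chains whose default is not drop, plus the case where only the `ip` (IPv4) family filters input so IPv6 is not covered. The sample listings embedded in it are constructed from the listings on this page; the function and class names are my own.

```python
"""Audit `nft list ruleset` text for filter chains that fail open.
Added example; the sample listings below are constructed from the post."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# The `type ... hook ... priority ...; [policy ...;]` line of a base chain.
TYPE_RE = re.compile(r"type (\w+) hook (\w+) priority ([\w-]+);(?: policy (\w+);)?")
# `counter`, with or without the live packet/byte figures nft prints.
COUNTER_RE = re.compile(r"\bcounter(?: packets \d+ bytes \d+)?\b")
# A trailing `comment "..."` on a rule.
COMMENT_RE = re.compile(r'\s+comment\s+"[^"]*"$')


@dataclass
class Chain:
    family: str
    table: str
    name: str
    hook: Optional[str] = None
    policy: Optional[str] = None
    rules: list = field(default_factory=list)

    def effective_default(self) -> str:
        """Verdict for a packet matching no earlier rule: an unconditional final
        rule wins, otherwise the chain policy (nftables defaults to accept)."""
        if self.rules and self.rules[-1] in ("accept", "drop", "reject"):
            return self.rules[-1]
        return self.policy or "accept"


def parse_ruleset(text: str) -> list:
    """Parse the text emitted by `nft list ruleset` into Chain objects."""
    chains, current, family, table = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"table (\w+) (\w+) \{", line):
            family, table = m.group(1), m.group(2)
        elif m := re.match(r"chain (\w+) \{", line):
            current = Chain(family, table, m.group(1))
            chains.append(current)
        elif line == "}":
            current = None  # closes a chain or a table
        elif current is None:
            continue
        elif m := TYPE_RE.match(line):
            current.hook, current.policy = m.group(2), m.group(4)
        else:
            # Normalise a rule: strip comment and counter noise so that
            # `counter packets 0 bytes 0 drop` compares equal to `drop`.
            rule = COUNTER_RE.sub("", COMMENT_RE.sub("", line))
            current.rules.append(" ".join(rule.split()))
    return chains


def audit(chains: list) -> list:
    """Findings for fail-open input/forward chains and for an IPv4-only filter."""
    findings = []
    for c in chains:
        if c.hook in ("input", "forward") and c.effective_default() != "drop":
            findings.append(f"{c.family} {c.table} {c.name}: {c.hook} hook fails open "
                            f"(effective default {c.effective_default()})")
    input_families = {c.family for c in chains if c.hook == "input"}
    if "ip" in input_families and not input_families & {"inet", "ip6"}:
        findings.append("only the ip family filters input: IPv6 traffic is not covered")
    return findings


# Constructed sample 1: the stock default ruleset, everything policy accept.
DEFAULT_RULESET = """\
table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
        }
        chain forward {
                type filter hook forward priority filter; policy accept;
        }
        chain output {
                type filter hook output priority filter; policy accept;
        }
}
"""

# Constructed sample 2: the counting variant, policy accept with a trailing drop.
COUNTED_RULESET = """\
table ip filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
                iifname "lo" accept comment "Accept loopback interface"
                ct state established,related counter packets 8 bytes 944 accept comment "Accept established or related packets"
                ct state invalid counter packets 0 bytes 0 drop comment "Drop invalid packets"
                icmp type echo-request counter packets 0 bytes 0 accept comment "Accept incoming ICMP"
                tcp dport 22 counter packets 0 bytes 0 accept comment "Accept incoming SSH"
                counter packets 0 bytes 0 drop
        }
        chain FORWARD {
                type filter hook forward priority filter; policy accept;
                counter packets 0 bytes 0 drop
        }
}
"""

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_RULESET), ("counted", COUNTED_RULESET)):
        print(label, audit(parse_ruleset(text)) or ["no findings"])
```

Feeding the real output of `sudo nft list ruleset` into `parse_ruleset` gives the same report for a live host. Before loading an edited file with `nft -f`, `nft -c -f /path/to/file` checks it for syntax errors without touching the running ruleset.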