NFTABLES Firewall
This is not a guide, just a simple note to be able to give a link as an answer to a question :)
Requirements
Install the nftables package. It is recommended to install iptables-nft instead: iptables-nft automatically removes iptables and provides an implementation of the iptables command that maps its rules onto nftables.
For more information, see here.
nftables config
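#!/usr/sbin/nft -f
# Host firewall, IPv4 only. Both the input and the output hook drop by
# default; egress is limited to DNS, NTP and package repositories whose
# addresses are kept in named sets. The NTP and repository sets are empty
# here and are filled at runtime by an external script (nft-list-update).
flush ruleset
table ip firewall {
    # IPs of the DNS servers this host is allowed to query
    # (public DNS, local DNS or VPC DNS IPs)
    set allowed-dns-servers {
        type ipv4_addr
        elements = { 1.1.1.1, 8.8.8.8 }
    }
    # IPs / networks allowed to open SSH sessions
    # TODO: add your network/ip
    # "flags interval" is required as soon as the set holds a prefix
    # or a range instead of single addresses
    set allowed-ssh-clients {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8 }
    }
    # Resolved IPs of the NTP servers listed in /etc/systemd/timesyncd.conf
    # Populated and refreshed periodically by an external script
    set allowed-ntp-servers {
        type ipv4_addr
    }
    # Resolved IPs of the package repository mirrors
    # (/etc/pacman.conf, or /etc/apt/sources.list on Debian-based systems)
    # Populated and refreshed periodically by an external script
    set allowed-repos {
        type ipv4_addr
    }
    # Input chain rules [drop by default]
    chain fw_input {
        type filter hook input priority filter; policy drop;
        # Allow any packets on the loopback interface
        iifname "lo" accept
        # Drop packets carrying a loopback source address
        # that did not arrive on the loopback interface
        ip saddr 127.0.0.0/8 drop
        # Drop packets conntrack cannot associate with a valid flow
        ct state invalid drop
        # Limit ICMP to one packet per second
        ip protocol icmp limit rate over 1/second drop
        # Limit new SSH connections to 10 per minute
        tcp dport 22 ct state new limit rate over 10/minute drop
        # Allow traffic belonging to existing connections; needed so that
        # applying the ruleset does not cut established sessions
        # (including the SSH session used to apply it)
        ct state established,related accept
        # Allow incoming ping
        icmp type echo-request accept
        # Allow SSH only from the clients in the set
        ip saddr @allowed-ssh-clients tcp dport 22 accept
        # Allow incoming TCP connections to ports 80 and 443
        # TODO: adjust the port list to the services this host exposes
        tcp dport { 80, 443 } accept
    }
    # Output chain rules [drop by default]
    chain fw_output {
        type filter hook output priority filter; policy drop;
        # Allow any packets on the loopback interface
        oifname "lo" accept
        # Allow traffic belonging to existing connections (see fw_input)
        ct state established,related accept
        # Allow outgoing ping; replies to incoming pings are already
        # covered by the established/related rule above
        icmp type echo-request accept
        # Allow DNS queries (TCP and UDP) only to the allowed servers
        ip daddr @allowed-dns-servers meta l4proto { tcp, udp } th dport 53 accept
        # Allow NTP (TCP and UDP) only to the allowed servers
        ip daddr @allowed-ntp-servers meta l4proto { tcp, udp } th dport 123 accept
        # Allow HTTP and HTTPS to the repository mirrors; the update script
        # collects both http:// and https:// mirror hosts, so 443 is needed too
        ip daddr @allowed-repos tcp dport { 80, 443 } accept
    }
}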
Dynamically updating nftables allow lists#
/usr/bin/nft-list-update#
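#!/bin/bash
# Refresh the nftables allow-list sets that hold resolved IPv4 addresses:
#   allowed-repos        <- hosts of the Server= URLs in /etc/pacman.conf
#                           (and in the files it Include=s)
#   allowed-ntp-servers  <- NTP= and FallbackNTP= in /etc/systemd/timesyncd.conf
# Meant to run as root from nft-list-update.service / nft-list-update.timer.
#
# The sets are filled from plain DNS answers, so whoever controls the
# configured resolvers also controls which destinations the egress policy
# allows; keep allowed-dns-servers in the ruleset trustworthy.

# Resolve the hostnames given on stdin (whitespace separated) and print
# their IPv4 addresses, one per line. `dig +short` also prints CNAME
# targets and diagnostic lines, so only dotted quads are kept; the
# original script pushed raw dig output straight into nft.
resolve_ipv4() {
    xargs -r dig +short | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Replace the contents of set $1 (table ip firewall) with the IPv4
# addresses read from stdin. Flush and add are fed to a single `nft -f`
# run, i.e. one atomic transaction: old entries stop being allowed at the
# same instant the new ones become allowed, and addresses that are no
# longer configured do not keep accumulating between runs (the original
# only ever added). An empty result simply leaves the set flushed.
replace_set() {
    local set_name=$1
    local elements
    elements=$(sort -u | paste -sd, -)
    {
        echo "flush set ip firewall ${set_name}"
        if [ -n "${elements}" ]; then
            echo "add element ip firewall ${set_name} { ${elements} }"
        fi
    } | nft -f -
}

# Pacman mirrors: follow the Include= files and take the host part of
# every Server= URL (http or https). \K is used instead of a lookbehind
# because `\s*` makes a lookbehind variable-length, which PCRE rejects.
grep -oP '^Include\s*=\s*\K.+$' /etc/pacman.conf | sort -u \
    | xargs -r grep -ohP '^Server\s*=\s*https?://\K[^/]*' \
    | resolve_ipv4 | replace_set allowed-repos

# NTP servers: primary and fallback lists in one pass.
grep -oP '^(NTP|FallbackNTP)=\K.+$' /etc/systemd/timesyncd.conf \
    | resolve_ipv4 | replace_set allowed-ntp-servers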
/etc/systemd/system/nft-list-update.service#
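# Populates the nftables allow-list sets by running /usr/bin/nft-list-update.
# Runs once at boot (WantedBy=multi-user.target) and is re-triggered every
# hour by nft-list-update.timer.
[Unit]
Description=nftables list update service
# The script adds elements to sets defined by the nftables ruleset, so the
# ruleset must be loaded first. Requires= alone does not order the units;
# After=nftables.service is what guarantees the sets exist at ExecStart.
Requires=nftables.service
After=nftables.service
# Enabling this service also pulls in the hourly timer.
Wants=nft-list-update.timer
# The script resolves hostnames via DNS, so wait for actual connectivity
# (network-online.target) rather than only for the stack being configured.
Wants=network-online.target
After=network.target network-online.target
[Service]
Type=oneshot
ExecStart=/usr/bin/nft-list-update
StandardOutput=journal
# The script only talks to DNS and to nftables over netlink; it has no
# reason to write to the filesystem or to see home directories.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
[Install]
WantedBy=multi-user.target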
/etc/systemd/system/nft-list-update.timer#
# Hourly trigger for nft-list-update.service.
[Unit]
Description=nftables list update timer
# Tie the timer to the firewall: without nftables.service the sets the
# update script fills do not exist.
Requires=nftables.service
[Timer]
Unit=nft-list-update.service
# Fires at the top of every hour. The service also runs once at boot via
# its own [Install] section, so a fresh boot does not wait for the first tick.
OnCalendar=hourly
[Install]
WantedBy=timers.target