Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
linux_router:nftables [2021-06-30 Wed wk26 20:17] – [Sample NFTables configuration] baumkplinux_router:nftables [2025-03-02 Sun wk09 15:31] (current) – [NFTables Configuration] baumkp
Line 1: Line 1:
 {{tag>linux router NFtables firewall}} {{tag>linux router NFtables firewall}}
 =====NFTables Configuration===== =====NFTables Configuration=====
- +The best reference for nftables is at the dedicated wiki [[https://wiki.nftables.org/|wiki nftables]]. Some other references I found [[https://gist.github.com/wolfhechel/db7ed3be31feb104752e|nftables router]]. The reference at stosb is good, but not for a router [[https://stosb.com/blog/explaining-my-configs-nftables/|Explaining My Configs: nftables]]. [[https://blog.programster.org/nftables-cheatsheet|Nftables Cheatsheet]]
-The best reference for nftables is at the dedicated wiki [[https://wiki.nftables.org/|wiki nftables]]. Some other references I found [[https://gist.github.com/wolfhechel/db7ed3be31feb104752e|nftables router]]. The reference at stosb is good, but not for a router [[https://stosb.com/blog/explaining-my-configs-nftables/|Explaining My Configs: nftables]].+
  
 After a lot of experimenting the following is my NFTables router configuration file. Create the following file called: "router.nft". After a lot of experimenting the following is my NFTables router configuration file. Create the following file called: "router.nft".
 +
 +Dont forget to ensure the router is allowed to forward packets:
 +  * ''sudo sysctl net.ipv4.ip_forward'' to check
 +  * ''sudo sysctl net.ipv4.ip_forward=1'' to set or =0 turn off
 +  * ''sudo sysctl net.ipv6.conf.all.forwarding=1'' similar for ipv6 
 +Also make permanent in ''/etc/sysctl.conf'', by ensuring ''net.ipv4.ip_forward = 1'' is indicated not commented
 +====iptables====
 +It is not a good idea to have both iptables and nftables rules setup at the same time.
 +  *To check existing iptables rules: ''sudo iptables -S'', the output should be as follows, indicating no restrictions:
 +<code text>-P INPUT ACCEPT
 +-P FORWARD ACCEPT
 +-P OUTPUT ACCEPT</code>
 +  *The iptables rules can be flushed with ''sudo iptables -F''.
 +
 ====Sample NFTables configuration==== ====Sample NFTables configuration====
  
Line 17: Line 30:
   * Another option would be to use ''sudo nmap -sn 192.168.1.0/24'' to find all the related active ip address ip range.   * Another option would be to use ''sudo nmap -sn 192.168.1.0/24'' to find all the related active ip address ip range.
  </color>++ \\   </color>++ \\ 
-<tab3>define <color red>wan = ppp1</color><color blue> #definition of wan device label</color>\\ +<tab3>define <color red>wan = eno1</color><color blue> #definition of wan device label, setup as ppp1 for pppoe</color>\\ 
 <tab3>define <color red>modem = eno1</color><color blue> #definition of modem device label</color>\\  <tab3>define <color red>modem = eno1</color><color blue> #definition of modem device label</color>\\ 
 <tab3>define <color red>lan = br0</color><color blue> #definition of lan device label</color>\\ <tab3>define <color red>lan = br0</color><color blue> #definition of lan device label</color>\\
 +<tab3>define <color red>lan_ip4 = 192.168.1.0/24</color><color blue> #definition of lan IPV4 range</color>\\
 <tab3>define <color red>router_ip4 = 192.168.1.1</color><color blue> #definition of router IPv4 address</color>\\  <tab3>define <color red>router_ip4 = 192.168.1.1</color><color blue> #definition of router IPv4 address</color>\\ 
 <tab3>define <color red>modem_ip = 192.168.5.2</color><color blue> #definition of modem IPv4 address</color> ++ | \\ + <color  <tab3>define <color red>modem_ip = 192.168.5.2</color><color blue> #definition of modem IPv4 address</color> ++ | \\ + <color 
Line 146: Line 160:
 <tab9>\\  <tab9>\\ 
 <tab9><color blue>       # everything else reject port unreachable</color> \\  <tab9><color blue>       # everything else reject port unreachable</color> \\ 
-<tab9>       ct state new counter reject ++ | \\ + <color #202000/#F0F0E0> Any other new packets coming to the filter input are unknow and should be dropped or rejected. Dropped means the packet is simply ignored and not further proceesed.  Reject means the packet is ignored and not further procees and a ICMP(v4 or v6) host-unreachable message is returned to the source. See wiki.nftables <tab1> [[https://wiki.nftables.org/wiki-nftables/index.php/Rejecting_traffic| Rejecting traffic]] for more information. </color>++\\ +<tab9>       ct state new counter reject ++ | \\ + <color #202000/#F0F0E0> Any other new packets coming to the filter input are unknown and should be dropped or rejected. Dropped means the packet is simply ignored and not further processed.  Reject means the packet is ignored and not further processed and a ICMP(v4 or v6) host-unreachable message is returned to the source. See wiki.nftables <tab1> [[https://wiki.nftables.org/wiki-nftables/index.php/Rejecting_traffic| Rejecting traffic]] for more information. </color>++\\ 
 <tab6>    }\\  <tab6>    }\\ 
 <tab6>\\  <tab6>\\ 
Line 156: Line 170:
 <tab9>       ip saddr @controllist counter drop\\  <tab9>       ip saddr @controllist counter drop\\ 
 <tab9>\\  <tab9>\\ 
-<tab9><color blue>       #limit the IP address range bandwidth using WAN</color> ++ | \\ +<color #202000/#F0F0E0> This is a simple form of traffic control. My DHCP / DNS place critical IP address in the 192.168.1.1 to 99 range, other equipment is automatically assigned in the 100-254 range.  The chains below then limit traffic speed into / out of these IP addresses. This has been separately described in detail at the following link: [[linux_router:nftables_control#Limit Rate on IP Address Range]]   </color> ++ \\  +<tab9><color blue>       #limit the IP address range bandwidth using WAN</color> ++ | \\ +<color #202000/#F0F0E0> This is a simple form of traffic control. My DHCP / DNS place critical IP address in the 192.168.1.1 to 99 range, other equipment is automatically assigned in the 100-200 range.  The chains below then limit traffic speed into / out of these IP addresses. This has been separately described in detail at the following link: [[linux_router:nftables_control#Limit Rate on IP Address Range]]   </color> ++ \\  
-<tab9>       iifname <color red>$wan</color> ip daddr { 192.168.1.100-192.168.1.254 } limit rate over 1300kbytes/second burst 3000kbytes counter drop\\  +<tab9>       iifname <color red>$wan</color> ip daddr { 192.168.1.100-192.168.1.200 } limit rate over 1300kbytes/second burst 3000kbytes counter drop\\  
-<tab9>       oifname <color red>$wan</color> ip saddr { 192.168.1.100-192.168.1.254 } limit rate over 750kbytes/second burst 1200kbytes counter drop\\ +<tab9>       oifname <color red>$wan</color> ip saddr { 192.168.1.100-192.168.1.200 } limit rate over 750kbytes/second burst 1200kbytes counter drop\\ 
 <tab9>\\  <tab9>\\ 
-<tab9><color #000060/#F0F0FF>       #oifname </color><color #060000/#FFF0F0>$wan</color><color #000060/#F0F0FF> tcp flags syn tcp option maxseg size set rt mtu</color>\\  +<tab9>       oifname <color red>$wan</color> tcp flags syn tcp option maxseg size set rt mtu <color blue> # This automatically set the tcp mtu</color>\\  
-<tab9>       oifname <color red>$wan</color> tcp flags syn tcp option maxseg size set 1452 counter\\  +<tab9><color #000060/#F0F0FF>       #oifname </color><color #060000/#FFF0F0>$wan</color><color #000060/#F0F0FF> tcp flags syn tcp option maxseg size set 1452 counter</color>  <color blue # This set the tcp mtu directly to a maximum value</color>\\  
 <tab6>\\ <tab6>\\
 <tab6><color blue>       # In general forward filter drops and limits list should be placed above here here</color> ++ | \\ + <color #202000/#F0F0E0>Position of rules is important in chains. Once a chain rule accepts, drops or rejects a packet subsequent chain rules are no longer processed!)</color>++ \\  <tab6><color blue>       # In general forward filter drops and limits list should be placed above here here</color> ++ | \\ + <color #202000/#F0F0E0>Position of rules is important in chains. Once a chain rule accepts, drops or rejects a packet subsequent chain rules are no longer processed!)</color>++ \\ 
Line 241: Line 255:
 <tab9><color blue>       # dnat - direct allowed by port number wan incoming services to correct lan server ip.</color>\\  <tab9><color blue>       # dnat - direct allowed by port number wan incoming services to correct lan server ip.</color>\\ 
 <tab9>       ip daddr <color red>$wan_ip4</color> tcp dport {http, https} counter dnat to <color red>$http_server</color> ++ | \\ + <color #202000/#F0F0E0> Incoming WAN packets to the http or https ports are preroute dnat to the webserver IP address.</color>++\\  <tab9>       ip daddr <color red>$wan_ip4</color> tcp dport {http, https} counter dnat to <color red>$http_server</color> ++ | \\ + <color #202000/#F0F0E0> Incoming WAN packets to the http or https ports are preroute dnat to the webserver IP address.</color>++\\ 
-<tab9>       ip daddr <color red>$wan_ip4</color> tcp dport {pop3s, imaps, smtp} counter dnat to <color red>$mail_server</color> ++ | \\ + <color #202000/#F0F0E0> Incoming WAN packets to the mail ports, pop3s, imaps or smtp ports are preroute dnat to the mail server IP address.</color>++\\ +<tab9>       ip daddr <color red>$wan_ip4</color> tcp dport { pop3s, imaps, imap2, smtp, submission, submissions } counter dnat to <color red>$mail_server</color> ++ | \\ + <color #202000/#F0F0E0> Incoming WAN packets to the mail ports, pop3s, imaps or smtp ports are preroute dnat to the mail server IP address.</color>++\\ 
 <tab9>       ip daddr <color red>$wan_ip4</color> udp dport <color red>$vpn_port</color> counter dnat to <color red>$vpn_ip4</color>  ++ | \\ + <color #202000/#F0F0E0> Incoming WAN packets to the VPN port are preroute dnat to the VPN IP address.</color>++\\  <tab9>       ip daddr <color red>$wan_ip4</color> udp dport <color red>$vpn_port</color> counter dnat to <color red>$vpn_ip4</color>  ++ | \\ + <color #202000/#F0F0E0> Incoming WAN packets to the VPN port are preroute dnat to the VPN IP address.</color>++\\ 
 <tab6>    }\\  <tab6>    }\\ 
Line 249: Line 263:
 <tab9> \\  <tab9> \\ 
 <tab9><color blue>      #Allow internal clients to correctly see external address "hairpin dnat"</color>   ++ | \\ + <color #202000/#F0F0E0> Hairpin nat is dicussed in greater death at [[https://wiki.kptree.net/doku.php?id=linux_router:nftables#hairpin_nat|hairpin nat]].</color>++\\  <tab9><color blue>      #Allow internal clients to correctly see external address "hairpin dnat"</color>   ++ | \\ + <color #202000/#F0F0E0> Hairpin nat is dicussed in greater death at [[https://wiki.kptree.net/doku.php?id=linux_router:nftables#hairpin_nat|hairpin nat]].</color>++\\ 
-<tab9>       ip saddr 192.168.1.0/24 ip daddr <color red>$http_server</color> tcp dport {http, https} counter snat <color red>$router_ip4</color>\\  +<tab9>       ip saddr <color red>$lan_ip4</color> ip daddr <color red>$http_server</color> tcp dport { http, https } counter snat <color red>$router_ip4</color>\\  
-<tab9>       ip saddr 192.168.1.0/24 ip daddr <color red>$mail_server</color> tcp dport {http, https, pop3s, imaps, smtp} counter snat <color red>$router_ip4</color>\\ +<tab9>       ip saddr <color red>$lan_ip4</color> ip daddr <color red>$mail_server</color> tcp dport { http, https, pop3s, imap2, imaps, smtp, submission, submissions } counter snat <color red>$router_ip4</color>\\ 
 <tab9>\\  <tab9>\\ 
 <tab9><color blue>      #Standard postrouting nat</color>  ++ | \\ + <color #202000/#F0F0E0> The examples below show different levels of granularity in control.</color>++\\ <tab9><color blue>      #Standard postrouting nat</color>  ++ | \\ + <color #202000/#F0F0E0> The examples below show different levels of granularity in control.</color>++\\
 <tab9><color #000060/#F0F0FF>       #oifname </color><color #060000/#FFF0F0>$modem</color><color #000060/#F0F0FF> counter masquerade  #needed with dynamic wan ip address</color>\\  <tab9><color #000060/#F0F0FF>       #oifname </color><color #060000/#FFF0F0>$modem</color><color #000060/#F0F0FF> counter masquerade  #needed with dynamic wan ip address</color>\\ 
-<tab9>       ip saddr <color red>$lan_ip4</color> oifname <color red>$modem</color> counter snat <color red>$modem_ip</color>\\  +<tab9>       ip saddr <color red>$lan_ip4</color> ip daddr <color red>$modem_ip4</color> counter snat <color red>$modem_ip</color>\\  
-<tab9>       ip saddr <color red>$vpn_ip</color> oifname <color red>$modem</color> counter snat <color red>$modem_ip</color>\\ +<tab9>       ip saddr <color red>$vpn_ip</color> ip daddr <color red>$modem_ip4</color> counter snat <color red>$modem_ip</color>\\ 
 <tab9><color #000060/#F0F0FF>       #oifname </color><color #060000/#FFF0F0>$wan</color><color #000060/#F0F0FF> counter masquerade #needed with dynamic wan ip address</color>\\  <tab9><color #000060/#F0F0FF>       #oifname </color><color #060000/#FFF0F0>$wan</color><color #000060/#F0F0FF> counter masquerade #needed with dynamic wan ip address</color>\\ 
 <tab9>       ip saddr <color red>$lan_ip4</color> oifname <color red>$wan</color> counter snat <color red>$wan_ip4</color>\\  <tab9>       ip saddr <color red>$lan_ip4</color> oifname <color red>$wan</color> counter snat <color red>$wan_ip4</color>\\ 
Line 266: Line 280:
 ++++ ++++
  
 +++++mail server ports:|
 +  * smtp {25} / (smtps) submissions {465} / submission {587} - (My mail server uses smtp / submission on ports 25 / 587 respectivily)
 +  * imap {143} / imaps {993} - (My mail server uses starttls on port 143)
 +  * pop3 {110} / pop3s {995} - who still uses pop3?
 +''nft'' translates ports to service namesas defined in /etc/services
 +++++
 ===Some configuration notes=== ===Some configuration notes===
  
Line 274: Line 294:
  
 Some key related commands: Some key related commands:
-  *To load a nft configuration file: ''sudo nft -f router.nft'' (not used for start configuration)+  *To load a nft configuration file: ''sudo nft -f /etc/nftables.conf'' (not used for start configuration) (was router.nft?)  
 +    *Another option is to restart the nftables systemd service, ''sudo systemctl restart nftables.service'' 
 +  *To test the configuration after modification ''sudo nft -c -f /etc/nftables.conf'', it will list errors in the configuration file, no errors will report blank.
   *The nftables configuration file can be made into an executable script as follows.   *The nftables configuration file can be made into an executable script as follows.
      *Add the following at the top of the file:      *Add the following at the top of the file:
Line 325: Line 347:
 This only affects local networks that use NAT which is basically mandatory for IPv4 and not required for IPv6, hence unless NAT is used in a IPv6 local network hairpin. This only affects local networks that use NAT which is basically mandatory for IPv4 and not required for IPv6, hence unless NAT is used in a IPv6 local network hairpin.
  
-<fs smaller>Whilst investigating this matter commentary it was often stated that this problem is better solved using DNS. However the root cause of the problem is fundamentally NAT related. I tried the DNS solution (dual horizon DNS) in Bind9but was fundamentally unhappy with this solutionThis is not to say that Hairpin NAT is the best solution in all cases. The DNS solution may be better solution for larger organisations.</fs>+* Whilst investigating this matter'commentary it was often stated that this problem is better solved using DNS. I was some what confused by SSL certificate DNS verification, and local DNS resolution.  Then there was all the talk about dual horizon or split DNS.  Basically the certificate authority may use WAN DNS to verify ownership of web site. I need to program my domain name suppliers DNS with the certificate info and this is used to verify my control and ownership of the domain and allow issue of certificate to me.  My LAN DNS is effectively a split horizon in that LAN DNS server resolves my LAN addressesall external address are ultimately passed to the WAN for resolution, although the results may be temporarily store locally to speed up subsequent DNS queries.  If my LAN servers have valid certificates and the LAN DNS addresses used are valid then it serves the secure service reliably off the LAN. Presumably it still needs to perform CA verification of the WAN, not sure about this.  The local DNS server cannot be directly addressed from the WAN.  If a WAN incoming service passes my WAN router firewall and is correctly directed directed to the LAN server and this server has a valid certificate then this will also function using the WAN address __A LAN DNS is definitely a more elegant method to serve local content than hairpin NAT!.__  This also explains why my NFTables hairpin NAT has always been showing no usage since I first experimented.  The LAN DNS makes it unnecessary. I have recently been using Traefik in Docker container to act as my back-end server proxy and manager of certificates main and sub-domain wildcard
 \\  \\ 
 \\   \\  
 <fs:x-large; fw:bold> Diagram 1</fs> \\  <fs:x-large; fw:bold> Diagram 1</fs> \\ 
 <fs:large; fw:bold>DNAT, Simple, Hairpin, not working and Hairpin working</fs> \\  <fs:large; fw:bold>DNAT, Simple, Hairpin, not working and Hairpin working</fs> \\ 
-(Where the gateway (router) is on the network device ppp1)\\+(Where the gateway (router) is on the network WAN device)\\
      
 {{:linux_router:2rxte.png?800|}} {{:linux_router:2rxte.png?800|}}