linux_router:nftables [2023-05-09 Tue wk19 19:48] – [Hairpin NAT] baumkp | linux_router:nftables [2024-09-21 Sat wk38 20:29] (current) – [iptables] baumkp | ||
---|---|---|---|
Line 1: | Line 1: | ||
{{tag> | {{tag> | ||
=====NFTables Configuration===== | =====NFTables Configuration===== | ||
- | |||
The best reference for nftables is at the dedicated wiki [[https:// | The best reference for nftables is at the dedicated wiki [[https:// | ||
After a lot of experimenting the following is my NFTables router configuration file. Create the following file called: " | After a lot of experimenting the following is my NFTables router configuration file. Create the following file called: " | ||
+ | |||
+ | Dont forget to ensure the router is allowed to forward packets: | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | ====iptables==== | ||
+ | It is not a good idea to have both iptables and nftables rules setup at the same time. | ||
+ | *To check existing iptables rules: '' | ||
+ | <code text>-P INPUT ACCEPT | ||
+ | -P FORWARD ACCEPT | ||
+ | -P OUTPUT ACCEPT</ | ||
+ | *The iptables rules can be flushed with '' | ||
+ | |||
====Sample NFTables configuration==== | ====Sample NFTables configuration==== | ||
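Review bot: the three bullets under "Dont forget to ensure the router is allowed to forward packets" and the two inline commands in the iptables section (the `''` spans) are empty in this revision, so the reader is told neither which sysctl keys to set nor which iptables commands to run; fill in the monospace spans, and spell "Dont" as "Don't". The quoted output (`-P INPUT ACCEPT` / `-P FORWARD ACCEPT` / `-P OUTPUT ACCEPT`) lists only the default chain policies, and flushing rules leaves those policies untouched, so it is worth adding that a host whose policies were already DROP stays closed after the flush, and that the check should be re-run after flushing to confirm the rule set is actually empty before the nftables rules go live.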
Line 20: | Line 32: | ||
< | < | ||
< | < | ||
+ | < | ||
< | < | ||
< | < | ||
Line 156: | Line 169: | ||
< | < | ||
< | < | ||
- | < | + | < |
- | < | + | < |
- | < | + | < |
< | < | ||
< | < | ||
Line 241: | Line 254: | ||
< | < | ||
< | < | ||
- | < | + | < |
< | < | ||
< | < | ||
Line 249: | Line 262: | ||
< | < | ||
< | < | ||
- | < | + | < |
- | < | + | < |
< | < | ||
< | < | ||
< | < | ||
- | < | + | < |
- | < | + | < |
< | < | ||
< | < | ||
Line 266: | Line 279: | ||
++++ | ++++ | ||
+ | ++++mail server ports:| | ||
+ | * smtp {25} / (smtps) submissions {465} / submission {587} - (My mail server uses smtp / submission on ports 25 / 587 respectivily) | ||
+ | * imap {143} / imaps {993} - (My mail server uses starttls on port 143) | ||
+ | * pop3 {110} / pop3s {995} - who still uses pop3? | ||
+ | '' | ||
+ | ++++ | ||
===Some configuration notes=== | ===Some configuration notes=== | ||
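Review bot: the set or variable that is meant to hold the mail ports (the `''` line after the bullet list) is empty in this revision, so the reader cannot tie the port list to the rule that uses it; spell out the set name. "respectivily" should be "respectively". Since the server takes STARTTLS on port 143 rather than imaps on 993, the ruleset necessarily opens a port whose initial exchange is plaintext; one sentence stating that the mail server itself must require STARTTLS before accepting authentication would make that caveat explicit for anyone copying the configuration.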
Line 325: | Line 344: | ||
This only affects local networks that use NAT which is basically mandatory for IPv4 and not required for IPv6, hence unless NAT is used in a IPv6 local network hairpin. | This only affects local networks that use NAT which is basically mandatory for IPv4 and not required for IPv6, hence unless NAT is used in a IPv6 local network hairpin. | ||
- | * Whilst investigating this matter commentary it was often stated that this problem is better solved using DNS. I was some what confused by SSL certificate DNS verification, | + | * Whilst investigating this matter' |
\\ | \\ | ||
\\ | \\ |
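Review bot: the context sentence "hence unless NAT is used in a IPv6 local network hairpin." is missing its conclusion, and the rewritten bullet in the new revision breaks off after "Whilst investigating this matter'"; both should be completed so the section actually states when hairpin NAT is needed and what the DNS-based alternative the old text alluded to (together with the SSL certificate verification confusion) amounts to. "a IPv6" should be "an IPv6".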