Differences

This shows you the differences between two versions of the page.

linux_router:nftables [2024-06-16 Sun wk24 12:03] – [Router Configuration] baumkplinux_router:nftables [2025-03-02 Sun wk09 15:31] (current) – [NFTables Configuration] baumkp
Line 1: Line 1:
 {{tag>linux router NFtables firewall}} {{tag>linux router NFtables firewall}}
 =====NFTables Configuration===== =====NFTables Configuration=====
-====Router Configuration==== +The best reference for nftables is at the dedicated wiki [[https://wiki.nftables.org/|wiki nftables]]. Some other references I found [[https://gist.github.com/wolfhechel/db7ed3be31feb104752e|nftables router]]. The reference at stosb is good, but not for a router [[https://stosb.com/blog/explaining-my-configs-nftables/|Explaining My Configs: nftables]]. [[https://blog.programster.org/nftables-cheatsheet|Nftables Cheatsheet]]
-A router performs the following key features: +
-  - A gateway between different network areas +
-    - Restrict network traffic +
-    - Forward Network traffic +
-    - Track network traffic, allows traffic incoming only if response to out going (one way traffic) This is primary firewall action and primary security action! This is often confused with NAT, NAT is additional to this! +
-  - NAT (Network Address Translation) is basically mandatory for IPv4 due to limited address space and optional for IPv6 +
-    - NAT obfuscates Local IP addresses behind public addressable WAN IP address(es).  This obfuscation arguably provides some security. The key security is the restriction of gateway traffic into the LAN. See interesting notes on this from [[https://www.grc.com/nat/nat.htm|GRC NAT Router Security Solutions]], note that I do not necessarily agree with NAT being a primary security function. +
-    - NAT obfuscation wrecks simple end to end IP addressing that is required for some services, e.g. VoIP.  This requires additional services to compensate, e.g. STUN/TURN services. +
-Key networks services, such as DNS and DHCP are separate functions that a router may perform, although correct router setup is required to allow these services to function. +
- +
-The best reference for nftables is at the dedicated wiki [[https://wiki.nftables.org/|wiki nftables]]. Some other references I found [[https://gist.github.com/wolfhechel/db7ed3be31feb104752e|nftables router]]. The reference at stosb is good, but not for a router [[https://stosb.com/blog/explaining-my-configs-nftables/|Explaining My Configs: nftables]].+
  
 After a lot of experimenting the following is my NFTables router configuration file. Create the following file called: "router.nft". After a lot of experimenting the following is my NFTables router configuration file. Create the following file called: "router.nft".
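Review bot: the removed Router Configuration block carried the one security statement the rest of this page relies on, that connection tracking (allowing inbound traffic only when it answers outbound traffic) is the primary firewall function and that NAT is separate from it; if that text moved to another page, add a link to it here so a reader of the nftables rules still sees why the state rules matter. The reference sentence also reads as a fragment ('Some other references I found [[...]]'), and the newly added Nftables Cheatsheet link has no descriptive text; suggest 'Some other references I found: ...' and a few words on what the cheatsheet covers.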
Line 20: Line 9:
   * ''sudo sysctl net.ipv4.ip_forward=1'' to set or =0 turn off   * ''sudo sysctl net.ipv4.ip_forward=1'' to set or =0 turn off
   * ''sudo sysctl net.ipv6.conf.all.forwarding=1'' similar for ipv6    * ''sudo sysctl net.ipv6.conf.all.forwarding=1'' similar for ipv6 
 +Also make permanent in ''/etc/sysctl.conf'', by ensuring ''net.ipv4.ip_forward = 1'' is indicated not commented
 +====iptables====
 +It is not a good idea to have both iptables and nftables rules setup at the same time.
 +  *To check existing iptables rules: ''sudo iptables -S'', the output should be as follows, indicating no restrictions:
 +<code text>-P INPUT ACCEPT
 +-P FORWARD ACCEPT
 +-P OUTPUT ACCEPT</code>
 +  *The iptables rules can be flushed with ''sudo iptables -F''.
 +
 ====Sample NFTables configuration==== ====Sample NFTables configuration====
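Review bot: the new persistence line only covers IPv4; since the bullet above also enables ''net.ipv6.conf.all.forwarding=1'', the matching ''net.ipv6.conf.all.forwarding = 1'' entry is needed in ''/etc/sysctl.conf'' as well, otherwise IPv6 forwarding is lost on reboot. In the added iptables section, ''sudo iptables -S'' and ''sudo iptables -F'' act on the filter table only; the nat and mangle tables need ''-t nat'' / ''-t mangle'' to list or flush, and ''-F'' leaves the chain policies untouched, so a DROP policy would still block traffic after a flush (check the ''-P'' lines from ''-S'' before flushing on a remote box). It is also worth stating whether the machine uses iptables-legacy or iptables-nft (''iptables -V'' shows which), since iptables-nft rules live in the same nf_tables backend and appear in ''nft list ruleset'', which is exactly the mixed-rules situation the section warns against.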
  
Line 296: Line 294:
  
 Some key related commands: Some key related commands:
-  *To load a nft configuration file: ''sudo nft -f /etc/nftables.conf'' (not used for start configuration) (was router.nft?)+  *To load a nft configuration file: ''sudo nft -f /etc/nftables.conf'' (not used for start configuration) (was router.nft? 
 +    *Another option is to restart the nftables systemd service, ''sudo systemctl restart nftables.service'' 
 +  *To test the configuration after modification ''sudo nft -c -f /etc/nftables.conf'', it will list errors in the configuration file, no errors will report blank.
   *The nftables configuration file can be made into an executable script as follows.   *The nftables configuration file can be made into an executable script as follows.
      *Add the following at the top of the file:      *Add the following at the top of the file:
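Review bot: the new bullet about ''sudo systemctl restart nftables.service'' should say why it is preferable to a second ''sudo nft -f /etc/nftables.conf'': ''nft -f'' appends to the running ruleset unless the file starts with ''flush ruleset'', so loading it twice duplicates every rule. Suggest stating that the file begins with ''flush ruleset'' (or that the service restart is the safe way to reload). The ''sudo nft -c -f'' bullet should also note that ''-c'' checks syntax and object references only and does not prove the rules behave as intended. Finally, the right-hand side of the first bullet loses the closing parenthesis after ''(was router.nft?''.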