Differences

This shows you the differences between two versions of the page.

linux_router:nftables [2024-09-21 Sat wk38 20:18] – [Sample NFTables configuration] baumkp
linux_router:nftables [2025-03-02 Sun wk09 15:31] (current) – [NFTables Configuration] baumkp
Line 1: Line 1:
 {{tag>linux router NFtables firewall}} {{tag>linux router NFtables firewall}}
 =====NFTables Configuration===== =====NFTables Configuration=====
-The best reference for nftables is at the dedicated wiki [[https://wiki.nftables.org/|wiki nftables]]. Some other references I found [[https://gist.github.com/wolfhechel/db7ed3be31feb104752e|nftables router]]. The reference at stosb is good, but not for a router [[https://stosb.com/blog/explaining-my-configs-nftables/|Explaining My Configs: nftables]].+The best reference for nftables is at the dedicated wiki [[https://wiki.nftables.org/|wiki nftables]]. Some other references I found [[https://gist.github.com/wolfhechel/db7ed3be31feb104752e|nftables router]]. The reference at stosb is good, but not for a router [[https://stosb.com/blog/explaining-my-configs-nftables/|Explaining My Configs: nftables]]. [[https://blog.programster.org/nftables-cheatsheet|Nftables Cheatsheet]]
  
 After a lot of experimenting the following is my NFTables router configuration file. Create the following file called: "router.nft". After a lot of experimenting the following is my NFTables router configuration file. Create the following file called: "router.nft".
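Review bot: the [[https://blog.programster.org/nftables-cheatsheet|Nftables Cheatsheet]] link added at the end of the first paragraph is a bare link with no sentence saying what it is for, unlike the other three references, which each carry a short description. Suggest giving it one, e.g. ''A quick command summary is the [[https://blog.programster.org/nftables-cheatsheet|Nftables Cheatsheet]].'' Also, ''Some other references I found'' has no verb on either side; ''Another reference I found useful is the ...'' would read cleanly.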
Line 9: Line 9:
   * ''sudo sysctl net.ipv4.ip_forward=1'' to set or =0 turn off   * ''sudo sysctl net.ipv4.ip_forward=1'' to set or =0 turn off
   * ''sudo sysctl net.ipv6.conf.all.forwarding=1'' similar for ipv6    * ''sudo sysctl net.ipv6.conf.all.forwarding=1'' similar for ipv6 
 +Also make permanent in ''/etc/sysctl.conf'', by ensuring ''net.ipv4.ip_forward = 1'' is indicated not commented
 ====iptables==== ====iptables====
 It is not a good idea to have both iptables and nftables rules setup at the same time. It is not a good idea to have both iptables and nftables rules setup at the same time.
-  *To check existing iptables rules: ''sudo iptables -S'', the output should be as floows, indicating no restrictions: +  *To check existing iptables rules: ''sudo iptables -S'', the output should be as follows, indicating no restrictions: 
-<code>-P INPUT ACCEPT+<code text>-P INPUT ACCEPT
 -P FORWARD ACCEPT -P FORWARD ACCEPT
 -P OUTPUT ACCEPT</code> -P OUTPUT ACCEPT</code>
 +  *The iptables rules can be flushed with ''sudo iptables -F''.
  
 ====Sample NFTables configuration==== ====Sample NFTables configuration====
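Review bot: the added bullet ''sudo iptables -F'' needs a caveat: ''-F'' only flushes the chains of the filter table, so the nat and mangle tables are untouched, the chain policies set with ''-P'' are kept, and ip6tables rules are a separate ruleset. If the intent is a clean slate before nftables takes over, the bullet should say so, e.g. ''sudo iptables -F; sudo iptables -t nat -F; sudo ip6tables -F'' (or disable the iptables service). Separately, the added ''/etc/sysctl.conf'' line only covers ''net.ipv4.ip_forward = 1'', while the bullet directly above it also sets ''net.ipv6.conf.all.forwarding=1''; the persistent setting should mention both keys, otherwise IPv6 forwarding is lost on reboot.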
Line 292: Line 294:
  
 Some key related commands: Some key related commands:
-  *To load a nft configuration file: ''sudo nft -f /etc/nftables.conf'' (not used for start configuration) (was router.nft?)+  *To load a nft configuration file: ''sudo nft -f /etc/nftables.conf'' (not used for start configuration) (was router.nft? 
 +    *Another option is to restart the nftables systemd service, ''sudo systemctl restart nftables.service'' 
 +  *To test the configuration after modification ''sudo nft -c -f /etc/nftables.conf'', it will list errors in the configuration file, no errors will report blank.
   *The nftables configuration file can be made into an executable script as follows.   *The nftables configuration file can be made into an executable script as follows.
      *Add the following at the top of the file:      *Add the following at the top of the file:
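Review bot: the added test bullet ''sudo nft -c -f /etc/nftables.conf'' is placed after the load and restart bullets, but it is the step to run before either of them; moving it above ''To load a nft configuration file'' makes the procedure read in order. The new restart bullet also deserves a note that ''systemctl restart nftables.service'' stops the service first, and Debian's packaged unit runs ''nft flush ruleset'' on stop, so there is a brief window with no rules loaded; ''systemctl reload nftables.service'' or ''sudo nft -f /etc/nftables.conf'' re-applies the file without that gap, provided the file starts with ''flush ruleset'' so rules are not duplicated on each load. Minor: the new side drops the closing parenthesis after ''(was router.nft?''.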