Questions tagged [nftables]

nftables is the packet classification framework in the Linux kernel (part of netfilter) that replaces the older iptables, ip6tables, arptables and ebtables infrastructure. Its inet address family lets a single rule set apply to both IPv4 and IPv6, so a rule that should hold for both families is written once instead of twice.

Its CLI frontend tool is named nft.
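As an added example (not part of the tag wiki), a minimal stateful host firewall in the inet family, written as a file for nft -f. The interface name and the open ports are assumptions for illustration; the same rule text covers IPv4 and IPv6 packets.

```nft
#!/usr/sbin/nft -f
# Added example, not from the tag wiki. One inet-family ruleset that filters
# IPv4 and IPv6 with the same rules. Ports 22 and 443 are assumptions.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Stateful core: fast path for known flows, drop what conntrack rejects.
        ct state vmap { established : accept, related : accept, invalid : drop }

        iif "lo" accept

        # Both families need ICMP to function (PMTUD; neighbour discovery for IPv6).
        meta l4proto icmp accept
        meta l4proto ipv6-icmp accept

        # Services: one rule matches both address families.
        tcp dport { 22, 443 } ct state new accept

        # Log what the policy is about to drop, rate-limited so the log cannot be flooded.
        limit rate 5/minute log prefix "nft-input-drop: " counter
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check it without loading it with `nft -c -f firewall.nft`, then load it with `nft -f firewall.nft`. Matches that are inherently family-specific (for example `ip saddr` versus `ip6 saddr`) still have to be written per family even inside an inet table; only the family-neutral matches such as `tcp dport`, `ct state` and `meta l4proto` are shared.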


53 questions
4
votes
1 answer

How does one create an nftables rule that accepts connections from the same IPv6 subnet, when the IPv6 prefix is dynamic?

For IPv4, it is easy to create a rule that only accepts connections from hosts of the same subnet, for example (assuming my computer is 192.168.42.2, and the incoming connection is 192.168.42.20): table ip firewall { chain incoming { …
Haden
  • 43
  • 3
4
votes
1 answer

iptables / nftables: Forward UDP data to multiple targets

I need to create iptables rules for the following scenario: Different hosts send UDP data to host A. The target port is 1234. Host A (8.2.3.4) redirects the received UDP data to hosts B1 (7.2.3.1), B2 (22.93.12.3), ... Bn (12.42.1.3); the IP…
Kevin Meier
  • 153
  • 1
  • 5
3
votes
1 answer

nftables: How to get BROUTING behavior like ebtables legacy?

In ebtables, BROUTING chain in broute table has special behaviors for ACCEPT and DROP actions: ACCEPT means bridging/forward path and DROP means routing/input path. For example, to force all non-IPv6 packets to go through NAT, with the proper…
3
votes
1 answer

Linux: only allow outgoing connections to specific domains

I have a CentOS server and only want to allow outgoing connections to specific domains. (allowlist) My thought was to have a DNS proxy which adds the allowed ips (only ipv4 needed) to nftable named sets. Is there an easy solution for this…
Alai
  • 63
  • 1
  • 5
3
votes
1 answer

Match IPv6 protocol using nftables

In nftables I can use the following rule to match IPv4 UDP DNS packets. ip protocol udp udp dport 53 accept but IPv6 variant ip6 protocol udp udp dport 53 accept fails and nftables says v0001.nft:39:5-12: Error: syntax error, unexpected protocol ip6…
Misaz
  • 586
  • 3
  • 9
  • 23
3
votes
2 answers

Making routing decisions based on UID using nftables

I am trying to route packets based on the uid of the originating process. I know that PREROUTING is not hit for outgoing packets. In iptables there was a MANGLE table where you could place those rules inside the OUTPUT chain. nftables do not…
2
votes
1 answer

nftables: How to stop further chain traversal after accept verdict

Context: https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains If a packet is accepted and there is another chain, bearing the same hook type and with a later priority, then the packet will subsequently traverse this other chain.…
tushars
  • 21
  • 1
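The traversal rule quoted from the wiki above, shown as an added example (not from the question or the wiki page it cites). Two base chains sit on the same input hook with different priorities; the lower number runs first. Port 22 is an assumption.

```nft
# Added example, not from the question or the wiki it cites.
# Load ONE of the two tables below, not both: every base chain on the input
# hook is traversed, so loading both would mix their verdicts.

# Table 1: what the wiki describes. "accept" in "early" is not final.
table inet traversal_demo {
    chain early {
        type filter hook input priority -10; policy accept;
        # "accept" here only finishes THIS chain. The packet still enters
        # "late", whose rules and policy apply to it.
        tcp dport 22 accept
    }

    chain late {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        # This rule sees the SSH SYN that "early" already accepted, and
        # drop is final: the connection never comes up.
        tcp dport 22 counter drop
    }
}

# Table 2: the usual way to get an early, final decision. One base chain per
# hook dispatches to regular chains with jump; an accept reached through jump
# ends evaluation in the base chain, and no other chain is hooked there.
table inet single_base {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        jump services
        counter drop
    }

    chain services {
        tcp dport 22 accept
    }
}
```

With table 1 loaded, `nft list ruleset` shows the counter on the drop rule in `late` increasing for each SSH attempt, which is the behaviour the wiki sentence describes. Only drop is final across chains on the same hook; an accept is a decision local to the chain (or jump tree) that issued it.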
2
votes
1 answer

How do I make a stateful bridge firewall with nftables?

The nftables wiki has an example, but it doesn't seem to work for me. The page says that it should work since kernel 5.3, but it says "protocol error" when I try the exact commands from the page: # nft add table bridge filter # nft add chain bridge…
Thomas
  • 569
  • 5
  • 16
2
votes
0 answers

Safe rule applying remotely using NFT

If you have experience, could you please advise how to safely apply firewall rules remotely on Linux using nft? Particularly on Debian, we used for a long time iptables-apply(8) to safely apply remotely firewall rules to avoid locking ourselves out in…
2
votes
1 answer

Accept ip connections from address and port with already established connections

I have put in place a solution to open temporarily a port based on nft: # create the nft set nft add set ip filter SSHallowed { type ipv4_addr\; timeout 2m \;} # add the rule to the table nft insert rule ip filter INPUT ip saddr @SSHallowed tcp…
chronos
  • 135
  • 5
2
votes
0 answers

Blocking DHCP between two bridged home networks using nft

So my setup is as follows. I have two home networks and a server standing elsewhere. I'm running OpenVPN as a server, on the server to connect the two home networks into a single big network. Because I wanted everything to work transparently for all…
DerFlob
  • 86
  • 7
1
vote
1 answer

How to bypass the vpn tunnel for a single docker container using nftables?

I am trying to come up with a solution to bypass the vpn tunnel in the incoming and outgoing docker container. The VPN I'm using is Mullvad VPN and in the split tunneling section they have addressed how to exclude outgoing traffic for certain ips.…
Farhood ET
  • 111
  • 4
1
vote
1 answer

How to ban with fail2ban and nftables

I have Debian 10, Fail2Ban v0.10.6 with iptables and my filter with works. Now I have Ubuntu 22.04, Fail2Ban v0.11.2 and I try to make it work with nftables. I added only jail.local for nftables. My configuration: #…
1
vote
0 answers

Linux conntrack not seeing multicast responses as part of the same flow

My tv (192.168.1.48) is multicasting an SSDP packet (to 239.255.255.250:1900), and on my server (192.168.1.17), by running smcroute and doing some packet mangling to increase the IP TTL of this multicast packet, I can get it routed to…
j0057
  • 180
  • 1
  • 8
1
vote
1 answer

How to allow traffic over VPN across namespaces using nftables

I have a wireguard interface configured in a dedicated namespace vpn. It is configured first creating the interface in the main namespace (that has access to the physical interface routing to the Internet eno1), then moving the Wireguard interface…
rdbisme
  • 420
  • 5
  • 17