Questions tagged [nftables]

nftables is the packet filtering and classification framework in the Linux kernel (merged in 3.13) that replaces the older iptables, ip6tables, arptables and ebtables infrastructure. Its inet address family lets a single rule match both IPv4 and IPv6 traffic, so a rule that should apply to both families only has to be written once.

Its CLI frontend tool is named nft.
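The ruleset below is an added example (not taken from any question on this page) of what the description means by handling IPv4 and IPv6 with the same rules: one inet-family table whose chains filter both protocols. The interface name lo, the ports and the rate limit are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not code from this page. Assumes a single-homed host that
# serves DNS and SSH; adjust ports and the rate limit for your own host.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Loopback, connection tracking, invalid state
        iif lo accept
        ct state invalid drop
        ct state established,related accept

        # ICMP is the one place the two families differ, so it needs two rules.
        # "ip protocol" matches the IPv4 header only; for IPv6 use meta l4proto
        # (or ip6 nexthdr) - "ip6 protocol" is not valid nftables syntax.
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # Everything from here on matches IPv4 and IPv6 alike.
        meta l4proto udp udp dport 53 accept
        tcp dport 22 ct state new limit rate 10/minute accept

        # accept ends evaluation of this chain but not of other base chains
        # hooked on input with a later priority; only drop is final for the packet.
        # Whatever reaches here is dropped by the chain policy.
        counter
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Check the syntax first with nft -c -f rules.nft (parse and validate without loading), then load it with nft -f rules.nft and confirm the result with nft list ruleset.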


78 questions
7 votes, 3 answers

How does one create nftables rule that accepts connections from the same IPv6 subnet, when the IPv6 prefix is dynamic?

For IPv4, it is easy to create a rule that only accepts connections from hosts of the same subnet, for example (assuming my computer is 192.168.42.2, and the incoming connection is 192.168.42.20): table ip firewall { chain incoming { …
Haden
7 votes, 1 answer

nftables: How to stop further chain traversal after accept verdict

Context : https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains If a packet is accepted and there is another chain, bearing the same hook type and with a later priority, then the packet will subsequently traverse this other chain.…
tushars
7 votes, 1 answer

Match IPv6 protocol using nftables

In nftables I can use the following rule to match IPv4 UDP DNS packets. ip protocol udp udp dport 53 accept but IPv6 variant ip6 protocol udp udp dport 53 accept fails and nftables says v0001.nft:39:5-12: Error: syntax error, unexpected protocol ip6…
Misaz
5 votes, 1 answer

nftables: How to get BROUTING behavior like ebtables legacy?

In ebtables, BROUTING chain in broute table has special behaviors for ACCEPT and DROP actions: ACCEPT means bridging/forward path and DROP means routing/input path. For example, to force all non-IPv6 packets to go through NAT, with the proper…
Charlie Jiang
5 votes, 1 answer

iptables / nftables: Forward UDP data to multiple targets

I need to create iptables rules for the following scenario: Different hosts send UDP data to host A. The target port is 1234. Host A (8.2.3.4) redirects the received UDP data to hosts B1 (7.2.3.1), B2 (22.93.12.3), ... Bn (12.42.1.3); the IP…
4 votes, 2 answers

Making routing decisions based on UID using nftables

I am trying to route packets based on the uid of the originating process. I know that PREROUTING is not hit for outgoing packets. In iptables there was a MANGLE table where you could place those rules inside the OUTPUT chain. nftables do not…
3 votes, 0 answers

IPsec tunnel established, nmap working but unable to ping

I have this Ubuntu VM on my network which is supposed to concentrate traffic towards a VPN and route it through it. Now, what happens is (although nothing has changed in configurations, except for Ubuntu updates which might have screwed some…
3 votes, 1 answer

What is the default verdict for nftables rule?

For example: #!/usr/sbin/nft -f add table ip filter_4 add chain ip filter_4 input { type filter hook input priority filter; policy drop; } add chain ip filter_4 new_in_4 { comment "New input IPv4 traffic" } # Note it's goto not jump!…
3 votes, 1 answer

Linux: only allow outgoing connections to specific domains

I have a CentOS server and only want to allow outgoing connections to specific domains (allowlist). My thought was to have a DNS proxy which adds the allowed IPs (only IPv4 needed) to nftables named sets. Is there an easy solution for this…
Alai
2 votes, 2 answers

NFTables Doesn't Route Packets To Another Address

I am very new to this, so, sorry if I misquote something. I have a Debian 12 laptop, which has 1 Ethernet NIC (eth3) by itself and 1 USB Ethernet NIC (ethx) I bought. I connect the system as shown below: Device One --> eth3 --> Debian 12 Laptop…
2 votes, 0 answers

redirect local requests to ip to other ip (linux - e.g. debian >= 10)

I want to redirect all requests to a certain IP:port on machine A itself (for a current Debian, or rather 10/11/12) to another IP = machine B, so that requests from processes on machine A are forwarded to machine B with IP B. Machine A can reach the network of…
LeifSec
2 votes, 1 answer

How to redirect traffic from container A to container B when using the address of the external interface

Following a short/simplified diagram of my setup (sorry for the title): Internet ----- eth0 (1.2.3.4) --- br0 (10.0.0.1) | +---------------+---------------+ | …
mageta
2 votes, 1 answer

How do I make a stateful bridge firewall with nftables?

The nftables wiki has an example, but it doesn't seem to work for me. The page says that it should work since kernel 5.3, but it says "protocol error" when I try the exact commands from the page: # nft add table bridge filter # nft add chain bridge…
Thomas
2 votes, 0 answers

Should I allow IGMP traffic on my workstation, home server or a hosted VPS?

I'm new to firewall configuration and I've been reading some theory and studying example configurations. One thing that I noticed is that many of those examples allow IGMP packets. The Wikipedia article is a bit vague on that: IGMP is vulnerable to…
2 votes, 1 answer

How do I install iptables-translate?

I'm on a CentOS 7 machine. I'd like to try the use of nftables. Many sites reference iptables-translate as a helpful tool for translating from iptables to nftables rules. I've installed the nftables.x86_64 package and have the nft command, but I…
firebush