Basic NFTables Ruleset

Posted 09-27-2024 at 05:46 AM by kakistocrat
Updated 01-05-2025 at 03:15 AM by kakistocrat

Here is a basic NFTables ruleset, stored here for future reference. It'll probably get updated over time as new knowledge and ideas turn up — if I remember.

Code:
#!/usr/sbin/nft -f

flush ruleset

table ip filter4 {
	set blacklist4 {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { xx.yy.zz/22 }
	}

	chain input {
		type filter hook input priority filter; policy drop;
		iif "lo" ip saddr 127.0.0.0/8 ip daddr 127.0.0.0/8 counter accept
		ip saddr @blacklist4 counter reject
		ct state established,related counter accept
		icmp type echo-request limit rate 1/second counter accept
		tcp dport 22 ct state new limit rate 4/minute counter accept
		counter reject
	}

	chain output {
		type filter hook output priority filter; policy drop;
		oif "lo" ip saddr 127.0.0.0/8 ip daddr 127.0.0.0/8 counter accept
		ip daddr @blacklist4 counter reject
		ip protocol tcp counter accept
		ip protocol udp counter accept
		ip protocol icmp counter accept
		counter reject
	}
}
table ip6 filter6 {
	set blacklist6 {
		type ipv6_addr
		flags interval
		auto-merge
		elements = { xxxx:yyyy::/32 }
	}

	chain input {
		type filter hook input priority filter; policy drop;
		iif "lo" ip6 saddr ::1 ip6 daddr ::1 counter accept
		ip6 saddr @blacklist6 counter reject
		ct state established,related counter accept
		# ICMPv6 types IPv6 cannot work without (neighbour/router discovery, PMTU, error reports);
		# restricted to these types rather than all of ipv6-icmp so the echo-request limit below is reachable
		icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } counter accept
		icmpv6 type echo-request limit rate 1/second counter accept
		tcp dport 22 ct state new limit rate 4/minute counter accept
		counter reject
	}

	chain output {
		type filter hook output priority filter; policy drop;
		oif "lo" ip6 saddr ::1 ip6 daddr ::1 counter accept
		# mirror of the IPv4 output chain: refuse traffic towards blacklisted IPv6 networks
		ip6 daddr @blacklist6 counter reject
		ip6 nexthdr tcp counter accept
		ip6 nexthdr udp counter accept
		ip6 nexthdr ipv6-icmp counter accept
		counter reject
	}
}
The blacklist4 and blacklist6 sets block offending IPv4 and IPv6 addresses and networks respectively; both are interval sets with auto-merge, so overlapping ranges are collapsed automatically.

Perl, Python, or even AWK scripts can then easily add entries to either set.

Code:
nft add element filter4 blacklist4 "{ 185.60.216.0/22 }";
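As an added illustration of the scripted approach (this is not code from the post): a small Python helper that validates each candidate address or network, routes it to the matching set from the ruleset above (blacklist4 in table filter4, blacklist6 in table filter6; these names are assumed unchanged), and feeds the result to `nft -f -` so that all elements land in one atomic transaction instead of one `nft add element` call per entry.

```python
import ipaddress
import subprocess

# Family -> (nft family, table, set) exactly as defined in the ruleset above (assumed unchanged).
SETS = {4: ("ip", "filter4", "blacklist4"), 6: ("ip6", "filter6", "blacklist6")}


def classify(entry):
    """Return (ip_version, normalized CIDR) for an address or network string, or None if invalid.

    Bare addresses become /32 or /128 prefixes; host bits in a prefix are masked off.
    """
    try:
        net = ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return None
    return net.version, str(net)


def build_batch(entries):
    """Group valid entries by family and build one nft batch suitable for `nft -f -`.

    Returns (batch_text, rejected_entries). Invalid strings are reported, never passed to nft,
    which keeps a malformed line in the input from aborting the whole transaction.
    """
    grouped = {4: [], 6: []}
    rejected = []
    for entry in entries:
        classified = classify(entry)
        if classified is None:
            rejected.append(entry)
        else:
            grouped[classified[0]].append(classified[1])
    lines = []
    for version, (family, table, setname) in SETS.items():
        if grouped[version]:
            lines.append(f"add element {family} {table} {setname} {{ {', '.join(grouped[version])} }}")
    return "\n".join(lines) + ("\n" if lines else ""), rejected


def apply_batch(batch):
    """Feed the batch to nft; nftables applies it as a single transaction (all or nothing)."""
    if batch:
        subprocess.run(["nft", "-f", "-"], input=batch, text=True, check=True)


if __name__ == "__main__":
    # Constructed sample input: documentation ranges plus one junk line.
    sample = ["185.60.216.0/22", "203.0.113.7", "2001:db8::/32", "not-an-ip"]
    text, bad = build_batch(sample)
    print(text, "rejected:", bad)
```

Run it as root (or via sudo) to actually apply the batch; the `__main__` section only prints what would be sent.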
Edit: Updated for better IPv6 support.