{"id":478,"date":"2024-05-23T21:45:11","date_gmt":"2024-05-23T11:45:11","guid":{"rendered":"https:\/\/www.drogueship.com\/?p=478"},"modified":"2024-05-23T22:18:32","modified_gmt":"2024-05-23T12:18:32","slug":"nftables-examples","status":"publish","type":"post","link":"https:\/\/www.drogueship.com\/index.php\/2024\/05\/23\/nftables-examples\/","title":{"rendered":"Nftables examples"},"content":{"rendered":"\n<p>These nftables firewall examples are from my previous house and all require ipv4.forward to be enabled in \/etc\/sysctl.conf as well as runing a dhcp server when plugging into an existing routers WAN port.<\/p>\n\n\n\n<p>This allowed me to use raspberry pi&#8217;s and usb network adaptors instead of more permanent hardware<\/p>\n\n\n\n<p>The first and last examples were between the nbn box and the internet service providers supplied router. It ended up with some ipv6 and nftables rules in the final one<\/p>\n\n\n\n<p>There are some port forwards, with a few different conditions explained in the comments<\/p>\n\n\n\n<p>There are rules for a few dodgy packets but this is possibly not the ideal way of doing it all but are provided as samples for those googling the subject, hi<\/p>\n\n\n\n<p><strong>This one was for going between the router and nbn box using a usb network card for the wan connection<\/strong>. <\/p>\n\n\n\n<p><br \/>#!\/sbin\/nft -f<br \/><br \/>flush ruleset<br \/><br \/>table ip filter {<br \/> # allow all packets sent by the firewall machine itself<br \/> <strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>chain output {<br \/> <strong>&nbsp;&nbsp;&nbsp;&nbsp;<strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>&nbsp;&nbsp; <\/strong>type filter hook output priority 100; policy accept;<br \/> <strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>}<br \/> # allow LAN to firewall, disallow WAN to firewall<br \/><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong> chain input { type filter hook input priority 0; policy drop;<br \/><strong>&nbsp;&nbsp;&nbsp;<strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>&nbsp;&nbsp;&nbsp; <\/strong> iifname &#8220;eth0&#8221; counter accept comment &#8220;accept eth0&#8221;<br \/><strong>&nbsp;&nbsp;&nbsp;<strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>&nbsp;&nbsp;&nbsp; <\/strong> iifname &#8220;eth1&#8221; ct state established,related counter accept comment &#8220;accept traffic from us&#8221;<br \/> <strong>&nbsp;&nbsp;&nbsp;<strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>&nbsp;&nbsp;&nbsp; <\/strong>iifname &#8220;wlan0&#8221; counter accept comment &#8220;accept wlan0&#8221;<br \/><strong>&nbsp;&nbsp;&nbsp;<strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>&nbsp;&nbsp;&nbsp; <\/strong> iif lo counter accept comment &#8220;accept loopback&#8221;<br \/><strong>&nbsp;&nbsp;&nbsp;<strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>&nbsp;&nbsp;&nbsp; <\/strong> iif != lo ip daddr 127.0.0.1\/8 counter drop comment &#8220;drop connections to loopback not coming from loopback&#8221;<br \/><strong>&nbsp;&nbsp;&nbsp;<strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>&nbsp;&nbsp;&nbsp; <\/strong> ip protocol icmp counter accept comment &#8220;accept all ICMP types&#8221;<br \/><strong>&nbsp;&nbsp;&nbsp;<strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>&nbsp;&nbsp;&nbsp; <\/strong> iifname &#8220;eth1&#8221; tcp dport 22 counter accept comment &#8220;accept SSH&#8221;<br \/><strong>&nbsp;&nbsp;&nbsp;<strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>&nbsp;&nbsp;&nbsp; <\/strong> counter comment &#8220;count dropped packets&#8221;<br \/><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>}<br \/># allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection<br \/><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>chain forward {<br \/><strong>&nbsp;&nbsp;<strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>&nbsp;&nbsp;&nbsp;&nbsp; <\/strong> type filter hook forward priority 0; policy drop;<br \/><strong>&nbsp;&nbsp;&nbsp;<strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>&nbsp;&nbsp;&nbsp; <\/strong> iifname &#8220;eth0&#8221; oifname &#8220;eth1&#8221; counter accept comment &#8220;eth0 to eth1&#8221;<br \/><strong>&nbsp;&nbsp;&nbsp;&nbsp;<strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>&nbsp;&nbsp; <\/strong> iifname &#8220;eth0&#8221; oifname &#8220;wlan0&#8221; counter accept comment &#8220;eth0 to wlan0&#8221;<br \/><strong>&nbsp;&nbsp;&nbsp;&nbsp;<strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>&nbsp;&nbsp; <\/strong> iifname &#8220;eth1&#8221; oifname &#8220;eth0&#8221; ct state related,established counter accept comment &#8220;external to eth0&#8221;<br \/><strong>&nbsp;&nbsp;&nbsp;&nbsp;<strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>&nbsp;&nbsp; <\/strong> counter comment &#8220;count dropped packets&#8221;<br \/><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong> }<br \/>}<br \/>table ip nat {<br \/> <strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>chain early_packet_filter {<br \/>&nbsp; &nbsp;&nbsp;&nbsp;<strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>&nbsp;&nbsp;&nbsp;# prio -150 is before pre routing in nat table and after connection tracking (-200)}<br \/><strong>&nbsp;&nbsp;&nbsp;<strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>&nbsp;&nbsp;&nbsp; <\/strong> type filter hook prerouting priority -150; policy accept;<br \/>&nbsp;&nbsp; &nbsp;<strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>&nbsp;&nbsp;&nbsp;&nbsp;# drop badly formed packets<br \/>&nbsp;&nbsp;&nbsp; <strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>&nbsp;&nbsp;&nbsp;&nbsp;ct state invalid drop<br \/><strong>&nbsp;&nbsp;&nbsp;<strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>&nbsp;&nbsp;&nbsp; <\/strong> tcp flags &amp; (fin|syn|rst|ack) != syn ct state new drop<br \/><strong>&nbsp;&nbsp;<strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>&nbsp;&nbsp;&nbsp;&nbsp; <\/strong> tcp flags &amp; (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg drop<br \/>&nbsp;&nbsp;&nbsp;&nbsp;       &nbsp;&nbsp;&nbsp; tcp flags &amp; (fin|syn|rst|psh|ack|urg) == 0x0 drop<br \/><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>        tcp flags syn tcp option maxseg size 1-536 drop<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br \/>chain prerouting {<br \/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;type nat hook prerouting priority 0; policy accept;<br \/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;# exceptions<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;iifname &#8220;eth1&#8221; tcp dport 23 dnat to 192.168.4.80:22 comment &#8220;port forward 23 to router ssh&#8221;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; iifname &#8220;eth1&#8221; tcp dport 443 dnat to 192.168.4.80:443 comment &#8220;port forward 443 to router&#8221;<br \/>}<br \/># for all packets to WAN, after routing, replace source address with primary IP of WAN interface<br \/>chain postrouting {<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;type nat hook postrouting priority 100; policy accept;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;oifname &#8220;eth1&#8221; counter masquerade comment &#8220;masquerade&#8221;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<br \/>}<br \/><br \/><\/p>\n\n\n\n<p><strong>butles was using a usb WiFi adaptor for the internet (wlan1) on board WiFi for a gopro network (wlan0) and wired connection to the garages router&#8217;s wan port (eth0)<br \/><\/strong><\/p>\n\n\n\n<p>#!\/sbin\/nft -f<br \/><br \/>flush ruleset<br \/><br \/>table ip filter {<br \/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;# allow all packets sent by the firewall machine itself<br \/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;chain output {<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; type filter hook output priority 100; policy accept;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; # allow LAN to firewall, disallow WAN to firewall<br \/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;chain input {<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; type filter hook input priority 0; policy drop;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; iifname &#8220;wlan0&#8221; counter accept comment &#8220;accept wlan0&#8221;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; iifname &#8220;wlan1&#8221; ct state established,related counter accept comment &#8220;accept traffic from us&#8221;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; iifname &#8220;eth0&#8221; counter accept comment &#8220;accept eth0&#8221;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; iif lo counter accept comment &#8220;accept loopback&#8221;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; iif != lo ip daddr 127.0.0.1\/8 counter drop comment &#8220;drop connections to loopback not coming from loopback&#8221;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ip protocol icmp counter accept comment &#8220;accept all ICMP types&#8221;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; iifname &#8220;wlan1&#8221; ip saddr 192.168.1.0\/24 tcp dport 22 counter accept comment &#8220;accept SSH from garage&#8221;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; iifname &#8220;wlan1&#8221; ip saddr 192.168.1.0\/24 tcp dport 5000 counter accept comment &#8220;accept OCTOPRINT&#8221;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; iifname &#8220;wlan1&#8221; ip saddr 192.168.1.0\/24 tcp dport 8080 counter accept comment &#8220;accept WEBCAM&#8221;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; iifname &#8220;wlan1&#8221; ip saddr 192.168.2.0\/24 tcp dport 24800 counter accept comment &#8220;accept SYNERGY from routers wan port&#8221;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; counter comment &#8220;count dropped packets&#8221;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br \/># allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; chain forward {<br \/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;type filter hook forward priority 0; policy drop;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; iifname &#8220;wlan0&#8221; oifname &#8220;wlan1&#8221; counter accept comment &#8220;eth0 to wlan1&#8221;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; iifname &#8220;eth0&#8221; oifname &#8220;wlan1&#8221; counter accept comment &#8220;eth0 to wlan1&#8221;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; iifname &#8220;eth0&#8221; oifname &#8220;wlan0&#8221; counter accept comment &#8220;eth0 to wlan0&#8221;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; iifname &#8220;wlan1&#8221; oifname &#8220;wlan0&#8221; ct state related,established counter accept comment &#8220;external to wlan0&#8221;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; iifname &#8220;wlan1&#8221; oifname &#8220;eth0&#8221; ct state related,established counter accept comment &#8220;external to eth0&#8221;<br \/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;counter comment &#8220;count dropped packets&#8221;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br \/>}<br \/>table ip nat {<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; chain early_packet_filter {<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; # prio -150 is before pre routing in nat table and after connection tracking (-200)}<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; type filter hook prerouting priority -150; policy accept;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; # drop badly formed packets<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ct state invalid drop<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tcp flags &amp; (fin|syn|rst|ack) != syn ct state new drop<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tcp flags &amp; (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg drop<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tcp flags &amp; (fin|syn|rst|psh|ack|urg) == 0x0 drop<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tcp flags syn tcp option maxseg size 1-536 drop<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br \/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;chain prerouting {<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; type nat hook prerouting priority 0; policy accept;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br \/><br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; # for all packets to WAN, after routing, replace source address with primary IP of WAN interface<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; chain postrouting {<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; type nat hook postrouting priority 100; policy accept;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; oifname &#8220;wlan1&#8221; counter masquerade comment &#8220;masquerade&#8221;<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br \/>}<\/p>\n\n\n\n<p><br \/><strong>backup of pppoe nbn. Needed a vlan id and authenticati<\/strong>on <strong>copied from supplied routers admin page. Also includes fail2ban and ipv6<\/strong><\/p>\n\n\n\n<p>#!\/sbin\/nft -f<br \/><br \/>flush ruleset<br \/>include &#8220;\/etc\/nftables\/fail2ban.conf&#8221;<br \/><br \/>table ip fail2ban {<br \/>&nbsp;&nbsp;&nbsp; chain input {<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; type filter hook input priority 100;<br \/>&nbsp;&nbsp;&nbsp; }<br \/>}<br \/><br \/>table ip filter {<br \/>&nbsp;&nbsp;&nbsp; # allow all packets sent by the firewall machine itself<br \/>&nbsp;&nbsp;&nbsp; chain output {<br \/>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; type filter hook output priority 100; policy accept;<br \/>&nbsp;&nbsp;&nbsp; }<br \/><br \/>&nbsp;&nbsp;&nbsp; # allow LAN to firewall, disallow WAN to firewall<br \/>&nbsp;&nbsp;&nbsp; chain input { type filter hook input priority 0; policy drop;<br \/>&nbsp;&nbsp;&nbsp; iifname &#8220;eth0&#8221; counter accept comment &#8220;accept eth0&#8221;<br \/>&nbsp;&nbsp;&nbsp; iifname &#8220;eth1&#8221; counter accept comment &#8220;accept eth1&#8221;<br \/>&nbsp;&nbsp;&nbsp; iifname &#8220;ppp0&#8221; ct state established,related counter accept comment &#8220;accept traffic back from us&#8221;<br \/>&nbsp;&nbsp;&nbsp; #iifname &#8220;ppp0&#8221; counter accept comment &#8220;accept traffic from us&#8221;<br \/>&nbsp;&nbsp;&nbsp; iifname &#8220;wlan0&#8221; counter accept comment &#8220;accept wlan0&#8221;<br \/>&nbsp;&nbsp;&nbsp; iif lo counter accept comment &#8220;accept loopback&#8221;<br \/>&nbsp;&nbsp;&nbsp; iif != lo ip daddr 127.0.0.1\/8 counter drop comment &#8220;drop connections to loopback not coming from loopback&#8221;<br \/>&nbsp;&nbsp;&nbsp; ip protocol icmp counter accept comment &#8220;accept all ICMP types&#8221;<br \/>&nbsp;&nbsp;&nbsp; iifname &#8220;ppp0&#8221; tcp dport 22 counter accept comment &#8220;accept SSH&#8221;<br \/>&nbsp;&nbsp;&nbsp; iifname &#8220;ppp0&#8221; tcp dport 23 counter accept comment &#8220;accept SSH to slab&#8221;<br \/>&nbsp;&nbsp;&nbsp; iifname &#8220;ppp0&#8221; tcp dport 443 counter accept comment &#8220;accept HTTPS to slab&#8221;<br \/>&nbsp;&nbsp;&nbsp; counter comment &#8220;count dropped packets&#8221;<br \/>}<br \/># allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection<br \/>chain forward {<br \/>&nbsp;&nbsp;&nbsp; type filter hook forward priority 0; policy drop;<br \/>&nbsp;&nbsp;&nbsp; iifname &#8220;eth0&#8221; oifname &#8220;ppp0&#8221; counter accept comment &#8220;eth0 to eth1&#8221;<br \/>&nbsp;&nbsp;&nbsp; iifname &#8220;eth0&#8221; oifname &#8220;wlan0&#8221; counter accept comment &#8220;eth0 to wlan0&#8221;<br \/>&nbsp;&nbsp;&nbsp; iifname &#8220;ppp0&#8221; oifname &#8220;eth0&#8221; ct state related,established counter accept comment &#8220;external to eth0&#8221;<br \/>&nbsp;&nbsp;&nbsp; counter comment &#8220;count dropped packets&#8221;<br \/>&nbsp;&nbsp;&nbsp; }<br \/>}<br \/>table ip nat {<br \/>&nbsp;&nbsp;&nbsp; chain early_packet_filter {<br \/>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; # prio -150 is before pre routing in nat table and after connection tracking (-200)}<br \/>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; type filter hook prerouting priority -150; policy accept;<br \/>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; # drop badly formed packets<br \/>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; ct state invalid drop<br \/>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; tcp flags &amp; (fin|syn|rst|ack) != syn ct state new drop<br \/>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; tcp flags &amp; (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg drop<br \/>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; tcp flags &amp; (fin|syn|rst|psh|ack|urg) == 0x0 drop<br \/>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; tcp flags syn tcp option maxseg size 1-536 drop<br \/>&nbsp;&nbsp;&nbsp; }<br \/>&nbsp;&nbsp;&nbsp; chain prerouting {<br \/>&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; type nat hook prerouting priority 0; policy accept;<br \/>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; # exceptions<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp; iifname &#8220;ppp0&#8221; tcp dport 23 dnat to 192.168.4.80:22 comment &#8220;port forward 23 to router ssh&#8221;<br \/>&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp; iifname &#8220;ppp0&#8221; tcp dport 443 dnat to 192.168.4.80:443 comment &#8220;port forward 443 to router&#8221;<br \/>&nbsp;&nbsp;&nbsp; }<br \/><br \/># for all packets to WAN, after routing, replace source address with primary IP of WAN interface<br \/>&nbsp;&nbsp;&nbsp; chain postrouting {<br \/>&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp; type nat hook postrouting priority 100; policy accept;<br \/>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; oifname &#8220;ppp0&#8221; counter masquerade comment &#8220;masquerade&#8221;<br \/>&nbsp;&nbsp;&nbsp; }<br \/>}<br \/><br \/>table ip6 firewall {<br \/>&nbsp; chain incoming {<br \/>&nbsp;&nbsp;&nbsp; type filter hook input priority 0;<br \/><br \/>&nbsp;&nbsp;&nbsp; # established\/related connections<br \/>&nbsp;&nbsp;&nbsp; ct state established,related accept<br \/><br \/>&nbsp;&nbsp;&nbsp; # invalid connections<br \/>&nbsp;&nbsp;&nbsp; ct state invalid drop<br \/><br \/>&nbsp;&nbsp;&nbsp; # loopback interface<br \/>&nbsp;&nbsp;&nbsp; iifname lo accept<br \/><br \/>&nbsp;&nbsp;&nbsp; # icmp<br \/>&nbsp;&nbsp;&nbsp; icmpv6 type {echo-request,nd-neighbor-solicit,nd-router-solicit,mld-listener-query} accept<br \/><br \/>&nbsp;&nbsp;&nbsp; # drop everything else<br \/>&nbsp;&nbsp;&nbsp; drop<br \/>&nbsp; }<br \/>}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>These nftables firewall examples are from my previous house and all require ipv4.forward to be enabled in \/etc\/sysctl.conf as well as runing a dhcp server when plugging into an existing routers WAN port. This allowed me to use raspberry pi&#8217;s and usb network adaptors instead of more permanent hardware The first and last examples were [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[68,14],"tags":[],"class_list":["post-478","post","type-post","status-publish","format-standard","hentry","category-linux","category-raspberry-pi"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.drogueship.com\/index.php\/wp-json\/wp\/v2\/posts\/478","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.drogueship.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.drogueship.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.drogueship.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.drogueship.com\/index.php\/wp-json\/wp\/v2\/comments?post=478"}],"version-history":[{"count":8,"href":"https:\/\/www.drogueship.com\/index.php\/wp-json\/wp\/v2\/posts\/478\/revisions"}],"predecessor-version":[{"id":487,"href":"https:\/\/www.drogueship.com\/index.php\/wp-json\/wp\/v2\/posts\/478\/revisions\/487"}],"wp:attachment":[{"href":"https:\/\/www.drogueship.com\/index.php\/wp-json\/wp\/v2\/media?parent=478"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.drogueship.com\/index.php\/wp-json\/wp\/v2\/categories?post=478"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.drogueship.com\/index.php\/wp-json\/wp\/v2\/tags?post=478"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}