@oBuTr471b
Created February 8, 2021 04:22
# In The Name Of Allah .
# -- --- ---- -- ----- -
# Fri Jan 22 05:48:48 2021
# Written By : zer0err0r .
# ======= == = ========= =
# 2, Let's Create A Basic SPI Firewall .
= We will create a new [table], then a [chain], then define our [rules] .
= The ruleset we will write represents a basic stateful_packet_inspection[SPI] firewall .
# First, Create a table :
$ nft add table inet filter
# As you see :
= We said that NFTables doesn't come with predefined chains ,
= So, it looks like it doesn't come with predefined tables either .
= The previous line defines a new table and names it [filter] .
= You can change this name if you want to, but we want it to be similar to IPTables so it is familiar .
# Also :
= [inet] is the address family, and it covers both ipv4 and ipv6 .
# Then, Create a chain :
$ nft add chain inet filter input { type filter hook input priority 0 \; policy accept \; }
# As you see :
= [input] is just a name for the chain, we called it that so it looks like the IPTables INPUT chain .
= The semicolons are escaped with a backslash so that bash does not interpret them .
# Also :
= The chain [type] is set to [filter] .
= Other values of [type] are [route, nat] .
# Notice :
= In IPTables, it is the table that is defined as [filter, route, nat...] ,
= In NFTables, we define this on the chain .
# Also :
= The [hook] is set to [input] .
= Other values of [hook] are [prerouting, forward, output, postrouting, ingress] .
# Also :
= [policy accept] is the default policy of this chain, which [accept]s all connections that no rule has matched .
= To drop by default, use [policy drop] .
= Using [accept] instead of [drop] avoids terminating active SSH connections while the chain still has no accept rules .
# For more details about them go to :
$ man nft
# Finally, Let's create our ruleset :
$ nft add rule inet filter input iif lo accept
$ nft add rule inet filter input ct state established,related accept
$ nft add rule inet filter input tcp dport 22 accept
$ nft add rule inet filter input counter drop
# As you see :
= This is a basic firewall ruleset .
= It is the NFTables version of the CentOS 6 default stateful_packet_inspection[SPI] ruleset .
# First line :
= Allows traffic on the loopback interface .
# Second line :
= Allows inbound traffic that belongs to connections we opened ourselves, i.e. packets in [established] or [related] state .
# Third line :
= Allows inbound SSH traffic on TCP port [22] .
= This line allows [new] SSH connections, whereas the previous line alone would only allow [established, related] SSH packets .
# Fourth line :
= [drop]s all remaining packets, and adds a [count]er so we can see how many packets were dropped .
# Again, These are our NFTables commands :
$ nft flush ruleset
$ nft add table inet filter
$ nft add chain inet filter input { type filter hook input priority 0 \; policy accept \; }
$ nft add rule inet filter input iif lo accept
$ nft add rule inet filter input ct state established,related accept
$ nft add rule inet filter input tcp dport 22 accept
$ nft add rule inet filter input counter drop
# In IPTables, this corresponds to :
$ iptables -P INPUT ACCEPT
$ iptables -F
$ iptables -A INPUT -i lo -j ACCEPT
$ iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
$ iptables -P INPUT DROP
$ iptables -P FORWARD DROP
$ iptables -P OUTPUT ACCEPT
# Then, let's review them :
$ nft list ruleset
table inet filter {
chain input {
type filter hook input priority filter; policy accept;
iif "lo" accept
ct state established,related accept
tcp dport 22 accept
counter packets 14 bytes 1847 drop
}
}
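# Added example, not part of the gist: the same ruleset in `nft -f` file form, which loads
# atomically, plus a helper that reads the drop counter back out of `nft list ruleset` .
# The SAMPLE_LISTING text is constructed from the listing above; `nft` is only invoked when APPLY=1 .

```shell
# Emit the gist's ruleset as a single nft file. Loading it with `nft -f` applies
# the flush and the new table in one transaction, so there is no moment where
# only the accept policy is in effect. $1 = SSH port (defaults to 22, as in the gist).
render_ruleset() {
    port="${1:-22}"
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        iif "lo" accept
        ct state established,related accept
        tcp dport ${port} accept
        counter drop
    }
}
EOF
}

# Read `nft list ruleset` output on stdin and print "<packets> <bytes>" for the
# counter on the final drop rule. Prints nothing if no such rule is present.
drop_counter() {
    awk '/counter packets [0-9]+ bytes [0-9]+ drop/ {
             for (i = 1; i <= NF; i++) {
                 if ($i == "packets") p = $(i + 1)
                 if ($i == "bytes")   b = $(i + 1)
             }
             print p, b
         }'
}

# Constructed sample: the listing the gist shows after applying the rules.
SAMPLE_LISTING='table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
		iif "lo" accept
		ct state established,related accept
		tcp dport 22 accept
		counter packets 14 bytes 1847 drop
	}
}'

# Apply only when explicitly requested and running as root: APPLY=1 sh spi.sh
if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
    render_ruleset 22 | nft -f -
fi
```

Running `nft list ruleset | drop_counter` periodically (or from cron) gives a cheap view of how much traffic the catch-all rule is discarding.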
# ===== == ==== ======== =
# Peace Be Up0n Muhammed .