On Monday, 05-08-2024 at 17:25 Michel Verdier wrote:
> On 2024-08-04, George at Clug wrote:
> 
> > I think I finally have success (had to fix way too many typos).
> >
> > Please review, and please comment if it can be improved.
> 
> Don't fix typos and instead rewrite your rules with nftables
> https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
> It's so much easier and cleaner with nftables :)

Thanks for the link, Michel, it had some interesting translation commands which I 
put to good use.

There will be some new learning if I am going to be able to do as it suggests, 
"implement new nftables mechanisms such as sets, maps, verdict maps, 
concatenations and more".

Down below is the output of the translation commands for my iptables commands.  
Interesting, but again I will need to learn what this means; it does not look 
self-explanatory. But hopefully, like everything computer related, it is 
usually not that complex, you just need to understand the new syntax and how to 
use it.

I am also a bit concerned about the statement "table ip nat"; I do not want 
[e.g. need] any Network Address Translation occurring.

As with all new systems, it is best to start at the beginning with the simple, 
then build on that. Anyway, something to amuse myself with.

George.

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/security_guide/sec-creating_and_managing_nftables_tables_chains_and_rules#sec-Creating_an_nftables_table

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking

https://wiki.nftables.org/wiki-nftables/index.php/Simple_rule_management
https://wiki.nftables.org/wiki-nftables/index.php/Scripting

table ip filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                iifname "lo" counter packets 0 bytes 0 accept
                iifname "enp1s0" ct state established,related counter packets 243 bytes 27964 accept
                iifname "enp1s0" ct state new tcp dport 22 counter packets 0 bytes 0 accept
                iifname "enp1s0" ct state new tcp dport 25565 counter packets 0 bytes 0 accept
                iifname "enp1s0" ct state new tcp dport 8123 counter packets 0 bytes 0 accept
        }

        chain FORWARD {
                type filter hook forward priority filter; policy drop;
        }

        chain OUTPUT {
                type filter hook output priority filter; policy drop;
                oifname "lo" counter packets 0 bytes 0 accept
                oifname "enp1s0" ct state established,related counter packets 189 bytes 33916 accept
                oifname "enp1s0" ct state new udp dport 53 counter packets 16 bytes 984 accept
                oifname "enp1s0" ct state new tcp dport { 22, 53, 80, 123, 443 } counter packets 9 bytes 540 accept
        }
}
table ip nat {
        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
        }

        chain INPUT {
                type nat hook input priority 100; policy accept;
        }

        chain OUTPUT {
                type nat hook output priority -100; policy accept;
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
        }
}
table ip mangle {
        chain PREROUTING {
                type filter hook prerouting priority mangle; policy accept;
        }

        chain INPUT {
                type filter hook input priority mangle; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority mangle; policy accept;
        }

        chain OUTPUT {
                type route hook output priority mangle; policy accept;
        }

        chain POSTROUTING {
                type filter hook postrouting priority mangle; policy accept;
        }
}
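An added check, not part of this thread: a small Python parser for `nft list ruleset` output of the shape shown above (the sample in the block is constructed to mirror that dump) that lists which base chains actually affect traffic. Run over the translated ruleset it confirms the point raised about "table ip nat": chains with an accept policy and no rules, which is all the nat and mangle tables contain, only register hooks and translate nothing.

```python
import re

# Constructed sample in the shape of the `nft list ruleset` output above: a filter
# table with rules and drop policies, and a nat table with only an empty base chain.
SAMPLE = """\
table ip filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                iifname "lo" counter packets 0 bytes 0 accept
                iifname "enp1s0" ct state new tcp dport 22 counter packets 0 bytes 0 accept
        }
        chain FORWARD {
                type filter hook forward priority filter; policy drop;
        }
}
table ip nat {
        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
        }
}
"""

TABLE_RE = re.compile(r"^table (\S+) (\S+) \{$")
CHAIN_RE = re.compile(r"^chain (\S+) \{$")
BASE_RE = re.compile(r"^type (\S+) hook (\S+) priority (\S+); policy (\S+);$")
COUNTER_RE = re.compile(r" counter packets \d+ bytes \d+")  # varies per dump; drop it

def parse_ruleset(text):
    """Map "family table" -> chain -> {hook, policy, rules} from `nft list ruleset` text."""
    tables, table, chain = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := TABLE_RE.match(line):
            table = tables.setdefault(f"{m[1]} {m[2]}", {})
        elif m := CHAIN_RE.match(line):
            chain = table.setdefault(m[1], {"hook": None, "policy": None, "rules": []})
        elif m := BASE_RE.match(line):
            chain.update(hook=m[2], policy=m[4])  # base-chain header line
        elif line == "}":
            chain = None  # closes a chain (or a table, which needs no state)
        elif line and chain is not None:
            chain["rules"].append(COUNTER_RE.sub("", line))  # counters stripped
    return tables

def chains_with_effect(tables):
    """Base chains that actually influence traffic: a drop policy or at least one rule.
    An accept-policy chain with no rules, like every chain of the translated nat and
    mangle tables, only registers a hook and leaves packets untouched."""
    return [(t, c) for t, chains in tables.items()
            for c, info in chains.items() if info["policy"] == "drop" or info["rules"]]
```

Feed it the real dump with `parse_ruleset(open("ruleset.txt").read())`; because counters are stripped, two dumps taken at different times can be compared directly.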
