Configurar nftables en servidores
El archivo de nftables se encuentra en /etc/nftables.conf
Para activar el servicio ejecutaremos
systemctl enable nftables
Para iniciarlo, ejecutaremos
systemctl start nftables
O bien
service nftables start
Ejemplo práctico de configuración de nftables para un servidor
Ejemplo de nftables que permite web y correo desde cualquier IP, y permite el ssh únicamente desde una serie de IP predefinidas (el resto del tráfico ssh se descarta).
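#!/usr/sbin/nft -f
# Server firewall: web and mail reachable from any address, SSH only from
# the management set, everything else counted and dropped.
flush ruleset

# `inet` applies to both IPv4 and IPv6.
table inet filter {
    # Management hosts allowed to reach SSH. The entries are placeholders to
    # be replaced with real prefixes/addresses. The set is IPv4-only, so SSH
    # over IPv6 is dropped unless an ipv6_addr set is added alongside it.
    set management_ips_ipv4 {
        type ipv4_addr
        flags interval
        elements = { A.B.C.D/26,
                     F.G.H.I/23,
                     J.K.L.M/24,
                     N.O.P.R }
    }

    chain input {
        # Explicit drop policy: anything not accepted below is dropped even
        # if the trailing `counter drop` rule is ever removed or reordered.
        type filter hook input priority 0; policy drop;

        # accept any localhost traffic
        iif lo accept

        # drop packets conntrack cannot associate with a known flow
        ct state invalid drop

        # no ping floods:
        ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop
        meta l4proto ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 4 packets drop

        # accept traffic originated from us
        ct state established,related accept

        # accept ICMP & IGMP
        # `meta l4proto` rather than `ip6 nexthdr`: the latter only matches when
        # ICMPv6 is the first header, and MLD packets carry a Hop-by-Hop
        # extension header before it.
        meta l4proto ipv6-icmp icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
        ip protocol icmp icmp type { echo-request, destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
        ip protocol igmp accept

        # ssh: only from the management set (IPv4 sources)
        tcp dport 22 ip saddr @management_ips_ipv4 accept

        # http/https
        tcp dport { 80, 443 } accept

        # smtp/submission
        tcp dport { 25, 465, 587 } accept

        # pop3/pop3s
        tcp dport { 110, 995 } accept

        # imap/imaps
        tcp dport { 143, 993 } accept

        # count and drop any other traffic
        counter drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}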
En el caso de querer abrir otro puerto TCP, añadiríamos en cualquiera de las líneas a partir de la 37 una regla como:
tcp dport puerto-a-abrir accept
Para UDP:
udp dport puerto-a-abrir accept
En el caso de querer abrir el puerto solo a determinadas IP de origen (las del conjunto management_ips_ipv4):
tcp dport {puerto-a-abrir} ip saddr @management_ips_ipv4 accept
Referencia de nftables: https://www.netfilter.org/projects/nftables/manpage.html