https://github.com/k4yt3x/nftables
K4YT3X's template nftables script.
https://github.com/k4yt3x/nftables
firewall linux nft nftables security
Last synced: 8 months ago
JSON representation
K4YT3X's template nftables script.
- Host: GitHub
- URL: https://github.com/k4yt3x/nftables
- Owner: k4yt3x
- License: gpl-3.0
- Created: 2020-10-20T19:40:07.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2024-11-07T23:20:59.000Z (over 1 year ago)
- Last Synced: 2025-02-02T02:41:28.421Z (over 1 year ago)
- Topics: firewall, linux, nft, nftables, security
- Homepage: https://k4t.io/nft
- Size: 17.6 KB
- Stars: 10
- Watchers: 5
- Forks: 0
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# K4YT3X's Template nftables Script
This repository hosts my personal `nftables.conf` script. This file is intended to be used as a template for creating nftables profiles for hosts. The default settings in this script are suitable for endpoint devices (e.g., workstations). This configuration file is also compliant with [RFC4890](https://tools.ietf.org/html/rfc4890). Below is an abstract of what is allowed in the profile by default.
- **IPv4**
- Established/related segments accepted
- DHCP accepted
- ICMP necessary debugging types accepted
- **IPv6**
- Established/related segments accepted
- DHCPv6 accepted
- ICMPv6 types in [RFC4890](https://tools.ietf.org/html/rfc4890) accepted
**Please review the script file carefully before applying it.** You are responsible for actions done to your system.
## Applying Template Rules
You may run this script with the `nft` command to load the rules in this profile. You can also install this profile to the system, so the `nftables.service` will automatically load this profile upon service restart or reboot. If you would like to load this configuration once, simply run `nft -f nftables.conf` or `./nftables.conf`. If you would like to make the changes persist after a reboot, you will have to overwrite contents of the `nftables.conf` which the `nftables.service` reads rules from. The location of this file varies depending on your distribution. Below are some examples.
- CentOS/RHEL: `/etc/sysconfig/nftables.conf`
- Debian: `/etc/nftables.conf`
After editing the files, run the appropriate command to restart the nftables service to apply the rules (e.g., `systemctl restart nftables`). Once you finish loading the rules, you can verify the changes using the command `nft list ruleset`.
## Opening Ports
This script provides a convenient way of opening ports. In order to open ports, you only need to edit the `ACCEPT_TCP_PORTS` variable and the `ACCEPT_UDP_PORTS` variable. You will find these two variables at the beginning of the script.
```properties
# TCP ports to accept (both IPv4 and IPv6)
#define ACCEPT_TCP_PORTS = {}
# UDP ports to accept (both IPv4 and IPv6)
#define ACCEPT_UDP_PORTS = {}
```
To open a port, uncomment the corresponding line and add the comma-separated list of ports into the brackets at the end of the line. The example below opens TCP ports 22 and 80 and UDP port 53.
```properties
# TCP ports to accept (both IPv4 and IPv6)
define ACCEPT_TCP_PORTS = { 22, 80 }
# UDP ports to accept (both IPv4 and IPv6)
define ACCEPT_UDP_PORTS = { 53 }
```
Do not forget to reload `nftables.service` to apply the changes after finish editing the script file.
## Short URL for Downloading `nftables.conf`
For convenience, I have pointed the URL `https://kt.ax/nft` to the `nftables.conf` file. You may therefore download the `nftables.conf` file with the following command. However, be sure to check the file's integrity after downloading it if you choose to download using this method.
```shell
curl -L kt.ax/nft -o nftables.conf
```