How to install and configure NFTables on Ubuntu 20.04 - nomorespice/ubuntu20.04-howto GitHub Wiki

NFTables is the new packet classification framework that replaces the legacy {ip,ip6,arp,eb}_tables infrastructure. This procedure walks you through installing nftables, loading a ruleset from a shell script, and sending the log messages for dropped packets to their own log file.

This document assumes that:

  • you have installed the Ubuntu 20.04 operating system
  • you are performing these tasks as root
  • you are performing these tasks in order, as some tasks require others to be completed first

Install required software

apt install nftables

Create the shell script

mkdir /script

/bin/cat <<\EOT >/script/fw.sh
#!/bin/bash
# fw.sh
# Firewall Configuration Script
#
# Command Variables
NFT=/usr/sbin/nft
#
# File/Directory Variables
NFTCONF=/etc/nftables.conf
#
# Flush all firewall chains
$NFT flush ruleset
#
$NFT add table inet filter
$NFT add chain inet filter INPUT { type filter hook input priority 0\; policy drop \; }
$NFT add chain inet filter FORWARD { type filter hook forward priority 0\; policy drop \; }
$NFT add chain inet filter OUTPUT { type filter hook output priority 0\; policy drop \; }
#
$NFT add rule inet filter INPUT ct state related,established accept
$NFT add rule inet filter INPUT ct state invalid drop
$NFT add rule inet filter INPUT iif lo accept
$NFT add rule inet filter INPUT iif lo ip6 saddr ::1 accept
$NFT add rule inet filter INPUT ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit } ip6 hoplimit 255 accept
$NFT add rule inet filter INPUT meta l4proto ipv6-icmp ip6 saddr fe80::/10 accept
$NFT add rule inet filter INPUT fib daddr type { broadcast, multicast } drop
$NFT add rule inet filter INPUT ip6 daddr ff02::1 drop
$NFT add rule inet filter INPUT ip version 4 log prefix \"NFTABLE-IN \" level debug drop
$NFT add rule inet filter INPUT ip6 version 6 log prefix \"NF6TABLE-IN \" level debug drop
$NFT add rule inet filter INPUT counter drop
#
$NFT add rule inet filter OUTPUT oif lo accept
$NFT add rule inet filter OUTPUT oif lo ip6 saddr ::1 accept
$NFT add rule inet filter OUTPUT meta l4proto ipv6-icmp accept
$NFT add rule inet filter OUTPUT ct state invalid drop
$NFT add rule inet filter OUTPUT counter ct state new,related,established accept
#
#
# Have these rules take effect when server is started
# nftables.service loads $NFTCONF with "nft -f"; start the file with
# "flush ruleset" so that a reload does not add a second copy of every rule
printf '#!/usr/sbin/nft -f\nflush ruleset\n' > $NFTCONF
$NFT list ruleset >> $NFTCONF
#
exit
EOT

/bin/chmod 700 /script/fw.sh

systemctl --now enable nftables.service
/script/fw.sh

Set up logging

/bin/touch /var/log/nftables
/bin/chmod 664 /var/log/nftables
/bin/chown syslog:adm /var/log/nftables
/bin/cat << EOT >/etc/rsyslog.d/10-nftables.conf
:msg, contains, "NFTABLE" -/var/log/nftables
& stop
:msg, contains, "NF6TABLE" -/var/log/nftables
& stop
EOT

systemctl restart rsyslog

/bin/sed -i "/messages/ a \/var\/log\/nftables" /etc/logrotate.d/rsyslog
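Once /var/log/nftables is being written, the following shell functions summarise what the INPUT chain is dropping. This is an added example, not part of the wiki page; it assumes the NFTABLE-IN / NF6TABLE-IN prefixes configured above and the standard netfilter log line layout (SRC=, DST=, PROTO=, DPT=), and the sample log lines are constructed (MAC field abbreviated).

```shell
# nft_drop_summary  (reads log lines on stdin)
# Prints one line per (prefix, PROTO, DPT) with a hit count, highest first.
# Lines whose prefix is neither NFTABLE-IN nor NF6TABLE-IN are ignored.
nft_drop_summary() {
    awk '
        /NF6?TABLE-IN / {
            prefix = ""; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^NF6?TABLE-IN$/)  prefix = $i
                else if ($i ~ /^PROTO=/)    proto = substr($i, 7)
                else if ($i ~ /^DPT=/)      dpt = substr($i, 5)   # absent for ICMP
            }
            if (prefix != "") count[prefix " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# nft_top_sources N  (reads log lines on stdin)
# Prints the N source addresses with the most dropped packets, highest first.
nft_top_sources() {
    awk '/NF6?TABLE-IN / { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src[substr($i, 5)]++ }
         END { for (s in src) print src[s], s }' | sort -rn | head -n "${1:-5}"
}

# Constructed sample lines in the format rsyslog writes to /var/log/nftables.
SAMPLE_LOG=$(cat <<'EOT'
Jan  1 10:00:01 host kernel: NFTABLE-IN IN=eth0 OUT= MAC=... SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan  1 10:00:02 host kernel: NFTABLE-IN IN=eth0 OUT= MAC=... SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan  1 10:00:03 host kernel: NFTABLE-IN IN=eth0 OUT= MAC=... SRC=198.51.100.77 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=3 PROTO=TCP SPT=5000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 10:00:04 host kernel: NFTABLE-IN IN=eth0 OUT= MAC=... SRC=203.0.113.5 DST=198.51.100.2 LEN=28 TOS=0x00 PREC=0x00 TTL=54 ID=4 PROTO=UDP SPT=5353 DPT=161 LEN=8
Jan  1 10:00:05 host kernel: NF6TABLE-IN IN=eth0 OUT= MAC=... SRC=2001:db8::9 DST=2001:db8::2 LEN=80 TC=0 HOPLIMIT=60 FLOWLBL=0 PROTO=TCP SPT=6000 DPT=22 WINDOW=64800 RES=0x00 SYN URGP=0
Jan  1 10:00:06 host kernel: NFTABLE-IN IN=eth0 OUT= MAC=... SRC=203.0.113.9 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
EOT
)

# On a live host use:  nft_drop_summary < /var/log/nftables
printf '%s\n' "$SAMPLE_LOG" | nft_drop_summary
printf '%s\n' "$SAMPLE_LOG" | nft_top_sources 3
```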