Nftables: Difference between revisions

From Alpine Linux
(slight reordering to make things easier to follow)
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
{{DISPLAYTITLE:nftables}}The netfilter.org [https://netfilter.org/projects/nftables nftables] project provides user-space tools to control the Linux nftables subsystem.
{{DISPLAYTITLE:nftables}}The [https://netfilter.org/projects/nftables nftables] project provides user-space tools to control the Linux nftables subsystem.


== Installation ==
== Installation ==
Line 14: Line 14:
== Packaged rules ==
== Packaged rules ==


{{Issue|16177|This section describes a feature that are still being implemented and subject to change}}
Server software packages that are accompanied by an <code>-nftrules</code> package includes the typical default rules to expose the server. For example, {{pkg|openssh-nftrules}} package will open the default port(s) used by {{pkg|openssh}}. These rules are not active upon package installation. They are installed in the <code>/usr/share/nftables.avail/</code> directory. The user can either symlink them individually to <code>/etc/nftables.d/</code>, or add this configuration line <code>include "/usr/share/nftables.avail/*.nft"</code> to <code>/etc/nftables.nft</code>.
 
Server software packages that are accompanied by an <code>-nftables</code> package includes the typical default rules to expose the server. For example, {{pkg|kdeconnect-nftables}} package will open the default port(s) used by {{pkg|kdeconnect}}. These rules are active upon package installation.


== See also ==
== See also ==
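Review bot: the second enabling method in the Packaged rules hunk, adding include "/usr/share/nftables.avail/*.nft" to /etc/nftables.nft, activates every installed -nftrules ruleset at once, which undoes the opt-in behaviour the same paragraph just introduced ("These rules are not active upon package installation"); suggest saying so explicitly and presenting the per-file symlink into /etc/nftables.d/ as the default, with the include glob reserved for hosts where exposing every installed server is intended. Two grammar points in the same hunk: "packages that are accompanied by an -nftrules package includes" should read "include", and the issue banner "a feature that are still being implemented" should read "is still being implemented".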

Latest revision as of 06:11, 20 August 2025

The nftables project provides user-space tools to control the Linux nftables subsystem.

Installation

To use the nft command from the nftables package, install it first:

# apk add nftables

Configuration

The default nftables rules shipped with the package block all incoming connections. The service that loads the rules from the /etc/nftables.d directory can be enabled at boot and started with:

# rc-update add nftables boot
# rc-service nftables start

Rule files installed under the /usr/share/nftables.avail directory are not loaded until they are symlinked into the /etc/nftables.d directory. For example, to enable the rule file /usr/share/nftables.avail/sshd.nft, issue:

# ln -s /usr/share/nftables.avail/sshd.nft /etc/nftables.d/sshd.nft

Packaged rules

Server software packages that are accompanied by an -nftrules package include the typical default rules to expose the server. For example, the openssh-nftrules package will open the default port(s) used by openssh. These rules are not active upon package installation; they are installed in the /usr/share/nftables.avail/ directory. The user can either symlink them individually to /etc/nftables.d/, or add the configuration line include "/usr/share/nftables.avail/*.nft" to /etc/nftables.nft.
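As an added example that is not from the wiki page or from Alpine's nftables packaging: a small POSIX sh helper that performs the symlink step from the Configuration section and the per-file opt-in described in this section, refuses to overwrite a locally written file of the same name, and lists which packaged rulesets are currently enabled. The directory paths are the ones the page names; the function names, the overridable AVAIL_DIR, ENABLED_DIR and NFTABLES_CONF variables, and the use of nft's check mode (nft -c -f) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the Alpine wiki: an opt-in helper for the packaged
# rulesets. It symlinks one file from the "available" tree into the "enabled"
# tree, as the page does by hand for sshd.nft. The defaults are the
# directories the page names; they are overridable so the functions can be
# exercised against a constructed tree without root.
AVAIL_DIR="${AVAIL_DIR:-/usr/share/nftables.avail}"
ENABLED_DIR="${ENABLED_DIR:-/etc/nftables.d}"
NFTABLES_CONF="${NFTABLES_CONF:-/etc/nftables.nft}"

# enable_nftrule NAME: link $AVAIL_DIR/NAME.nft into $ENABLED_DIR.
# Returns 0 on success (also when already enabled), 1 for an unknown or
# unsafe name, 2 when $ENABLED_DIR/NAME.nft exists but is not that link.
enable_nftrule() {
    name=$1
    src="$AVAIL_DIR/$name.nft"
    dst="$ENABLED_DIR/$name.nft"
    case "$name" in
        ''|*/*|.*) echo "refusing unsafe ruleset name '$name'" >&2; return 1 ;;
    esac
    [ -f "$src" ] || { echo "no packaged ruleset at $src" >&2; return 1; }
    if [ -e "$dst" ] || [ -L "$dst" ]; then
        # Idempotent if it is already the expected link; a locally edited
        # file of the same name is left alone rather than overwritten.
        [ "$(readlink "$dst" 2>/dev/null)" = "$src" ] && return 0
        echo "$dst exists and is not a link to $src; not touching it" >&2
        return 2
    fi
    ln -s "$src" "$dst"
}

# list_enabled: names of the packaged rulesets currently linked into
# $ENABLED_DIR, one per line. This is the set that becomes active at the
# next service start; the include-glob alternative activates all of
# $AVAIL_DIR at once instead.
list_enabled() {
    for f in "$ENABLED_DIR"/*.nft; do
        [ -L "$f" ] || continue
        case "$(readlink "$f")" in
            "$AVAIL_DIR"/*) basename "$f" .nft ;;
        esac
    done
}

# check_rules: parse the full configuration with nft without loading it.
# Skipped (returns 0) where nft is not installed, e.g. on a build host.
check_rules() {
    command -v nft >/dev/null 2>&1 || { echo "nft not found; skipping" >&2; return 0; }
    nft -c -f "$NFTABLES_CONF"
}
```

Source the file as root and call enable_nftrule sshd, then check_rules, before restarting the nftables service.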

See also