Nftables: Difference between revisions
WhyNotHugo (talk | contribs) (Document -nftables packages) |
WhyNotHugo (talk | contribs) |
||
| (9 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
{{DISPLAYTITLE:nftables}}The | {{DISPLAYTITLE:nftables}}The [https://netfilter.org/projects/nftables nftables] project provides userspace tools to control the Linux nftables subsystem. | ||
== Installation == | |||
To use the {{ic|nft}} command from the {{Pkg|nftables}} package, install it first:{{Cmd|# apk add {{Pkg|nftables}}}} | |||
== Configuration == | |||
The default {{ic|nftables}}-shipped rules will block all incoming connections. The service that loads the rules from the {{Path|/etc/nftables.d}} folder can be enabled with: {{Cmd|# rc-service nftables start}} | |||
Make it start on future sessions also: | |||
{{Cmd|# rc-update add nftables boot}} | |||
However, there may be further packaged rules shipped with additional installed packages. | |||
=== Packaged rules === | |||
==== Downloading and enabling rules ==== | |||
If there are {{ic|nftables}} rules elsewhere, in the {{Path|/usr/share/nftables.avail}} folder, then they must be enabled: server software packages that are accompanied by an <code>-nftrules</code> package, for example, include the typical default rules to expose the server, but the rules are only downloaded and must then be enabled e.g. the {{pkg|openssh-nftrules}} package will only download rules to open the default port(s) used by {{pkg|openssh}}. | |||
{{Tip|On Alpine Linux Edge and from v3.23 onwards, all <code>-nftrules</code> that are available for your current installation, as well as for any future package to be installed, can be ''downloaded'' by installing {{Pkg|nftables-rulesets}} from the main repo: | |||
{{Cmd|# apk add nftables-rulesets}} | |||
}} | |||
These rules are '''''not''''' active upon package installation: they are only downloaded into that {{Path|/usr/share/nftables.avail/}} directory. The user can then enable them, either by: | |||
* symlinking them individually to {{Path|/etc/nftables.d/}}. For example, if there is the rule {{Path|/usr/share/nftables.avail/sshd.nft}}, then issue the command below:{{Cmd|# ln -s /usr/share/nftables.avail/sshd.nft /etc/nftables.d/sshd.nft}} or by | |||
* adding the configuration line <code>include "/usr/share/nftables.avail/*.nft"</code> into {{Path|/etc/nftables.nft}}. | |||
==== Reloading rules ==== | |||
The new ruleset can then be applied by simply ''reloading'' the service, or by rebooting. Reloading preserves the connections (the connection-tracking ''"conntrack"'' state), so it is preferable to ''restarting'' the service: | |||
{{Cmd|# rc-service nftables reload}} | |||
or, alternatively, load the new ruleset with: | |||
{{Cmd|# nft -f /etc/nftables.nft}} | |||
The '''nftables''' service is an init script that, when started or reloaded, runs once to load the rules and then exits. It is not a daemon, so it will not appear afterwards under {{ic|# rc-status}}. | |||
== See also == | |||
[[Category: | * [https://wiki.nftables.org/wiki-nftables/index.php/Main_Page nftables project Wiki] | ||
* [https://wiki.archlinux.org/title/Nftables ArchWiki - nftables] | |||
* [[Uncomplicated Firewall]] - Firewall program with higher level abstractions | |||
* [[Tutorials_and_Howtos#Firewall|Tutorials and Howtos - Firewall]] | |||
* [[Configure a Wireguard interface (wg)]] | |||
[[Category:Firewall]] | |||
Latest revision as of 00:21, 28 January 2026
The nftables project provides userspace tools to control the Linux nftables subsystem.
Installation
To use the nft command from the nftables package, install it first:
# apk add nftables
Configuration
The default nftables-shipped rules will block all incoming connections. The service that loads the rules from the /etc/nftables.d folder can be enabled with:
# rc-service nftables start
Make it start on future sessions also:
# rc-update add nftables boot
However, there may be further packaged rules shipped with additional installed packages.
Packaged rules
Downloading and enabling rules
If there are nftables rules elsewhere, in the /usr/share/nftables.avail folder, then they must be enabled: server software packages that are accompanied by an -nftrules package, for example, include the typical default rules to expose the server, but the rules are only downloaded and must then be enabled e.g. the openssh-nftrules package will only download rules to open the default port(s) used by openssh.
-nftrules that are available for your current installation, as well as for any future package to be installed, can be downloaded by installing nftables-rulesets from the main repo:
# apk add nftables-rulesets
These rules are not active upon package installation: they are only downloaded into that /usr/share/nftables.avail/ directory. The user can then enable them, either by:
- symlinking them individually to /etc/nftables.d/. For example, if there is the rule /usr/share/nftables.avail/sshd.nft, then issue the command below:
# ln -s /usr/share/nftables.avail/sshd.nft /etc/nftables.d/sshd.nft
or by - adding the configuration line
include "/usr/share/nftables.avail/*.nft"into /etc/nftables.nft.
Reloading rules
The new ruleset can then be applied by simply reloading the service, or by rebooting. Reloading preserves the connections (the connection-tracking "conntrack" state), so it is preferable to restarting the service:
# rc-service nftables reload
or, alternatively, load the new ruleset with:
# nft -f /etc/nftables.nft
The nftables service is an init script that, when started or reloaded, runs once to load the rules and then exits. It is not a daemon, so it will not appear afterwards under # rc-status.
See also
- nftables project Wiki
- ArchWiki - nftables
- Uncomplicated Firewall - Firewall program with higher level abstractions
- Tutorials and Howtos - Firewall
- Configure a Wireguard interface (wg)