Nftables: Difference between revisions

From Alpine Linux
(changed to Category:Firewall)
(updated page based on https://gitlab.alpinelinux.org/alpine/aports/-/issues/16177)
Line 1: Line 1:
{{DISPLAYTITLE:nftables}}The {{Pkg|nftables}} package provides user-space tools to control the Linux nftables subsystem.
{{DISPLAYTITLE:nftables}}The netfilter.org [https://netfilter.org/projects/nftables nftables] project provides user-space tools to control the Linux nftables subsystem.


A service that loads the rules from {{path|/etc/nftables.d}} can be enabled with:
== Installation ==


rc-update add nftables boot
To use {{Pkg|nftables}} package, install it first:{{Cmd|# apk add {{Pkg|nftables}}}}
rc-service nftables start


The default rules shipped will block all incoming connections.
== Configuration ==


= Packaged Rules =
The default <code>nftable</code> rules shipped will block all incoming connections. A service that loads the rules from {{path|/etc/nftables.d}} folder can be enabled with: {{Cmd|<nowiki># rc-update add nftables boot
# rc-service nftables start</nowiki>}}


{{Note|This section describes a feature that are still being implemented and subject to change}}
== Packaged rules ==


Many packages with server software are accompanied by an <code>-nftables</code> package which include the typical default rules to expose the server.
{{Issue|16177|This section describes a feature that are still being implemented and subject to change}}


For example, <code>openssh-nftables</code> will open the default port used by <code>openssh</code> (i.e.: TCP port 22).
Server software packages that are accompanied by an <code>-nftables</code> package includes the typical default rules to expose the server. For example, {{pkg|kdeconnect-nftables}} package will open the default port(s) used by <code>kdeconnect</code>. These rules are active upon package installation.


To enable these rules, they must be symlinked in <code>nftable</code>'s configuration directory. E.g.:
If {{ic|nftables}} rules are in {{Path|/usr/share/nftables.avail}} folder, they must be symlinked to {{path|/etc/nftables.d}} folder to enable them. For e.g if there is a rule {{Path|/usr/share/nftables.avail/sshd.nft}}, issue the below command:{{Cmd|# ln -s /usr/share/nftables.avail/sshd.nft /etc/nftables.d/sshd.nft}}


<pre>
== See also ==
ln -s /usr/share/nftables.avail/sshd.nft /etc/nftables.d/sshd.nft
</pre>
 
= See also =


* [https://wiki.archlinux.org/title/Nftables nftables - ArchWiki]
* [https://wiki.archlinux.org/title/Nftables nftables - ArchWiki]
* [https://netfilter.org/projects/nftables/ nftables project homepage]
* [https://netfilter.org/projects/nftables/ nftables project homepage]
* [[Uncomplicated Firewall]]: Firewall program with higher level abstractions.
* [[Uncomplicated Firewall]] Firewall program with higher level abstractions


[[Category:Firewall]]
[[Category:Firewall]]
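Review bot: the new "Packaged rules" paragraph states that the rules "are active upon package installation", but the paragraph immediately after it says rule files in /usr/share/nftables.avail must be symlinked into /etc/nftables.d to enable them; the two statements contradict each other, so say which applies (for instance, that only rules shipped directly into /etc/nftables.d are active on installation, while those under nftables.avail need the symlink). Smaller points in the same hunk: "<code>nftable</code>" in the Configuration paragraph should be "nftables", the {{Issue}} text "a feature that are still being implemented" should read "is still being implemented", and "packages ... includes" should be "include".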

Revision as of 06:03, 5 August 2025

The netfilter.org nftables project provides user-space tools to control the Linux nftables subsystem.

Installation

To use the nftables package, install it first:

# apk add nftables

Configuration

The default nftables rules shipped will block all incoming connections. A service that loads the rules from the /etc/nftables.d folder can be enabled with:

# rc-update add nftables boot
# rc-service nftables start

Packaged rules

#16177. This section describes a feature that is still being implemented and subject to change.

Server software packages that are accompanied by an -nftables package include the typical default rules to expose the server. For example, the kdeconnect-nftables package will open the default port(s) used by kdeconnect. These rules are active upon package installation.

If nftables rules are in the /usr/share/nftables.avail folder, they must be symlinked into the /etc/nftables.d folder to enable them. For example, if there is a rule file /usr/share/nftables.avail/sshd.nft, issue the following command:

# ln -s /usr/share/nftables.avail/sshd.nft /etc/nftables.d/sshd.nft
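The symlink step above can be wrapped in a small script so that enabling and disabling packaged rules is repeatable and cannot clobber a locally edited rule file. The script below is an added example, not part of this wiki page or of the Alpine nftables package: it is POSIX sh (so it runs under Alpine's busybox ash), the directories /usr/share/nftables.avail and /etc/nftables.d and the sshd.nft file name come from the page, and the function names, the overwrite and idempotency checks, and the NFT_AVAIL_DIR/NFT_ENABLED_DIR override variables are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Alpine wiki page or the nftables package:
# enable/disable packaged rule files by symlinking them from
# /usr/share/nftables.avail into /etc/nftables.d, as the page describes.
# The two directories and the *.nft naming come from the page; the function
# names and the environment overrides below are this script's own assumptions.

: "${NFT_AVAIL_DIR:=/usr/share/nftables.avail}"   # where packages drop rule files
: "${NFT_ENABLED_DIR:=/etc/nftables.d}"           # what the nftables service loads

# Enable a packaged rule file by name (e.g. "sshd" for sshd.nft).
# Exit status: 0 enabled or already enabled, 1 rule file missing,
# 2 something other than the expected symlink already occupies the target.
nft_enable_rule() {
    name="$1"
    src="$NFT_AVAIL_DIR/$name.nft"
    dst="$NFT_ENABLED_DIR/$name.nft"
    if [ ! -f "$src" ]; then
        echo "no such rule file: $src" >&2
        return 1
    fi
    if [ -L "$dst" ] && [ "$(readlink "$dst")" = "$src" ]; then
        return 0    # idempotent: the correct symlink is already present
    fi
    if [ -e "$dst" ] || [ -L "$dst" ]; then
        # A real file here is probably a locally edited ruleset; never clobber it.
        echo "refusing to overwrite existing $dst" >&2
        return 2
    fi
    ln -s "$src" "$dst"
}

# Disable a rule by removing its symlink. Regular files are left alone so a
# locally written rule file in /etc/nftables.d is never deleted by mistake.
nft_disable_rule() {
    dst="$NFT_ENABLED_DIR/$1.nft"
    if [ ! -L "$dst" ]; then
        echo "not an enabled symlink: $dst" >&2
        return 1
    fi
    rm "$dst"
}

# Print the names of enabled packaged rules, one per line (symlinks only).
nft_list_enabled() {
    for f in "$NFT_ENABLED_DIR"/*.nft; do
        [ -L "$f" ] || continue
        b=${f##*/}
        printf '%s\n' "${b%.nft}"
    done
}

# Minimal command-line front end; does nothing when sourced without arguments.
nft_rule_main() {
    case "$1" in
        enable)  nft_enable_rule "$2" ;;
        disable) nft_disable_rule "$2" ;;
        list)    nft_list_enabled ;;
        *)       echo "usage: $0 enable|disable|list [rule]" >&2; return 64 ;;
    esac
}
[ $# -eq 0 ] || nft_rule_main "$@"
```

Run it as `sh nft-rule.sh enable sshd`, then restart the service (`rc-service nftables restart`, the standard OpenRC verb; the page itself only shows `start`) so the running ruleset picks up the change. Only symlinks are created or removed: a regular file in /etc/nftables.d is treated as local administrator configuration and is neither replaced by a packaged default nor deleted on disable.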

See also