Nftables: Difference between revisions

From Alpine Linux
(→‎Packaged rules: Added instructions for new nftables-rulesets package)
(1. Consolidated packaged rules passages (partly repetitive despite prior useful edits); 2. 'Packaged rules' section made subsection of Configuration, adding subheadings for downloading/enabling and reloading steps; 3. Added 'reload' passage, indicating that nftables is not a daemon so it will not appear under rc-status; 4. →‎See also: Added Tutorials and Howtos - Firewall; 5. Style/grammar amendments.)
 
{{DISPLAYTITLE:nftables}}The [https://netfilter.org/projects/nftables nftables] project provides user-space tools to control the Linux nftables subsystem.
{{DISPLAYTITLE:nftables}}The [https://netfilter.org/projects/nftables nftables] project provides userspace tools to control the Linux nftables subsystem.


== Installation ==
== Installation ==


To use {{ic|nft}} command from {{Pkg|nftables}} package, install it first:{{Cmd|# apk add {{Pkg|nftables}}}}
To use the {{ic|nft}} command from the {{Pkg|nftables}} package, install it first:{{Cmd|# apk add {{Pkg|nftables}}}}


== Configuration ==
== Configuration ==


The default <code>nftable</code> rules shipped will block all incoming connections. A service that loads the rules from {{path|/etc/nftables.d}} folder can be enabled with: {{Cmd|<nowiki># rc-update add nftables boot
The default {{ic|nftables}}-shipped rules will block all incoming connections. The service that loads the rules from the {{Path|/etc/nftables.d}} folder can be enabled with: {{Cmd|# rc-service nftables start}}
# rc-service nftables start</nowiki>}}
Make it start on future sessions also:
{{Cmd|# rc-update add nftables boot}}
However, there may be further packaged rules shipped with additional installed packages.


If {{ic|nftables}} rules are in {{Path|/usr/share/nftables.avail}} folder, they must be symlinked to {{path|/etc/nftables.d}} folder to enable them. For e.g if there is a rule {{Path|/usr/share/nftables.avail/sshd.nft}}, issue the below command:{{Cmd|# ln -s /usr/share/nftables.avail/sshd.nft /etc/nftables.d/sshd.nft}}
=== Packaged rules ===


== Packaged rules ==
==== Downloading and enabling rules ====


Server software packages that are accompanied by an <code>-nftrules</code> package includes the typical default rules to expose the server. For example, {{pkg|openssh-nftrules}} package will open the default port(s) used by {{pkg|openssh}}. On Alpine Linux Edge and from v3.23 onwards, all <code>-nftrules</code> that are available for your current installation, as well as for any future package to be installed, can be downloaded by installing {{Pkg|nftables-rulesets}} on the main repo:
If there are {{ic|nftables}} rules elsewhere, in the {{Path|/usr/share/nftables.avail}} folder, then they must be enabled:  server software packages that are accompanied by an <code>-nftrules</code> package, for example, include the typical default rules to expose the server, but the rules are only downloaded and must then be enabled e.g. the {{pkg|openssh-nftrules}} package will only download rules to open the default port(s) used by {{pkg|openssh}}.  
{{Cmd|$ doas apk add nftables-rulesets}}


These rules are not active upon package installation. They are installed in the <code>/usr/share/nftables.avail/</code> directory. The user can either symlink them individually to <code>/etc/nftables.d/</code>, or add this configuration line <code>include "/usr/share/nftables.avail/*.nft"</code> to <code>/etc/nftables.nft</code>.
{{Tip|On Alpine Linux Edge and from v3.23 onwards, all <code>-nftrules</code> that are available for your current installation, as well as for any future package to be installed, can be ''downloaded'' by installing {{Pkg|nftables-rulesets}} from the main repo:
{{Cmd|# apk add nftables-rulesets}}
}}
These rules are '''''not''''' active upon package installation:  they are only downloaded into that {{Path|/usr/share/nftables.avail/}} directory. The user can then enable them, either by:
* symlinking them individually to {{Path|/etc/nftables.d/}}.  For example, if there is the rule {{Path|/usr/share/nftables.avail/sshd.nft}}, then issue the command below:{{Cmd|# ln -s /usr/share/nftables.avail/sshd.nft /etc/nftables.d/sshd.nft}}  or by
* adding the configuration line <code>include "/usr/share/nftables.avail/*.nft"</code> into {{Path|/etc/nftables.nft}}.
 
==== Reloading rules ====
 
The new ruleset can then be applied by simply ''reloading'' the service, or by rebooting.  Reloading preserves the connections (the connection-tracking ''"conntrack"'' state), so it is preferable to ''restarting'' the service:
{{Cmd|# rc-service nftables reload}}
or, alternatively, load the new ruleset with:
{{Cmd|# nft -f /etc/nftables.nft}}
The '''nftables''' service is an init script that, when started or reloaded, runs once to load the rules and then exits.  It is not a daemon, so it will not appear afterwards under {{ic|# rc-status}}.


== See also ==
== See also ==


* [https://wiki.nftables.org/wiki-nftables/index.php/Main_Page nftables project Wiki]
* [https://wiki.nftables.org/wiki-nftables/index.php/Main_Page nftables project Wiki]
* [https://wiki.archlinux.org/title/Nftables nftables - ArchWiki]
* [https://wiki.archlinux.org/title/Nftables ArchWiki - nftables]
* [[Uncomplicated Firewall]] Firewall program with higher level abstractions
* [[Uncomplicated Firewall]] - Firewall program with higher level abstractions
* [[Tutorials_and_Howtos#Firewall|Tutorials and Howtos - Firewall]]
 


[[Category:Firewall]]
[[Category:Firewall]]

Latest revision as of 01:37, 3 January 2026

The nftables project provides userspace tools to control the Linux nftables subsystem.

Installation

To use the nft command from the nftables package, install it first:

# apk add nftables

Configuration

The default nftables-shipped rules will block all incoming connections. The service that loads the rules from the /etc/nftables.d folder can be enabled with:

# rc-service nftables start

Make it start on future sessions also:

# rc-update add nftables boot

However, there may be further packaged rules shipped with additional installed packages.

Packaged rules

Downloading and enabling rules

Other nftables rules may be installed elsewhere, in the /usr/share/nftables.avail folder, and those must be enabled before they take effect. Server software packages that are accompanied by an -nftrules package, for example, ship the typical default rules to expose the server, but these rules are only downloaded and must then be enabled: the openssh-nftrules package only downloads the rules that open the default port(s) used by openssh.

Tip: On Alpine Linux Edge and from v3.23 onwards, all -nftrules that are available for your current installation, as well as for any future package to be installed, can be downloaded by installing nftables-rulesets from the main repo:

# apk add nftables-rulesets

These rules are not active upon package installation: they are only downloaded into that /usr/share/nftables.avail/ directory. The user can then enable them, either by:

  • symlinking them individually to /etc/nftables.d/. For example, if there is the rule /usr/share/nftables.avail/sshd.nft, then issue the command below:

    # ln -s /usr/share/nftables.avail/sshd.nft /etc/nftables.d/sshd.nft

    or by
  • adding the configuration line include "/usr/share/nftables.avail/*.nft" into /etc/nftables.nft.

Reloading rules

The new ruleset can then be applied by simply reloading the service, or by rebooting. Reloading preserves the connections (the connection-tracking "conntrack" state), so it is preferable to restarting the service:

# rc-service nftables reload

or, alternatively, load the new ruleset with:

# nft -f /etc/nftables.nft

The nftables service is an init script that, when started or reloaded, runs once to load the rules and then exits. It is not a daemon, so it will not appear afterwards in the output of # rc-status.
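The enabling and reloading steps above, as an added shell example that is not code from the Alpine wiki or the nftables project. It covers both ways the page describes of enabling packaged rules (a per-file symlink into /etc/nftables.d, or the include line in /etc/nftables.nft) and checks the merged ruleset with nft -c before reloading, so a file with a syntax error never replaces the running firewall. The directory and file arguments are assumptions added so the functions can be tried against a scratch tree; their defaults are the Alpine paths named on the page.

```shell
#!/bin/sh
# Added example (not from the Alpine wiki or the nftables project).
# Paths are parameters with the Alpine defaults so the functions can be
# exercised against a scratch directory before touching the real system.

# Symlink one packaged rule file from nftables.avail into the drop-in directory.
enable_rule() {
    name="$1"
    avail="${2:-/usr/share/nftables.avail}"
    dropin="${3:-/etc/nftables.d}"
    src="$avail/$name.nft"
    dst="$dropin/$name.nft"
    [ -f "$src" ] || { echo "no packaged rule file: $src" >&2; return 1; }
    # Never clobber a locally written rule file that happens to share the name.
    if [ -e "$dst" ] && [ ! -L "$dst" ]; then
        echo "refusing to replace regular file $dst" >&2
        return 2
    fi
    ln -sf "$src" "$dst"
}

# Alternative: enable every packaged rule at once with the include line from
# the page, appended only if it is not already present (idempotent).
add_include() {
    conf="${1:-/etc/nftables.nft}"
    line='include "/usr/share/nftables.avail/*.nft"'
    grep -qxF "$line" "$conf" 2>/dev/null && return 0
    printf '%s\n' "$line" >> "$conf"
}

# Parse the full ruleset without applying it (nft -c); reload only if valid.
# Reload keeps conntrack state, which is why the page prefers it to restart.
check_and_reload() {
    conf="${1:-/etc/nftables.nft}"
    if nft -c -f "$conf"; then
        rc-service nftables reload
    else
        echo "ruleset check failed; running rules left unchanged" >&2
        return 1
    fi
}
```

On a real host the sequence is `enable_rule sshd && check_and_reload` (or `add_include && check_and_reload`), run as root.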

See also