nftables
The nftables project provides user-space tools to control the Linux nftables subsystem.
Installation
To use nft
command from nftables package, install it first:
# apk add nftables
Configuration
The default nftable
rules shipped will block all incoming connections. A service that loads the rules from /etc/nftables.d folder can be enabled with:
# rc-update add nftables boot # rc-service nftables start
If nftables
rules are in /usr/share/nftables.avail folder, they must be symlinked to /etc/nftables.d folder to enable them. For e.g if there is a rule /usr/share/nftables.avail/sshd.nft, issue the below command:
# ln -s /usr/share/nftables.avail/sshd.nft /etc/nftables.d/sshd.nft
Packaged rules
Server software packages that are accompanied by an -nftrules
package includes the typical default rules to expose the server. For example, openssh-nftrules package will open the default port(s) used by openssh. These rules are not active upon package installation. They are installed in the /usr/share/nftables.avail/
directory. The user can either symlink them individually to /etc/nftables.d/
, or add this configuration line include "/usr/share/nftables.avail/*.nft"
to /etc/nftables.nft
.
See also
- nftables project Wiki
- nftables - ArchWiki
- Uncomplicated Firewall Firewall program with higher level abstractions