Nftables : Enable Service
2022/06/29

This is the basic operation of nftables.

[1] On RHEL 9 / CentOS Stream 9, nftables is used as the default firewalld backend.

[root@dlp ~]# grep nftables /etc/firewalld/firewalld.conf
# - nftables (default)
FirewallBackend=nftables

[2] If you use nftables directly, disable the firewalld service so that the two firewall services do not interfere with each other. Furthermore, enable nftables.service, which restores the filtering ruleset when the system restarts.

[root@dlp ~]# systemctl disable --now firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@dlp ~]# systemctl enable --now nftables
Created symlink /etc/systemd/system/multi-user.target.wants/nftables.service → /usr/lib/systemd/system/nftables.service.

# [nftables.service] restores the ruleset from [/etc/sysconfig/nftables.conf]
[root@dlp ~]# systemctl cat nftables.service
# /usr/lib/systemd/system/nftables.service
[Unit]
Description=Netfilter Tables
Documentation=man:nft(8)
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
ProtectSystem=full
ProtectHome=true
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

# [/etc/sysconfig/nftables.conf] has no settings by default
[root@dlp ~]# cat /etc/sysconfig/nftables.conf
# Uncomment the include statement here to load the default config sample
# in /etc/nftables for nftables service.
#include "/etc/nftables/main.nft"
# To customize, either edit the samples in /etc/nftables, append further
# commands to the end of this file or overwrite it after first service
# start by calling: 'nft list ruleset >/etc/sysconfig/nftables.conf'.

[3] If you switch to the nftables service while keeping the ruleset that Firewalld configured, configure as follows.

# confirm Firewalld rules (firewalld is still running at this point)
[root@dlp ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

# confirm the current nftables ruleset generated by the Firewalld backend
[root@dlp ~]# nft list ruleset
table inet firewalld {
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_ZONES
}
chain mangle_PREROUTING_POLICIES_pre {
jump mangle_PRE_policy_allow-host-ipv6
}
chain mangle_PREROUTING_ZONES {
iifname "enp1s0" goto mangle_PRE_public
goto mangle_PRE_public
}
chain mangle_PREROUTING_POLICIES_post {
}
.....
.....
# output the current ruleset to [/etc/sysconfig/nftables.conf]
[root@dlp ~]# nft list ruleset > /etc/sysconfig/nftables.conf

# disable firewalld service & enable nftables service
[root@dlp ~]# systemctl disable --now firewalld
[root@dlp ~]# systemctl enable --now nftables

# confirm ruleset
[root@dlp ~]# nft list ruleset
table inet firewalld {
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_ZONES
}
chain mangle_PREROUTING_POLICIES_pre {
jump mangle_PRE_policy_allow-host-ipv6
}
.....
.....

# for example, the rules for the services allowed on [firewalld] [services: cockpit dhcpv6-client ssh] can be shown like follows
[root@dlp ~]# nft list chain inet firewalld filter_IN_public_allow
table inet firewalld {
chain filter_IN_public_allow {
tcp dport 22 ct state { new, untracked } accept
ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
tcp dport 9090 ct state { new, untracked } accept
}
}
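Once the ruleset has been snapshotted into /etc/sysconfig/nftables.conf, it is worth verifying that the saved file accepts only the services you intended, since that file is now what nftables.service loads at every boot. The following POSIX shell script is an added example, not part of the original page: it extracts the accepted TCP ports from a named chain of a saved ruleset (the chain name filter_IN_public_allow comes from the output above; the embedded sample ruleset is constructed and the function names are my own) and compares them with an allowlist.

```shell
#!/bin/sh
# Added example: check that a saved nftables ruleset only accepts the TCP ports you expect.
# Constructed sample modelled on the filter_IN_public_allow chain shown above;
# on a real host point the functions at /etc/sysconfig/nftables.conf instead.
SAMPLE_RULESET='table inet firewalld {
	chain filter_IN_public_allow {
		tcp dport 22 ct state { new, untracked } accept
		ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
		tcp dport 9090 ct state { new, untracked } accept
	}
}'

# allowed_tcp_ports FILE CHAIN: print each TCP port accepted in CHAIN, one per line, sorted.
# Handles both "tcp dport 22 ... accept" and the set form "tcp dport { 22, 80 } ... accept".
allowed_tcp_ports() {
    awk -v chain="$2" '
        $1 == "chain" && $2 == chain { inchain = 1; next }
        inchain && $1 == "}"         { inchain = 0 }
        inchain && $1 == "tcp" && $2 == "dport" && $NF == "accept" {
            if ($3 != "{") { print $3; next }
            for (i = 4; i <= NF && $i != "}"; i++) { gsub(",", "", $i); print $i }
        }' "$1" | sort -n | uniq
}

# check_allowlist FILE CHAIN "PORT PORT ...": return 0 if every accepted TCP port is in
# the allowlist, otherwise report the extra ports on stderr and return 1.
check_allowlist() {
    unexpected=""
    for p in $(allowed_tcp_ports "$1" "$2"); do
        case " $3 " in
            *" $p "*) ;;
            *) unexpected="$unexpected $p" ;;
        esac
    done
    [ -z "$unexpected" ] && return 0
    echo "unexpected accepted TCP ports in $2:$unexpected" >&2
    return 1
}

# Run against the constructed sample; 22 (ssh) and 9090 (cockpit) are the expected ports.
sample_file=$(mktemp)
printf '%s\n' "$SAMPLE_RULESET" > "$sample_file"
check_allowlist "$sample_file" filter_IN_public_allow "22 9090" && echo "ruleset matches allowlist"
rm -f "$sample_file"
```

Running `check_allowlist /etc/sysconfig/nftables.conf filter_IN_public_allow "22 9090"` from cron or a configuration check gives a non-zero exit as soon as an extra port is accepted in the saved snapshot.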