Iptables replacement with nicer configuration

There is a systemd service, nftables.service, that loads the /etc/nftables.conf file on startup.

nftables rule loading is atomic, so if there are syntax errors the service reload fails and the old rules are kept (NB: this only works when the rule file starts with flush ruleset).

systemctl reload nftables
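The reload caveat above (the atomic reload only helps when the file begins with flush ruleset) is easy to enforce before reloading. The script below is an added example and not from this wiki; it takes the rule file path as an argument, checks that the first real statement is flush ruleset, and dry-runs the file through nft -c -f (check mode, nothing is committed) when nft is installed, skipping that step with a notice otherwise.

```shell
#!/bin/sh
# Added example: pre-reload checks for an nftables rule file.
# Not part of the wiki page; the file path is an argument, nothing is hard-coded.

# Succeed only if the first real statement in $1 is "flush ruleset".
# Shebang and comment lines (both start with '#') and blank lines are skipped.
starts_with_flush() {
    first=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
            | head -n 1 | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    [ "$first" = "flush ruleset" ]
}

# Dry-run parse of $1 with nft (-c = check only, nothing is applied). If nft is
# not installed, e.g. when running this on a workstation, the check is skipped.
check_syntax() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not found, skipping syntax check of $1" >&2
    fi
}

# Run both checks and reload the service only when they pass.
# Usage: safe_reload /etc/nftables.conf
safe_reload() {
    if ! starts_with_flush "$1"; then
        echo "$1 does not start with 'flush ruleset'; a reload would append to the live rules instead of replacing them" >&2
        return 1
    fi
    check_syntax "$1" || return 1
    systemctl reload nftables
}
```

Run safe_reload as root (systemctl and nft need it); a file that fails either check is never handed to the service.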
Port numbers can be replaced with nice names from the /etc/services file:
```
#!/usr/sbin/nft -f
# Docs: https://wiki.wut.ee/sysadmin/nftables

flush ruleset

# ipv4/ipv6 combo filters
table inet filter {
    # Traffic to host
    chain input {
        type filter hook input priority 0
        # Do this when no rule matches
        policy drop
        #policy accept

        # accept any localhost traffic
        iifname "lo" accept

        # Allow only traffic that is understood by the conntrack framework
        ct state invalid counter drop

        # Allow established connections to work and allow related icmp packets
        ct state established,related accept

        # Ping and other icmp packets are always okay
        # http://shouldiblockicmp.com/
        ip protocol icmp counter accept
        ip6 nexthdr icmpv6 counter accept
        # TODO icmp rate limit

        # Allow those services to the host
        # dnsmasq authoritative dns server is on public port 53
        # 60000-60010 mosh
        # 51820 wireguard
        tcp dport {ssh, 53, http, https} accept
        udp dport {53, dhcpv6-client, 60000-60010, 51820} accept

        # Everything from internal lan is also okay
        # iifname "ens4" accept
    }

    # traffic from host
    chain output {
        type filter hook output priority 0
        # Do this when no rule matches
        policy accept
    }

    # traffic we route between networks (aka Router)
    chain forward {
        type filter hook forward priority 0
        # Do this when no rule matches
        policy drop
        #policy accept

        # http://shouldiblockicmp.com/
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
    }
}

# ipv4 only
# https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)
# https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks#Priority_within_hook
#table ip nat {
#    chain prerouting {
#        type nat hook prerouting priority -100
#
#        policy drop
#
#        # http container
#        #ip daddr 193.40.103.195 tcp dport {http, https} counter dnat to 192.19.18.10
#    }
#
#    chain postrouting {
#        type nat hook postrouting priority 100
#
#        policy drop
#
#        # nat packets that come from br-int subnet
#        #ip saddr 192.19.18.0/24 masquerade
#    }
#}

# Include other files
include "/etc/nftables.d/*.conf"

# Policy drop counters must be last in the chains for the count to be accurate
table inet filter {
    chain input {
        # Count non matching packets
        counter comment "Dropped incoming packets"
        # when you are troubleshooting uncomment the next line.
        #log prefix "Incoming packet dropped: "
    }
    chain forward {
        # Count non matching packets
        counter comment "Packets not forwarded"
        # when you are troubleshooting uncomment the next line.
        #log prefix "Forward packet dropped: "
    }
}
```
You can list counters via

nft list ruleset

You can also watch those counters:

sudo watch nft list ruleset

If you add a log statement to a rule, matched packets are sent to syslog/journal and can be viewed with

journalctl -fan100
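To read the drop counters without scanning the whole ruleset by eye, here is an added shell example (not from the wiki) that pulls packet and byte counts out of nft list ruleset output. The ruleset text in SAMPLE_RULESET is a constructed sample with made-up counter values, shaped like the counter rules at the end of the ruleset above; in real use pipe sudo nft list ruleset into the functions instead.

```shell
#!/bin/sh
# Added example: summarise counter rules from "nft list ruleset" output.
# Not part of the wiki page. SAMPLE_RULESET is a constructed sample; the
# packet and byte numbers are made up.
SAMPLE_RULESET='table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state invalid counter packets 12 bytes 480 drop
        ip protocol icmp counter packets 33 bytes 2772 accept
        counter packets 1507 bytes 90420 comment "Dropped incoming packets"
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        counter packets 4 bytes 240 comment "Packets not forwarded"
    }
}'

# Read ruleset text on stdin and print one line per commented counter rule:
#   <comment>: <packets> packets, <bytes> bytes
# Uncommented counters (like the "ct state invalid" one) are ignored.
counter_summary() {
    awk '/counter packets [0-9]+ bytes [0-9]+ .*comment "/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "packets") p = $(i + 1)
            if ($i == "bytes")   b = $(i + 1)
        }
        # comment "..." is the last token group; strip the 9-char prefix and the closing quote
        match($0, /comment "[^"]*"/)
        c = substr($0, RSTART + 9, RLENGTH - 10)
        printf "%s: %s packets, %s bytes\n", c, p, b
    }'
}

# Read ruleset text on stdin and print only the packet count of the counter
# whose comment equals $1 (prints nothing if there is no such counter).
counter_packets() {
    awk -v want="$1" '
        index($0, "comment \"" want "\"") && /counter packets [0-9]+/ {
            for (i = 1; i <= NF; i++) if ($i == "packets") { print $(i + 1); exit }
        }
    '
}

# Usage against the live ruleset (needs root):
#   sudo nft list ruleset | counter_summary
#   sudo nft list ruleset | counter_packets "Dropped incoming packets"
```

A rising "Dropped incoming packets" count with no corresponding service change is the cue to temporarily uncomment the log prefix line in the ruleset and watch the journal.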
Running Docker alongside this ruleset might work, but it is not recommended. Just put Docker in a private network namespace so that it does not mess with host networking:

https://wiki.archlinux.org/title/Nftables#Working_with_Docker