Tuesday, October 7, 2025

Debian 13: general nftables with set for web server and router

This is general nftables for apache, ssh, dns ntp 

#!/usr/sbin/nft -f

flush ruleset

table inet filter {

    # Set for common inbound web server ports

    set web_ports {

        type inet_service;

        flags interval;

        elements = { 80, 443 }

    }

    # Set for other essential services, like SSH, DNS, and NTP

    set services {

        type inet_service;

        elements = { 22, 53, 123 }

    }

    chain input {

        type filter hook input priority 0; policy drop;

        # Allow connections that are part of an existing or related session

        ct state established,related accept

        # Drop invalid packets

        ct state invalid drop

        # Allow traffic from the loopback interface

        iif "lo" accept

        # Allow incoming traffic for common web services

        tcp dport @web_ports accept

        # Allow incoming SSH, DNS, and NTP traffic

        tcp dport @services accept

        udp dport @services accept

        # Allow incoming ICMP (ping) packets for diagnostics

        icmp type echo-request accept

        # Log and drop any other incoming traffic

        meta protocol vmap { ip : log prefix "[NFT-DROP]: ", ip6 : log prefix "[NFT-DROP]: " }

        meta protocol vmap { ip : drop, ip6 : drop }

    }

    chain forward {

        type filter hook forward priority 0; policy drop;

    }

    chain output {

        type filter hook output priority 0; policy accept;

    }

}

This is nftable for general router

  • eth0 to internet/router
  • eth1 to lan 

Edit/create nano /etc/sysctl.conf

net.ipv4.ip_forward=1

nftables rules

#!/usr/sbin/nft -f

# Clear all existing rules

flush ruleset

# --- Define variables for interfaces and networks ---

define wan_if = eth0

define lan_if = eth1

define lan_net = 192.168.1.0/24

# === Table for IPv4/IPv6 filtering ===

table inet filter {

    # Set for essential services (SSH, DNS, NTP)

    set essential_services {

        type inet_service;

        elements = { 22, 53, 123 }

    }

    # Set for web server ports

    set web_ports {

        type inet_service;

        flags interval;

        elements = { 80, 443 }

    }

    # Set of trusted interfaces (LAN)

    set trusted_interfaces {

        type ifname;

        elements = { $lan_if }

    }

    # Set of untrusted interfaces (WAN)

    set untrusted_interfaces {

        type ifname;

        elements = { $wan_if }

    }

    # --- INPUT chain: Controls traffic destined for the router itself ---

    chain input {

        type filter hook input priority 0; policy drop;

        # Accept packets that are part of an established or related connection

        ct state established,related accept

        # Drop any packets with an invalid connection state

        ct state invalid drop

        # Allow traffic from the loopback interface

        iif "lo" accept

        # Allow all traffic from the trusted LAN interfaces

        iifname @trusted_interfaces accept

        # Allow incoming SSH, DNS, and NTP from the internet (rate limited)

        iifname @untrusted_interfaces tcp dport @essential_services limit rate 10/minute accept

        iifname @untrusted_interfaces udp dport @essential_services limit rate 10/minute accept

        # Allow incoming web traffic (Apache) from the internet

        iifname @untrusted_interfaces tcp dport @web_ports accept

        # Allow ICMP (ping) from the internet, but rate-limit it

        iifname @untrusted_interfaces icmp type echo-request limit rate 5/second accept

        # Log and drop everything else coming from untrusted interfaces

        iifname @untrusted_interfaces log prefix "NFT-INET-DROP: "

        iifname @untrusted_interfaces drop

        # Catch-all log and drop for other incoming traffic

        log prefix "NFT-INPUT-DROP: "

        drop

    }

    # --- FORWARD chain: Controls traffic passing *through* the router ---

    chain forward {

        type filter hook forward priority 0; policy drop;

        # Accept packets that are part of an established or related connection

        ct state established,related accept

        # Drop invalid packets

        ct state invalid drop

        # Allow outbound traffic from the LAN to the internet

        iifname @trusted_interfaces oifname @untrusted_interfaces accept

        # Log and drop any other forwarded traffic

        log prefix "NFT-FORWARD-DROP: "

        drop

    }

    # --- OUTPUT chain: Controls traffic originating from the server ---

    chain output {

        type filter hook output priority 0; policy accept;

    }

}

# === NAT table for IPv4 (needed for internet access from LAN) ===

table ip nat {

    # --- PREROUTING chain: Used for incoming traffic before routing ---

    chain prerouting {

        type nat hook prerouting priority 0;

        # Example: Port forward incoming web traffic from the internet to a specific LAN machine

        # iifname $wan_if tcp dport { 80, 443 } dnat to 192.168.1.100

    }

    # --- POSTROUTING chain: Used for outgoing traffic after routing ---

    chain postrouting {

        type nat hook postrouting priority 100;

        # Masquerade traffic leaving the internet interface

        oifname $wan_if masquerade

    }

}