This is general nftables for apache, ssh, dns ntp
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
# Set for common inbound web server ports
set web_ports {
type inet_service;
flags interval;
elements = { 80, 443 }
}
# Set for other essential services, like SSH, DNS, and NTP
set services {
type inet_service;
elements = { 22, 53, 123 }
}
chain input {
type filter hook input priority 0; policy drop;
# Allow connections that are part of an existing or related session
ct state established,related accept
# Drop invalid packets
ct state invalid drop
# Allow traffic from the loopback interface
iif "lo" accept
# Allow incoming traffic for common web services
tcp dport @web_ports accept
# Allow incoming SSH, DNS, and NTP traffic
tcp dport @services accept
udp dport @services accept
# Allow incoming ICMP (ping) packets for diagnostics
icmp type echo-request accept
# Log and drop any other incoming traffic
meta protocol vmap { ip : log prefix "[NFT-DROP]: ", ip6 : log prefix "[NFT-DROP]: " }
meta protocol vmap { ip : drop, ip6 : drop }
}
chain forward {
type filter hook forward priority 0; policy drop;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
This is nftable for general router
- eth0 to internet/router
- eth1 to lan
Edit/create nano /etc/sysctl.conf
net.ipv4.ip_forward=1
nftables rules
#!/usr/sbin/nft -f
# Clear all existing rules
flush ruleset
# --- Define variables for interfaces and networks ---
define wan_if = eth0
define lan_if = eth1
define lan_net = 192.168.1.0/24
# === Table for IPv4/IPv6 filtering ===
table inet filter {
# Set for essential services (SSH, DNS, NTP)
set essential_services {
type inet_service;
elements = { 22, 53, 123 }
}
# Set for web server ports
set web_ports {
type inet_service;
flags interval;
elements = { 80, 443 }
}
# Set of trusted interfaces (LAN)
set trusted_interfaces {
type ifname;
elements = { $lan_if }
}
# Set of untrusted interfaces (WAN)
set untrusted_interfaces {
type ifname;
elements = { $wan_if }
}
# --- INPUT chain: Controls traffic destined for the router itself ---
chain input {
type filter hook input priority 0; policy drop;
# Accept packets that are part of an established or related connection
ct state established,related accept
# Drop any packets with an invalid connection state
ct state invalid drop
# Allow traffic from the loopback interface
iif "lo" accept
# Allow all traffic from the trusted LAN interfaces
iifname @trusted_interfaces accept
# Allow incoming SSH, DNS, and NTP from the internet (rate limited)
iifname @untrusted_interfaces tcp dport @essential_services limit rate 10/minute accept
iifname @untrusted_interfaces udp dport @essential_services limit rate 10/minute accept
# Allow incoming web traffic (Apache) from the internet
iifname @untrusted_interfaces tcp dport @web_ports accept
# Allow ICMP (ping) from the internet, but rate-limit it
iifname @untrusted_interfaces icmp type echo-request limit rate 5/second accept
# Log and drop everything else coming from untrusted interfaces
iifname @untrusted_interfaces log prefix "NFT-INET-DROP: "
iifname @untrusted_interfaces drop
# Catch-all log and drop for other incoming traffic
log prefix "NFT-INPUT-DROP: "
drop
}
# --- FORWARD chain: Controls traffic passing *through* the router ---
chain forward {
type filter hook forward priority 0; policy drop;
# Accept packets that are part of an established or related connection
ct state established,related accept
# Drop invalid packets
ct state invalid drop
# Allow outbound traffic from the LAN to the internet
iifname @trusted_interfaces oifname @untrusted_interfaces accept
# Log and drop any other forwarded traffic
log prefix "NFT-FORWARD-DROP: "
drop
}
# --- OUTPUT chain: Controls traffic originating from the server ---
chain output {
type filter hook output priority 0; policy accept;
}
}
# === NAT table for IPv4 (needed for internet access from LAN) ===
table ip nat {
# --- PREROUTING chain: Used for incoming traffic before routing ---
chain prerouting {
type nat hook prerouting priority 0;
# Example: Port forward incoming web traffic from the internet to a specific LAN machine
# iifname $wan_if tcp dport { 80, 443 } dnat to 192.168.1.100
}
# --- POSTROUTING chain: Used for outgoing traffic after routing ---
chain postrouting {
type nat hook postrouting priority 100;
# Masquerade traffic leaving the internet interface
oifname $wan_if masquerade
}
}