Firewall - nftables

BasicBasics

Using nftables as the successor to iptables makes life much more convenient. So I switched to nftables at my projects.

For debian (bookworm) it's necessary to enable the nftables service:

systemctl enable nftables.service

Default configuration file for nftables is located at: /etc/nftables.conf. I don't want to make big modifications at preinstalled files, so I just add an include statement for customized rules:

include "/etc/custom/nftables.rules" 

Here are some basic commands for nftables

List loaded ruleset

nft list ruleset

List sets 
The following command lists the set WHITELIST of table CUSTOM

nft list set inet CUSTOM WHITELIST

Basic

ruleset for a server providing http/https services

#!/usr/sbin/nft -f

table inet CUSTOM {
    # empty set WHITELIST - will be filled dynamically by scripts
	set WHITELIST {
		type ipv4_addr
	}
	chain INPUT {
		type filter hook input priority 0; policy drop;

		# allow established/related connections
		ct state {established, related} accept

		# early drop of invalid connections
		ct state invalid drop

		# allow from loopback
		iifname lo accept

		# allow icmp (ipv4) - only from IP set WHITELIST
		ip protocol icmp ip saddr @WHITELIST accept

        # allow only ssh connections from IP set WHITELIST
		tcp dport {22} ip saddr @WHITELIST accept

		# allow web services
		tcp dport {80, 443} accept

		# allow internal container interface
		iifname "lxcbr0" ip daddr 10.0.3.1 accept

		# everything else drop
		drop
	}

	chain OUTPUT {
		type filter hook output priority 0; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority 0; policy drop;
		oifname "lxcbr0" accept
        iifname "lxcbr0" accept
	}
}