@fabiojmendes
Last active September 6, 2024 14:02
Nftables configuration that plays nice with podman
# This config is based on the original nftables
# config that ships with fedora/rocky/rhel
# Added the podman_interfaces set and the allow_podman chain so it works with podman
# Sample configuration for nftables service.
# Load this by calling 'nft -f /etc/nftables/main.nft'.
# Note about base chain priorities:
# The priority values used in these sample configs are
# offset by 20 in order to avoid ambiguity when firewalld
# is also running which uses an offset of 10. This means
# that packets will traverse firewalld first and if not
# dropped/rejected there will hit the chains defined here.
# Chains created by iptables, ebtables and arptables tools
# do not use an offset, so those chains are traversed first
# in any case.
# drop any existing copy of this table before redefining it
# "destroy" removes inet/nftables_svc if it exists and, unlike "delete",
# does not fail when it is absent, so the file loads cleanly on first boot.
# Only this table is affected: tables owned by other tools (a container
# engine's, firewalld's) are left alone. The "destroy" keyword needs a
# fairly recent nft/kernel; older builds only know "delete".
destroy table inet nftables_svc
# a common table for both IPv4 and IPv6 (inet family); every set and
# chain below lives in this one table, which is dropped and recreated
# on each load by the destroy statement at the top of the file
table inet nftables_svc {
    # protocols to allow unconditionally (both ICMP families, so path
    # MTU discovery, neighbour discovery etc. keep working)
    set allowed_protocols {
        type inet_proto
        elements = { icmp, icmpv6 }
    }
    # interfaces to accept any traffic on; "flags interval" is what makes
    # wildcard names like "podman*" legal in an ifname set, loopback is
    # the only fully trusted interface here
    set allowed_interfaces {
        type ifname
        flags interval
        elements = { "lo" }
    }
    # podman interfaces to accept traffic on; matched by prefix, so every
    # bridge named podman* gets the allow_podman treatment below, not the
    # blanket accept that allowed_interfaces gets
    set podman_interfaces {
        type ifname
        flags interval
        elements = { "podman*" }
    }
    # services to allow from any interface
    set allowed_tcp_dports {
        type inet_service
        elements = { ssh, http }
    }
    # what traffic arriving on a podman* bridge may reach the host:
    # only UDP port 53 (presumably container DNS served by podman's
    # resolver on the bridge gateway address -- verify). Anything else
    # returns to "allow" and, if still unmatched, hits the reject in INPUT.
    chain allow_podman {
        udp dport 53 counter accept
    }
    # this chain gathers all accept conditions; rule order matters, the
    # first matching accept wins and a packet matching nothing returns to
    # the caller (INPUT) with no verdict
    chain allow {
        ct state established,related accept
        # NOTE(review): no "ct state invalid drop" here, so invalid
        # packets fall through to the port-unreachable reject at the end
        # of INPUT -- consider dropping them silently instead
        meta l4proto @allowed_protocols accept
        iifname @allowed_interfaces accept
        # jump (not goto): when allow_podman does not accept, evaluation
        # continues with the tcp rule below
        iifname @podman_interfaces jump allow_podman
        tcp dport @allowed_tcp_dports counter accept
    }
    # base-chain for traffic to this host
    chain INPUT {
        # +20 offset: see the priority note in the header comment
        type filter hook input priority filter + 20
        # policy accept is only safe because the final rule rejects
        # everything "allow" did not accept; a rule appended after that
        # reject is never reached, and "policy drop" would fail closed if
        # the reject rule were ever removed -- worth considering
        policy accept
        jump allow
        # everything else: reject rather than silently drop so clients fail
        # fast; icmpx picks the right ICMP/ICMPv6 message for the family
        counter reject with icmpx type port-unreachable
    }
}
# Forwarded traffic is filtered too: the include below is active (the
# original comment still said "uncomment" it), so router.nft applies the
# same criteria as the input chain to the forward hook. Comment the line
# out to allow all forwarded traffic.
# NOTE(review): router.nft is not part of this gist -- check that its
# forward chain lets container traffic through (e.g. by consulting the
# podman_interfaces set), otherwise podman networks may only get DNS.
include "/etc/nftables/router.nft"
# Uncomment the following line to enable masquerading of
# forwarded traffic. May be used with or without router.nft.
#include "/etc/nftables/nat.nft"
# systemd unit that loads the ruleset at boot
[Unit]
Description=Netfilter Tables
Documentation=man:nft(8)
# ordered before network-pre.target so the rules are in place before any
# interface comes up, avoiding a window where the host is unfiltered
Wants=network-pre.target
Before=network-pre.target
[Service]
# oneshot + RemainAfterExit: "nft -f" runs once and the unit then counts
# as active so that systemctl stop/reload behave as expected
Type=oneshot
# sandboxing: /usr, /boot and /etc read-only, home directories inaccessible
ProtectSystem=full
ProtectHome=true
# NOTE(review): the config header says it is loaded via
# /etc/nftables/main.nft; make sure /etc/sysconfig/nftables.conf is that
# file or includes it, otherwise this unit loads a different ruleset.
# "nft -f" applies the whole file as one transaction.
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
# reload re-runs the file; if it starts with the "destroy table" line the
# table is replaced rather than having duplicate rules appended
ExecReload=/sbin/nft -f /etc/sysconfig/nftables.conf
# NOTE(review): "flush ruleset" clears every table, not just nftables_svc:
# stopping this unit leaves the host with no filtering at all and also
# removes tables created by other tools (a container engine's included).
# "nft delete table inet nftables_svc" would be the narrower stop action.
ExecStop=/sbin/nft flush ruleset
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target