chore(kb): start iptables and nftables articles

knowledge base/iptables.md

@@ -0,0 +1,107 @@
+# Iptables
+
+> [!warning]
+> It should be replaced with its successor, [`nftables`][nftables].
+
+Command line utility for configuring the Linux kernel-level firewall implemented within the netfilter project.
+
+Inspects, modifies, forwards, redirects, and/or drops IP packets based on _rules_.
+
+1. [TL;DR](#tldr)
+1. [Further readings](#further-readings)
+   1. [Sources](#sources)
+
+## TL;DR
+
+Use `iptables` for IPv4 and `ip6tables` for IPv6.<br/>
+They have the same syntax, but some options are specific to either IPv4 or IPv6.
+
+Rules are generally split up in three sections (A.K.A. _chains_):
+
+- _INPUT_ manages all packets destined for the local host.
+- _FORWARD_ manages all packets that are passing through.<br/>
+  This chain is usually given rules when the local host is used as a router.
+- _OUTPUT_ manages all packets originating from the local host.
+
+Rules are applied to a packed, depending on the packet's direction and _**in the order the rules are specified**_.<br/>
+Should no specific rule apply, the packet is applied the default policy for the chain.
+
+Chains must be referenced using their **uppercase** name.
+
+Each chain has its own default policy, and it can either be `ACCEPT` or `DROP`.<br/>
+Rules can then be implemented to configure exceptions to the default policy.<br/>
+Rules can either be _appended_ (`-A`) to the bottom a chain or _inserted_ (`-I`). When no rule is specified during
+insertion, that rule is inserted on the top of the chain.
+
+<!-- Uncomment if used
+<details>
+  <summary>Setup</summary>
+
+```sh
+```
+
+</details>
+-->
+
+<details>
+  <summary>Usage</summary>
+
+```sh
+# List current rules.
+iptables -L
+iptables -L --line-numbers
+
+# Add rules.
+iptables -I 'INPUT' -p 'tcp' --dport '443' -j 'ACCEPT'
+iptables -I 'INPUT' -p 'tcp' -s '192.168.100.100' --dport 22 -j 'ACCEPT'
+iptables -I 'INPUT' -p 'tcp' -s '!192.168.100.0/24' --dport 22 -j 'REJECT'
+
+# Change default policies to 'DROP'.
+iptables -P 'FORWARD' 'DROP'
+
+# Delete specific rules.
+iptables -D 'INPUT' 2
+
+# Delete *all* rules.
+iptables -F
+
+# Backup and restore rules.
+iptables-save -f '/etc/iptables/rules.v4'
+iptables-restore '/etc/iptables/rules.v4'
+```
+
+</details>
+
+<!-- Uncomment if used
+<details>
+  <summary>Real world use cases</summary>
+
+```sh
+```
+
+</details>
+-->
+
+## Further readings
+
+- [`nftables`][nftables]
+
+### Sources
+
+- [Iptables basics]
+- [Archlinux wiki]
+
+<!--
+  Reference
+  ═╬═Time══
+  -->
+
+<!-- In-article sections -->
+<!-- Knowledge base -->
+[nftables]: nftables.md
+
+<!-- Files -->
+<!-- Upstream -->
+<!-- Others -->
+[Iptables basics]: https://www.worldstream.com/nl/article/iptables-basics/
+[Archlinux wiki]: https://wiki.archlinux.org/title/Iptables

knowledge base/nftables.md

@@ -0,0 +1,109 @@
+# nftables
+
+Successor to [iptables].<br/>
+Replaces the existing `iptables`, `ip6tables`, `arptables`, and `ebtables` framework.
+
+Leverages the Linux kernel, and the newer `nft` userspace command line utility.<br/>
+Provides a compatibility layer for the `iptables` framework.
+
+1. [TL;DR](#tldr)
+1. [Further readings](#further-readings)
+   1. [Sources](#sources)
+
+## TL;DR
+
+Built on _rules_ which specify _actions_.<br/>
+Rules are attached to _chains_.<br/>
+Chains can contain a collection of rules, are stored inside _tables_, and are registered in netfilter's hooks.<br/>
+Tables are specific for one of the layer 3 protocols.
+
+Differently from [iptables], there are no predefined tables or chains.
+
+`nft` supports replacing atomic rules by using `nft -f`.<br/>
+This allows to conveniently manage rules using files.
+
+> [!warning]
+> When loading rules with `nft -f`, failures will result in none of the file's rules being loaded.<br/>
+> Calling `nft` repeatedly (in a shell script or similar) will fail on specific rules.
+
+<!-- Uncomment if used
+<details>
+  <summary>Setup</summary>
+
+```sh
+```
+
+</details>
+-->
+
+<details>
+  <summary>Usage</summary>
+
+```sh
+# List tables.
+nft list tables
+nft list tables inet
+
+# Add tables for the IPv4 and IPv6 layers.
+nft add table inet 'net_table'
+
+# Add tables for the ARP layer.
+nft add table arp 'arp_table'
+
+# Add a base chain called 'input_filter' to the inet 'base_table' table.
+# Register it to the 'input' hook with priority 0 and type 'filter'.
+nft add chain inet 'base_table' 'input_filter' "{type filter hook input priority 0;}"
+
+# List all rules.
+nft -a list ruleset
+
+# List rules in chains.
+nft list chain inet 'base_table' 'input_filter'
+
+# Add rules to chains.
+nft add rule inet 'base_table' 'input_filter' tcp dport 80 drop
+
+# Delete rules.
+nft delete rule inet 'base_table' 'input_filter' handle 3
+
+# Delete chains.
+# Chains can *only* be deleted if they contain no rules *and* they are not used as jump targets.
+nft delete chain inet base_table input_filter
+
+# Delete tables.
+nft delete table inet 'net_table'
+```
+
+</details>
+
+<!-- Uncomment if used
+<details>
+  <summary>Real world use cases</summary>
+
+```sh
+```
+
+</details>
+-->
+
+## Further readings
+
+- [`iptables`][iptables]
+
+### Sources
+
+- [Gentoo wiki]
+
+<!--
+  Reference
+  ═╬═Time══
+  -->
+
+<!-- In-article sections -->
+<!-- Knowledge base -->
+[iptables]: iptables.md
+
+<!-- Files -->
+<!-- Upstream -->
+<!-- Others -->
+[Gentoo wiki]: https://wiki.gentoo.org/wiki/Nftables