From 4c06ffdd719a476e839488f82e39cbbc8c700e58 Mon Sep 17 00:00:00 2001 From: Michele Cereda Date: Tue, 23 Dec 2025 22:28:49 +0100 Subject: [PATCH] chore(kb): start iptables and nftables articles --- knowledge base/iptables.md | 107 ++++++++++++++++++++++++++++++++++++ knowledge base/nftables.md | 109 +++++++++++++++++++++++++++++++++++++ 2 files changed, 216 insertions(+) create mode 100644 knowledge base/iptables.md create mode 100644 knowledge base/nftables.md diff --git a/knowledge base/iptables.md b/knowledge base/iptables.md new file mode 100644 index 0000000..f525547 --- /dev/null +++ b/knowledge base/iptables.md @@ -0,0 +1,107 @@ +# Iptables + +> [!warning] +> It should be replaced with its successor, [`nftables`][nftables]. + +Command line utility for configuring the Linux kernel-level firewall implemented within the netfilter project. + +Inspects, modifies, forwards, redirects, and/or drops IP packets based on _rules_. + +1. [TL;DR](#tldr) +1. [Further readings](#further-readings) + 1. [Sources](#sources) + +## TL;DR + +Use `iptables` for IPv4 and `ip6tables` for IPv6.
+They have the same syntax, but some options are specific to either IPv4 or IPv6. + +Rules are generally split up in three sections (A.K.A. _chains_): + +- _INPUT_ manages all packets destined for the local host. +- _FORWARD_ manages all packets that are passing through.
+ This chain is usually given rules when the local host is used as a router. +- _OUTPUT_ manages all packets originating from the local host. + +Rules are applied to a packed, depending on the packet's direction and _**in the order the rules are specified**_.
+Should no specific rule apply, the packet is applied the default policy for the chain. + +Chains must be referenced using their **uppercase** name. + +Each chain has its own default policy, and it can either be `ACCEPT` or `DROP`.
+Rules can then be implemented to configure exceptions to the default policy.
+Rules can either be _appended_ (`-A`) to the bottom a chain or _inserted_ (`-I`). When no rule is specified during +insertion, that rule is inserted on the top of the chain. + + + +
+ Usage + +```sh +# List current rules. +iptables -L +iptables -L --line-numbers + +# Add rules. +iptables -I 'INPUT' -p 'tcp' --dport '443' -j 'ACCEPT' +iptables -I 'INPUT' -p 'tcp' -s '192.168.100.100' --dport 22 -j 'ACCEPT' +iptables -I 'INPUT' -p 'tcp' -s '!192.168.100.0/24' --dport 22 -j 'REJECT' + +# Change default policies to 'DROP'. +iptables -P 'FORWARD' 'DROP' + +# Delete specific rules. +iptables -D 'INPUT' 2 + +# Delete *all* rules. +iptables -F + +# Backup and restore rules. +iptables-save -f '/etc/iptables/rules.v4' +iptables-restore '/etc/iptables/rules.v4' +``` + +
+ + + +## Further readings + +- [`nftables`][nftables] + +### Sources + +- [Iptables basics] +- [Archlinux wiki] + + + + + +[nftables]: nftables.md + + + + +[Iptables basics]: https://www.worldstream.com/nl/article/iptables-basics/ +[Archlinux wiki]: https://wiki.archlinux.org/title/Iptables diff --git a/knowledge base/nftables.md b/knowledge base/nftables.md new file mode 100644 index 0000000..a455f8c --- /dev/null +++ b/knowledge base/nftables.md @@ -0,0 +1,109 @@ +# nftables + +Successor to [iptables].
+Replaces the existing `iptables`, `ip6tables`, `arptables`, and `ebtables` framework. + +Leverages the Linux kernel, and the newer `nft` userspace command line utility.
+Provides a compatibility layer for the `iptables` framework. + +1. [TL;DR](#tldr) +1. [Further readings](#further-readings) + 1. [Sources](#sources) + +## TL;DR + +Built on _rules_ which specify _actions_.
+Rules are attached to _chains_.
+Chains can contain a collection of rules, are stored inside _tables_, and are registered in netfilter's hooks.
+Tables are specific for one of the layer 3 protocols. + +Differently from [iptables], there are no predefined tables or chains. + +`nft` supports replacing atomic rules by using `nft -f`.
+This allows to conveniently manage rules using files. + +> [!warning] +> When loading rules with `nft -f`, failures will result in none of the file's rules being loaded.
+> Calling `nft` repeatedly (in a shell script or similar) will fail on specific rules. + + + +
+ Usage + +```sh +# List tables. +nft list tables +nft list tables inet + +# Add tables for the IPv4 and IPv6 layers. +nft add table inet 'net_table' + +# Add tables for the ARP layer. +nft add table arp 'arp_table' + +# Add a base chain called 'input_filter' to the inet 'base_table' table. +# Register it to the 'input' hook with priority 0 and type 'filter'. +nft add chain inet 'base_table' 'input_filter' "{type filter hook input priority 0;}" + +# List all rules. +nft -a list ruleset + +# List rules in chains. +nft list chain inet 'base_table' 'input_filter' + +# Add rules to chains. +nft add rule inet 'base_table' 'input_filter' tcp dport 80 drop + +# Delete rules. +nft delete rule inet 'base_table' 'input_filter' handle 3 + +# Delete chains. +# Chains can *only* be deleted if they contain no rules *and* they are not used as jump targets. +nft delete chain inet base_table input_filter + +# Delete tables. +nft delete table inet 'net_table' +``` + +
+ + + +## Further readings + +- [`iptables`][iptables] + +### Sources + +- [Gentoo wiki] + + + + + +[iptables]: iptables.md + + + + +[Gentoo wiki]: https://wiki.gentoo.org/wiki/Nftables
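Review bot: in the iptables.md hunk, the negation in the third `iptables -I` line is placed inside the address argument (`-s '!192.168.100.0/24'`), which iptables tries to resolve as a hostname and rejects; the supported form is `! -s '192.168.100.0/24'`, with the `!` as its own argument before the option. In the prose, "Rules are applied to a packed" should read "packet", "to the bottom a chain" is missing "of", and "When no rule is specified during insertion" should say "no rule number", since the optional rulenum after `-I CHAIN` is what decides the position. Two caveats worth a comment in the usage block: `iptables -F` flushes rules but leaves the chain policies set with `-P` in place, so flushing after a `DROP` policy leaves nothing accepted, and `iptables -L` shows only the `filter` table unless `-t` is given (adding `-n` avoids reverse DNS lookups when listing).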
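Review bot: in the nftables.md hunk, the usage block creates the table `net_table` but the chain and rule commands then refer to `base_table`, which is never created, so the sequence fails as written with a missing-table error; use one name throughout. The sentence "supports replacing atomic rules by using `nft -f`" inverts the meaning: it is the ruleset replacement that is atomic (the whole file is applied or none of it is), and the warning's second sentence should state the contrast explicitly, that is, a sequence of individual `nft` calls stops at the first failing rule and leaves the earlier rules applied. Since the base chain is added without a `policy`, it defaults to accept; mention `policy drop` alongside `type`, `hook` and `priority`, as the iptables article does for `-P`. "Tables are specific for one of the layer 3 protocols" is inaccurate for `inet` (both IPv4 and IPv6) and for the `arp` family used in the examples; "address family" is the nft term. Minor: `nft delete chain inet base_table input_filter` is the only unquoted invocation in the block.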