| field | value | date |
|---|---|---|
| author | Arturo Borrero Gonzalez <arturo@netfilter.org> | 2018-02-25 18:36:16 +0100 |
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-02-25 19:50:23 +0100 |
| commit | a57299feee1dcdb98df79b91b1822149bd337311 (patch) | |
| tree | 3167b8340136ced49152236f756ccd8b24c7312f /files/examples/ct_helpers.nft | |
| parent | 6c9230e79339ca4fd662855c84529fa92e962ca5 (diff) | |
examples: add ct helper examples
Include some examples in the nftables tarball on using the ct helper
infrastructure, inspired by wiki.nftables.org.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'files/examples/ct_helpers.nft')
-rwxr-xr-x | files/examples/ct_helpers.nft | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/files/examples/ct_helpers.nft b/files/examples/ct_helpers.nft new file mode 100755 index 00000000..07ebb2a2 --- /dev/null +++ b/files/examples/ct_helpers.nft @@ -0,0 +1,43 @@ +#!/usr/sbin/nft -f + +# This example file shows how to use ct helpers in the nftables framework. +# Note that nftables includes interesting improvements compared to how this +# was done with iptables, such as loading multiple helpers with a single rule +# This script is meant to be loaded with `nft -f <file>` +# You require linux kernel >= 4.12 and nft >= 0.8 +# For up-to-date information please visit https://wiki.nftables.org + +# Using ct helpers is an important security feature when doing stateful +# firewalling, since it mitigate certain networking attacks. +# More info at: https://home.regit.org/netfilter-en/secure-use-of-helpers/ + + +flush ruleset +table inet filter { + # declare helpers of this table + ct helper ftp-standard { + type "ftp" protocol tcp; + l3proto inet + } + ct helper sip-5060 { + type "sip" protocol udp; + l3proto inet + } + ct helper tftp-69 { + type "tftp" protocol udp + l3proto inet + } + + chain input { + type filter hook input priority 0; policy drop; + ct state established,related accept + + # assign a single helper in a single rule + tcp dport 21 ct helper set "ftp-standard" + + # assign multiple helpers in a single rule + ct helper set udp dport map { + 69 : "tftp-69", \ + 5060 : "sip-5060" } + } +} |
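Review bot: the `input` chain has `policy drop` and no rule accepts new connections on the ports the helpers are assigned to, so `tcp dport 21 ct helper set "ftp-standard"` and the `udp dport map` rule assign a helper and then fall through to the drop policy; the helper never sees a completed connection and the `established,related accept` rule never fires for the expected data channels. Either add accept rules after the helper assignments (for example `tcp dport 21 accept` and `udp dport { 69, 5060 } accept`), or state in the header comment that the file only demonstrates the assignment syntax and is not a working policy. Also worth noting in the comments, since they point readers to the secure-use-of-helpers article: both assignment rules match on destination port alone, so any host reaching these ports gets a helper attached; an example that restricts assignment to the addresses of the actual FTP/SIP/TFTP servers would better match the advice the comment cites. Minor: "since it mitigate certain networking attacks" should read "since it mitigates", and the line "loading multiple helpers with a single rule" is missing its full stop.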