Matching connection tracking stateful metainformation: Difference between revisions

From nftables wiki
Jump to navigation Jump to search
m (Reword intro, link Wikipedia stateful firewall article.)
(→‎Matching the state information: Edited for clarity, removed link now included in Connection Tracking System page.)
Line 7: Line 7:
* Status information: ''expected'', ''seen-reply'', ''assured'', ''confirmed'', ''snat'', ''dnat'', ''dying''.
* Status information: ''expected'', ''seen-reply'', ''assured'', ''confirmed'', ''snat'', ''dnat'', ''dying''.


== Matching the state information ==
== Matching the conntrack state ==


The following example shows how to deploy an extremely simple stateful firewall with ''nftables'':
The following example shows how to deploy an extremely simple stateful firewall with nftables:


<source lang="bash">
<source lang="bash">
Line 16: Line 16:
</source>
</source>


The rule #1 allows packets that are part of an already established communication with the network. Thus, any attempt from a computer in the network to reach your computer will be dropped. However, the traffic that is part of a flow that you have started will be accepted. Note that the example above uses a comma separated list of the states that you want to match.
Rule #1 accepts packets that are part of an already established communication with the network. Rule #2 drops all other packets. Thus, any attempt from a computer in the network to initiate a new connection to your computer will be blocked. However, traffic that is part of a flow that you have started will be accepted. Note that the example above uses a comma-separated list of the conntrack states that you want to match.
 
If you are not familiar with Netfilter flow state machine, you can give a quick read to this [https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#STATEMACHINE link].


== Matching the conntrack mark ==
== Matching the conntrack mark ==

Revision as of 13:21, 15 February 2021

As with iptables, nftables can match connection state tracking information (often referred to as conntrack or ct information) maintained by netfilter's Connection Tracking System to deploy stateful firewalls.

nftables provides the ct selector which can be used to match:

  • State information: new, established, related and invalid. In this regard, there is no changes with iptables.
  • The conntrack mark.
  • Status information: expected, seen-reply, assured, confirmed, snat, dnat, dying.

Matching the conntrack state

The following example shows how to deploy an extremely simple stateful firewall with nftables: 

nft add rule filter input ct state established,related counter accept #1
nft add rule filter input counter drop #2

Rule #1 accepts packets that are part of an already established communication with the network. Rule #2 drops all other packets. Thus, any attempt from a computer in the network to initiate a new connection to your computer will be blocked. However, traffic that is part of a flow that you have started will be accepted. Note that the example above uses a comma-separated list of the conntrack states that you want to match.

Matching the conntrack mark

The following example shows how to match packets based on the conntrack mark: 

nft add rule filter input ct mark 123 counter

To know more about conntrack marks and packet marks, see Setting packet metainformation.

Matching the conntrack helper

The following example shows how to match packets based on the conntrack helper: 

nft add rule filter input ct helper "ftp" counter
Retrieved from "http://wiki.nftables.org/wiki-nftables/index.php?title=Matching_connection_tracking_stateful_metainformation&oldid=708"