For an embedded application, I want to configure the firewall dynamically. My idea is to make a separate table for each service, so I can use 'nft flush inet table' to clear the ruleset of a table and set it again. So I made tables for snmp, www, ssh, etc. So far so good, but how can I block the rest of the ports? I have created another table with 'type filter hook input priority 0; policy drop;'. But no matter which priority I use, after that ALL ports are blocked. What am I doing wrong in my first steps with nftables? Thanks for your help.
My config:
# base table: conntrack sanity checks and loopback handling
table inet firewall {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state invalid drop
        ct state established,related accept
        iifname "lo" counter packets 0 bytes 0 accept
        iifname "lo" ip saddr != 127.0.0.0/8 drop
        iifname "lo" ip6 saddr != ::1 drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
        ct state established accept
        oifname "lo" counter packets 0 bytes 0 accept
        oifname "lo" ip daddr != 127.0.0.0/8 drop
        oifname "lo" ip6 daddr != ::1 drop
    }
}
# one table per service, each with its own base chain on the input hook
table inet web {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 80 accept
        tcp dport 443 accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
table inet snmp {
    chain input {
        type filter hook input priority 0; policy accept;
        udp dport 161 accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
        udp dport 162 drop
    }
}
table inet opc {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 4840 drop
        udp dport 4840 drop
    }
}
Found it! 'Policy drop' works well when working only on the same table. The additional management must be done via 'chains', which are added to the table as 'regular chains'. In the 'base chain', call the individual rule sets with 'jump xyz'.
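The single-table layout the follow-up describes, written out as an added example (not the poster's config): one base chain on the input hook carries the drop policy and jumps to one regular chain per service, so each service chain can be flushed and re-populated on its own. Chain names and ports are taken from the posted config; the opc chain is shown accepting its port, which is an assumption.

```nft
# Why the separate drop table blocked everything: every base chain hooked on
# "input" is traversed in priority order, "accept" only ends the current
# chain, so the packet still reached the extra table's base chain and hit
# its drop policy. Regular chains in the same table avoid that.
table inet firewall {
    # regular chains (no hook): one per service, declared before the jump
    chain web {
        tcp dport { 80, 443 } accept
    }
    chain snmp {
        udp dport 161 accept
    }
    chain opc {
        tcp dport 4840 accept
    }

    # the only base chain on the input hook: its policy is the default deny
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname "lo" accept
        jump web
        jump snmp
        jump opc
        # anything no service chain accepted is counted, then dropped
        counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# Runtime reconfiguration of one service, leaving the rest untouched
# (commands run as root; 8443 is a constructed example port):
#   nft flush chain inet firewall web
#   nft add rule inet firewall web tcp dport { 443, 8443 } accept
# Check that nothing unexpected is falling through to the final drop:
#   nft list chain inet firewall input
```

Loading the file with `nft -f` replaces the ruleset atomically, and the `counter drop` at the end of the base chain gives a quick indicator of traffic that no service chain claimed.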