diff --git a/doc/examples/firewall b/doc/examples/firewall
index fce735a..d5fadec 100755
--- a/doc/examples/firewall
+++ b/doc/examples/firewall
@@ -13,36 +13,36 @@
 # to and from the Gn interface.
 # * Masquerede on Gi interface.
-IPTABLES="/sbin/iptables"
+NFT="nft"
 IFGN="eth0"
 IFGI="eth1"
-$IPTABLES -P INPUT DROP
-$IPTABLES -P FORWARD ACCEPT
-$IPTABLES -P OUTPUT ACCEPT
+$NFT add chain ip filter input '{ policy drop; }'
+$NFT add chain ip filter forward '{ policy accept; }'
+$NFT add chain ip filter output '{ policy accept; }'
 #Allow related and established on all interfaces (input)
-$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+$NFT add rule ip filter input ct state related,established counter accept
 #Allow releated, established, GTP and ssh on $IFGN. Reject everything else.
-$IPTABLES -A INPUT -i $IFGN -p tcp -m tcp --dport 22 --syn -j ACCEPT
-$IPTABLES -A INPUT -i $IFGN -p udp -m udp --dport 2123 -j ACCEPT
-$IPTABLES -A INPUT -i $IFGN -p udp -m udp --dport 2152 -j ACCEPT
-$IPTABLES -A INPUT -i $IFGN -p udp -m udp --dport 3386 -j ACCEPT
-$IPTABLES -A INPUT -i $IFGN -j REJECT
+$NFT add rule ip filter input iifname $IFGN tcp dport 22 tcp flags syn / fin,syn,rst,ack counter accept
+$NFT add rule ip filter input iifname $IFGN udp dport 2123 counter accept
+$NFT add rule ip filter input iifname $IFGN udp dport 2152 counter accept
+$NFT add rule ip filter input iifname $IFGN udp dport 3386 counter accept
+$NFT add rule ip filter input iifname $IFGN counter reject
 #Allow related, established and ssh. Drop everything else.
-$IPTABLES -A INPUT -i $IFGI -p tcp -m tcp --dport 22 --syn -j ACCEPT
-$IPTABLES -A INPUT -i $IFGI -j DROP
+$NFT add rule ip filter input iifname $IFGI tcp dport 22 tcp flags syn / fin,syn,rst,ack counter accept
+$NFT add rule ip filter input iifname $IFGI counter drop
 # Masquerade everything going out on $IFGI
-$IPTABLES -t nat -A POSTROUTING -o $IFGI -j MASQUERADE
+$NFT add rule ip nat POSTROUTING oifname $IFGI counter masquerade
 #Allow everything on loopback interface.
-$IPTABLES -A INPUT -i lo -j ACCEPT
+$NFT add rule ip filter input iifname "lo" counter accept
 # Drop everything to and from $IFGN (forward)
-$IPTABLES -A FORWARD -i $IFGN -j DROP
-$IPTABLES -A FORWARD -o $IFGN -j DROP
+$NFT add rule ip filter forward iifname $IFGN counter drop
+$NFT add rule ip filter forward oifname $IFGN counter drop
diff --git a/doc/manuals/chapters/mtu.adoc b/doc/manuals/chapters/mtu.adoc
index 4c2064c..8b46f7c 100644
--- a/doc/manuals/chapters/mtu.adoc
+++ b/doc/manuals/chapters/mtu.adoc
@@ -150,13 +150,13 @@ account that TCP header can span up to 56 bytes, we'd get to an MSS value of:
 MSS = TUNNEL_MTU - IP_HDR - TCP_HDR = 1420 - 60 - 56 = 1304
 ----
-In linux, the MSS of TCP connections can be clamped using iptables:
+In linux, the MSS of TCP connections can be clamped using nftables:
 ----
-iptables -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN -i apn0 -j TCPMSS --set-mss 1304
-iptables -t nat -I POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o apn0 -j TCPMSS --set-mss 1304
-ip6tables -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN -i apn0 -j TCPMSS --set-mss 1304
-ip6tables -t nat -I POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o apn0 -j TCPMSS --set-mss 1304
+nft 'add rule ip nat prerouting iifname "apn0" tcp flags syn / syn,rst counter tcp option maxseg size set 1304'
+nft 'insert rule ip nat postrouting oifname "apn0" tcp flags syn / syn,rst counter tcp option maxseg size set 1304'
+nft 'add rule ip6 nat prerouting iifname "apn0" tcp flags syn / syn,rst counter tcp option maxseg size set 1304'
+nft 'insert rule ip6 nat postrouting oifname "apn0" tcp flags syn / syn,rst counter tcp option maxseg size set 1304'
 ----
 ==== Further Reading
diff --git a/doc/manuals/chapters/running.adoc b/doc/manuals/chapters/running.adoc
index 386b6b5..99fa11d 100644
--- a/doc/manuals/chapters/running.adoc
+++ b/doc/manuals/chapters/running.adoc
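Review bot: The three `add chain ip filter …` commands near the top of the hunk never attach the chains to a netfilter hook — there is no `type filter hook input priority …` in the braces — so even where they succeed they create regular chains that no packet ever traverses, the `policy drop` on `input` protects nothing, and the script exits cleanly while the host is left unfiltered (as far as I recall nft also refuses a `policy` on a non-base chain, which would make the command fail outright). Unlike iptables, nftables ships with no tables at all, so unless an `ip filter` table already exists every command in the hunk fails with a missing-table error, and the `add rule ip nat POSTROUTING …` line further down has the same problem for the `ip nat` table and chain the script never creates. Both tables and all four base chains need to be declared first, as in the excerpt below; since the mtu.adoc and running.adoc hunks of this commit spell the nat chains `postrouting`/`prerouting` and nft chain names are case-sensitive, the script should use the same lowercase name. The script's shebang and header comment lie before this hunk.
```shell
$NFT add table ip filter
$NFT add chain ip filter input '{ type filter hook input priority 0; policy drop; }'
$NFT add chain ip filter forward '{ type filter hook forward priority 0; policy accept; }'
$NFT add chain ip filter output '{ type filter hook output priority 0; policy accept; }'
# … unchanged: input/forward filter rules …
$NFT add table ip nat
$NFT add chain ip nat postrouting '{ type nat hook postrouting priority 100; }'
$NFT add rule ip nat postrouting oifname $IFGI counter masquerade
```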
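Review bot: The four `nft` lines in the listing assume that `ip nat` and `ip6 nat` tables with `prerouting` and `postrouting` base chains already exist; nftables has no built-in tables, so a reader who pastes these commands on a fresh system gets a missing-table error, whereas the iptables commands they replace worked against the kernel's pre-existing `nat` table. The listing, or a sentence before it, should show the one-time setup, e.g. `nft add table ip nat` followed by `nft 'add chain ip nat prerouting { type nat hook prerouting priority -100; }'` and the matching `postrouting` chain (`priority 100`), repeated for `ip6`. The running.adoc hunk of this commit has the same gap for its `postrouting` masquerade rule.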
@@ -43,14 +43,14 @@ To manually enable IPv4 forwarding and masquerading ad-hoc, you can do:
 ----
 sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
-iptables -t nat -A POSTROUTING -o '*' -j MASQUERADE
+nft 'add rule ip nat postrouting oifname "\*" counter masquerade'
 ----
 (You may want to replace `*` with the network device name, like `-o eth0`)
 There are various ways to enable these settings persistently, please refer to your distribution's documentation -- e.g. look for @net.ipv4.ip_forward=1@ in
-@/etc/sysctl.d/@, and https://wiki.debian.org/iptables for masquerading.
+@/etc/sysctl.d/@, and https://wiki.debian.org/nftables for masquerading.
 include::{srcdir}/chapters/mtu.adoc[]
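Review bot: The unchanged hint line after the listing still says to replace the wildcard with the device name "like `-o eth0`", which is iptables syntax; now that the command above it is an nft rule it should read like `oifname "eth0"`. The rule's `oifname "\*"` is also questionable: inside a `----` listing block the backslash is rendered literally, and in nftables a trailing `*` is a prefix wildcard while a backslash-escaped `\*` is, as far as I can tell, a literal asterisk, so the copied rule would match no real interface; dropping the interface match entirely, `nft 'add rule ip nat postrouting counter masquerade'`, or naming the device is the unambiguous form, and the `\*` should be verified against the nft version this manual targets. As in mtu.adoc, the `ip nat` table and `postrouting` base chain have to be created before this rule can be added, which the text does not mention.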