
Where is the default nftables config file?

Posted: 2020/12/26 03:35:12
by Edvard
Hi,

I'm really sorry to ask a newb question, but where is the default nftables configuration file?

I'm using CentOS 8. When I look in /etc/sysconfig/nftables.conf, I find a file with everything commented out

Yes, when I type "sudo nft list ruleset", I get a long listing of tables that's seemingly set up from some other file. I don't know where it's from.

I want to write my own nftables rules and append them non-destructively. But they conflict with the OOB rules without flushing them out. It's easy to do that too, but I'd like to know what I'm flushing.

That's where I stand and what my motives are. Much appreciated if you can lend me a hand.

Re: Where is the default nftables config file?

Posted: 2020/12/28 18:03:50
by jlehtone
Edvard wrote:
2020/12/26 03:35:12
I'm using CentOS 8. When I look in /etc/sysconfig/nftables.conf, I find a file with everything commented out

Yes, when I type "sudo nft list ruleset", I get a long listing of tables that's seemingly set up from some other file. I don't know where it's from.
Yes, the nftables.conf is all commented out and most of it is ... comments. Instructions.

The instructions say that you could add your ruleset to that file or add include statements to link other files.
Some examples are in /etc/nftables/. They too can include further files.

I have just created my file into /etc/nftables/ and appended include statement into /etc/sysconfig/nftables.conf.


Those (commented) are not the source of your current ruleset.
Do you still have firewalld.service running? Has it run after latest boot? It creates a lot of rules.
Have you tried to look at the rules with 'iptables -L' (or -S)? Those too create (empty) tables.


RHEL doc tells something: https://access.redhat.com/documentation ... networking

Re: Where is the default nftables config file?

Posted: 2020/12/29 18:57:01
by Edvard
After a fresh reboot, I get this very populated:

$ sudo nft list ruleset
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		counter packets 1661 bytes 607849 jump LIBVIRT_INP
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		counter packets 272 bytes 24247 jump LIBVIRT_FWX
		counter packets 272 bytes 24247 jump LIBVIRT_FWI
		counter packets 272 bytes 24247 jump LIBVIRT_FWO
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		counter packets 1425 bytes 358044 jump LIBVIRT_OUT
	}

	chain LIBVIRT_INP {
		iifname "virbr0" meta l4proto udp udp dport 53 counter packets 0 bytes 0 accept
		iifname "virbr0" meta l4proto tcp tcp dport 53 counter packets 0 bytes 0 accept
		iifname "virbr0" meta l4proto udp udp dport 67 counter packets 0 bytes 0 accept
		iifname "virbr0" meta l4proto tcp tcp dport 67 counter packets 0 bytes 0 accept
	}

	chain LIBVIRT_OUT {
		oifname "virbr0" meta l4proto udp udp dport 53 counter packets 0 bytes 0 accept
		oifname "virbr0" meta l4proto tcp tcp dport 53 counter packets 0 bytes 0 accept
		oifname "virbr0" meta l4proto udp udp dport 68 counter packets 0 bytes 0 accept
		oifname "virbr0" meta l4proto tcp tcp dport 68 counter packets 0 bytes 0 accept
	}

	chain LIBVIRT_FWO {
		iifname "virbr0" ip saddr 192.168.122.0/24 counter packets 0 bytes 0 accept
		iifname "virbr0" counter packets 0 bytes 0 reject
	}

	chain LIBVIRT_FWI {
		oifname "virbr0" ip daddr 192.168.122.0/24 ct state related,established counter packets 0 bytes 0 accept
		oifname "virbr0" counter packets 0 bytes 0 reject
	}

	chain LIBVIRT_FWX {
		iifname "virbr0" oifname "virbr0" counter packets 0 bytes 0 accept
	}
}
table ip6 filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		counter packets 225 bytes 37357 jump LIBVIRT_INP
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		counter packets 0 bytes 0 jump LIBVIRT_FWX
		counter packets 0 bytes 0 jump LIBVIRT_FWI
		counter packets 0 bytes 0 jump LIBVIRT_FWO
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		counter packets 77 bytes 30298 jump LIBVIRT_OUT
	}

	chain LIBVIRT_INP {
	}

	chain LIBVIRT_OUT {
	}

	chain LIBVIRT_FWO {
	}

	chain LIBVIRT_FWI {
	}

	chain LIBVIRT_FWX {
	}
}
table bridge filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}
}
table ip nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain INPUT {
		type nat hook input priority 100; policy accept;
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		counter packets 210 bytes 16348 jump LIBVIRT_PRT
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
	}

	chain LIBVIRT_PRT {
		ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter packets 2 bytes 161 return
		ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
		meta l4proto tcp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535 
		meta l4proto udp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 1 bytes 146 masquerade to :1024-65535 
		ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade 
	}
}
table ip mangle {
	chain PREROUTING {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain INPUT {
		type filter hook input priority mangle; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority mangle; policy accept;
	}

	chain OUTPUT {
		type route hook output priority mangle; policy accept;
	}

	chain POSTROUTING {
		type filter hook postrouting priority mangle; policy accept;
		counter packets 1777 bytes 388202 jump LIBVIRT_PRT
	}

	chain LIBVIRT_PRT {
		oifname "virbr0" meta l4proto udp udp dport 68 counter packets 0 bytes 0 # CHECKSUM fill
	}
}
table ip6 nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain INPUT {
		type nat hook input priority 100; policy accept;
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		counter packets 0 bytes 0 jump LIBVIRT_PRT
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
	}

	chain LIBVIRT_PRT {
	}
}
table ip6 mangle {
	chain PREROUTING {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain INPUT {
		type filter hook input priority mangle; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority mangle; policy accept;
	}

	chain OUTPUT {
		type route hook output priority mangle; policy accept;
	}

	chain POSTROUTING {
		type filter hook postrouting priority mangle; policy accept;
		counter packets 83 bytes 30820 jump LIBVIRT_PRT
	}

	chain LIBVIRT_PRT {
	}
}
But:

$ sudo cat /etc/sysconfig/nftables.conf 
# Uncomment the include statement here to load the default config sample
# in /etc/nftables for nftables service.

#include "/etc/nftables/main.nft"

# To customize, either edit the samples in /etc/nftables, append further
# commands to the end of this file or overwrite it after first service
# start by calling: 'nft list ruleset >/etc/sysconfig/nftables.conf'.
I have firewalld disabled and would prefer to put my own firewall rules in, I don't know, maybe /etc/nftables/myrules.nft. I just want to know what at startup is writing nftables rules so I can append to it instead of flushing the whole thing.

Re: Where is the default nftables config file?

Posted: 2020/12/29 20:09:34
by jlehtone
Those tables look like they were created by the "iptables" nft-wrapper tool.
The rules (there are not many) mention "virbr0" and "LIBVIRT".

My guess is that you have "Virtualization" installed (as it is included in GNOME Desktop Environment).
That means libvirtd.service that is enabled by default.
The default libvirt configuration defines a virtual network "default" that is routed, with NAT.
Therefore, libvirtd.service starts on boot, creates virbr0, inserts firewall rules (with "iptables" commands?).

If you don't need libvirtd, then disable that service.
If you need libvirtd, but not the "default" network, then remove that from autostart (with virsh).
Either way, reboot once more to have a "clean start".

If you will need a virtualization platform and will need routed virtual networks, then figure out how to stop libvirt from inserting firewall rules (because you will do it by other means).
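An added check (example code written here, not from the thread or from the nftables project) that applies jlehtone's reasoning to a saved `nft list ruleset` dump: it flags tables that reference LIBVIRT_ chains or virbr0 as inserted by libvirtd through the iptables-nft wrapper, and lists input hooks that are still at policy accept. The ruleset text is a constructed sample trimmed from Edvard's dump; on a real host pass the live output as shown in the last comment.

```shell
# Constructed sample of `nft list ruleset` output, cut down from the dump above:
# one table that libvirtd inserted through iptables-nft, one the admin loaded himself.
SAMPLE_RULESET='table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		counter packets 1661 bytes 607849 jump LIBVIRT_INP
	}

	chain LIBVIRT_INP {
		iifname "virbr0" meta l4proto udp udp dport 53 counter packets 0 bytes 0 accept
	}
}
table inet myfw {
	chain input {
		type filter hook input priority 0; policy drop;
		ct state established,related accept
	}
}'

# Print "<family> <table>" for every table that references LIBVIRT_ chains or
# the virbr0 bridge. Those tables came from libvirtd (via the iptables-nft
# wrapper), not from /etc/sysconfig/nftables.conf, so flushing them only
# helps until the next libvirtd start.
libvirt_tables() {
    printf '%s\n' "$1" | awk '
        /^table / { family = $2; name = $3; tagged = 0 }
        /LIBVIRT_|virbr0/ { tagged = 1 }
        /^}/ { if (tagged) print family, name }'
}

# Print "<family> <table> <chain>" for every base chain hooked on input whose
# policy is accept: with only the libvirt tables loaded, INPUT is wide open.
open_input_chains() {
    printf '%s\n' "$1" | awk '
        /^table / { family = $2; name = $3 }
        /^[ \t]*chain / { chain = $2 }
        /hook input / && /policy accept/ { print family, name, chain }'
}

# Count base chains (chains bound to a hook); a table with none has no
# effect on traffic at all.
base_chain_count() {
    printf '%s\n' "$1" | grep -c 'type .* hook '
}

# Usage on a live system: libvirt_tables "$(sudo nft list ruleset)"
libvirt_tables "$SAMPLE_RULESET"
open_input_chains "$SAMPLE_RULESET"
base_chain_count "$SAMPLE_RULESET"
```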

Re: Where is the default nftables config file?

Posted: 2020/12/30 01:29:51
by Edvard
It's my retired laptop enjoying a second life as a home media server, private Minecraft server, and a VPN gateway hub.

AFAIK I could be using it as a headless server, but if I ever want physical access to it, I'd want a desktop environment, so GNOME is installed.

What can I disable safely? I never want to VNC in, since ssh is all I need. If I need physical access, it means I really messed up something, and I can't even get in by ssh.

Re: Where is the default nftables config file?

Posted: 2020/12/30 08:20:09
by jlehtone
Ok, it is clear that you don't need to create virtual machines (VM) to run on top of your CentOS.
Therefore, you can disable the virtualization service:

sudo systemctl disable libvirtd.service