For an embedded application, I want to configure the firewall dynamically. My idea is to make a separate table for each service. So I can use 'nft flush table inet' to clear the ruleset of a table and set it again. So I made tables for snmp, www, ssh, etc. So far so good, but how can I block the rest of the ports? I have created another table with 'type filter hook input priority 0; policy drop;'. But no matter which priority I use, after that ALL ports are blocked. What am I doing wrong in my first steps with nftables? Thanks for your help.
My config:
table inet firewall {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state invalid drop
        ct state established,related accept
        iifname "lo" counter packets 0 bytes 0 accept
        iifname "lo" ip saddr != 127.0.0.0/8 drop
        iifname "lo" ip6 saddr != ::1 drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
        ct state established accept
        oifname "lo" counter packets 0 bytes 0 accept
        oifname "lo" ip daddr != 127.0.0.0/8 drop
        oifname "lo" ip6 daddr != ::1 drop
    }
}
table inet web {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 80 accept
        tcp dport 443 accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
table inet snmp {
    chain input {
        type filter hook input priority 0; policy accept;
        udp dport 161 accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
        udp dport 162 drop
    }
}
table inet opc {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 4840 drop
        udp dport 4840 drop
    }
}
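The behaviour the question describes follows from how nftables evaluates several base chains registered on the same hook: a packet traverses every base chain on that hook in priority order, an accept verdict only ends evaluation of the chain that issued it, and a drop in any chain is final. A separate table whose input chain has policy drop therefore drops everything the per-service tables accepted, because those accepts do not exempt the packet from the drop table. The design below is an added example, not the poster's configuration, and it keeps the "one unit per service that can be flushed independently" idea while having a single point of policy: one base chain with policy drop that jumps into a regular (non-base) chain per service, plus a helper that replaces one service chain's rules in a single atomic nft -f transaction. The table and chain names (firewall, web, snmp, ssh) and the port numbers are assumptions chosen for the example; the NFT_APPLY guard is only there so the script prints the transaction instead of touching a live firewall unless explicitly asked to.

```shell
#!/bin/sh
# Added example (not the original poster's ruleset). Demonstrates one base
# chain with policy drop and per-service regular chains that can be flushed
# and refilled independently without opening or closing anything else.

# Emit the complete ruleset. Only the three hook chains are base chains;
# the service chains have no hook and no policy, so they can only add
# accepts on top of the base chain's drop policy.
base_ruleset() {
  cat <<'EOF'
flush ruleset
table inet firewall {
    # Service chains: regular chains, one per service, flushed individually.
    chain web {
        tcp dport { 80, 443 } accept
    }
    chain snmp {
        udp dport 161 accept
    }
    chain ssh {
        tcp dport 22 accept
    }
    # Single input policy. An accept inside a jumped-to chain is final for
    # this base chain; anything not accepted falls through to policy drop.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname "lo" accept
        jump web
        jump snmp
        jump ssh
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Emit a transaction that replaces the rules of one service chain.
# Usage: service_transaction <chain> <rule>...
# Fed to 'nft -f -' as one file, the flush and the new rules are committed
# atomically, so the service is never momentarily unreachable or fully open.
service_transaction() {
  chain=$1
  shift
  printf 'flush chain inet firewall %s\n' "$chain"
  for rule in "$@"; do
    printf 'add rule inet firewall %s %s\n' "$chain" "$rule"
  done
}

# Apply stdin with nft only when NFT_APPLY=1, nft exists and we are root;
# otherwise print the transaction so it can be reviewed first.
apply() {
  if [ "${NFT_APPLY:-0}" = "1" ] && command -v nft >/dev/null 2>&1 \
     && [ "$(id -u)" -eq 0 ]; then
    nft -f -
  else
    cat
  fi
}

# Load the full ruleset, then reconfigure only the web service (HTTPS only).
base_ruleset | apply
service_transaction web 'tcp dport 443 accept' | apply
```

Run it as-is to see the generated ruleset and the two-line transaction; run with NFT_APPLY=1 as root to load them, then confirm with nft list ruleset that there is exactly one input base chain and that the web chain contains only the HTTPS rule. Disabling a service entirely is service_transaction with no rules, which leaves an empty chain and lets the base policy drop its ports.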