Nftables Router Tutorial: Difference between revisions
Revision as of 01:31, 28 March 2024
Warning: This is incomplete and untrustworthy! Do not expect anything to be useful or accurate before this warning is removed.
This tutorial is meant to show how to use nftables to build a router suitable for a home or boat.
Setup
Make sure that ip_forward is enabled in the kernel.
sysctl net.ipv4.conf.all.forwarding
net.ipv4.conf.all.forwarding = 0
This shows that it's disabled. To enable it, and make sure it's set when the system reboots, edit (or create) the file "/etc/sysctl.d/99-custom.conf" and add (or update) the lines:
# Added for router function support
net.ipv4.conf.all.forwarding = 1
Now reload the config:
sysctl --system
* Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...
* Applying /usr/lib/sysctl.d/50-coredump.conf ...
* Applying /usr/lib/sysctl.d/50-default.conf ...
* Applying /usr/lib/sysctl.d/50-libkcapi-optmem_max.conf ...
* Applying /usr/lib/sysctl.d/50-pid-max.conf ...
* Applying /usr/lib/sysctl.d/50-redhat.conf ...
* Applying /etc/sysctl.d/99-custom.conf ...
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.conf ...
kernel.yama.ptrace_scope = 0
kernel.core_pattern = |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h
...<snip>...
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.wlp58s0.rp_filter = 1
net.ipv4.conf.all.forwarding = 1
Now we can verify that forwarding is enabled:
sysctl net.ipv4.conf.all.forwarding
net.ipv4.conf.all.forwarding = 1
Now ip_forward is enabled!
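The "add (or update)" step above is easy to get wrong by hand (two lines for the same key, the last one silently winning). This added example, which is not part of the wiki page, does it idempotently for any sysctl drop-in file and reads the value back the same way the verification step does. The function names, the temporary-file name and the `PROCFS_ROOT` parameter (defaulting to `/proc/sys`) are assumptions made here so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not the wiki's own code): add-or-update a key in a sysctl
# drop-in and check the kernel's live value, mirroring the tutorial's steps.
set -eu

# Escape dots so the key can be used literally in a basic regular expression.
key_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# sysctl_upsert FILE KEY VALUE
# Writes "KEY = VALUE" into FILE, replacing any existing assignment of KEY
# (spaces around '=' tolerated), so repeated runs leave exactly one line.
# Comments and assignments of other keys are preserved unchanged.
sysctl_upsert() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp"   # assumed scratch name; replaced atomically with mv
    if [ -f "$file" ]; then
        grep -v "^[[:space:]]*$(key_re "$key")[[:space:]]*=" "$file" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# sysctl_file_get FILE KEY
# Prints the value the file assigns to KEY. Like sysctl --system, the last
# assignment wins; prints nothing if the key is absent.
sysctl_file_get() {
    file=$1; key=$2
    sed -n "s/^[[:space:]]*$(key_re "$key")[[:space:]]*=[[:space:]]*//p" "$file" | tail -n 1
}

# forwarding_enabled [PROCFS_ROOT]
# Succeeds only if the kernel is currently forwarding IPv4 on all interfaces,
# i.e. what "sysctl net.ipv4.conf.all.forwarding" reports as 1. Remember that
# a forwarding box with no filtering ruleset loaded routes everything it sees.
forwarding_enabled() {
    root=${1:-/proc/sys}
    [ "$(cat "$root/net/ipv4/conf/all/forwarding" 2>/dev/null)" = "1" ]
}
```

On a real router you would run `sysctl_upsert /etc/sysctl.d/99-custom.conf net.ipv4.conf.all.forwarding 1` as root, then `sysctl --system`, and `forwarding_enabled` reproduces the final check from the tutorial.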
Configuring nftables