Nftables Router Tutorial: Difference between revisions
Revision as of 01:44, 28 March 2024


Warning: This is incomplete and untrustworthy! Do not expect anything to be useful or accurate before this warning is removed.

This tutorial is meant to show how to use nftables to build a router suitable for a home or boat.

This tutorial is written for RHEL 9 or distros based on it, like AlmaLinux 9 and Rocky Linux 9.

Setup

Before we configure nftables, we need to set up the machine first.

Enabling ipv4 Forwarding

Make sure that ip_forward is enabled in the kernel.

sysctl net.ipv4.conf.all.forwarding
net.ipv4.conf.all.forwarding = 0

This shows that forwarding is disabled. To enable it, and to make sure it stays enabled across reboots, edit (or create) the file "/etc/sysctl.d/99-custom.conf" and add (or update) the lines;

# Added for router function support
net.ipv4.conf.all.forwarding = 1

Now reload the config;

sysctl --system
* Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...
* Applying /usr/lib/sysctl.d/50-coredump.conf ...
* Applying /usr/lib/sysctl.d/50-default.conf ...
* Applying /usr/lib/sysctl.d/50-libkcapi-optmem_max.conf ...
* Applying /usr/lib/sysctl.d/50-pid-max.conf ...
* Applying /usr/lib/sysctl.d/50-redhat.conf ...
* Applying /etc/sysctl.d/99-custom.conf ...
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.conf ...
kernel.yama.ptrace_scope = 0
kernel.core_pattern = |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h
...<snip>...
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.wlp58s0.rp_filter = 1
net.ipv4.conf.all.forwarding = 1

Now we can verify that forwarding is enabled;

sysctl net.ipv4.conf.all.forwarding
net.ipv4.conf.all.forwarding = 1

Now ip_forward is enabled!
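The steps above (check the current value, add or update the line in the drop-in file, reload, verify) can be collected into a small script. The following is an added example written for this page, not a script from the Alteeve wiki; it assumes the same drop-in path the tutorial uses, /etc/sysctl.d/99-custom.conf, and that SYSCTL_CONF may be pointed at another file (for example a temporary one) when you only want to exercise the file-editing logic. Unlike a plain "echo >> file", it will not add a second copy of the key if the file already has one.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): idempotently set a
# sysctl key in a drop-in file, reload sysctl, and report the live value.
# Assumption: SYSCTL_CONF defaults to the tutorial's drop-in file; override
# it to edit a different file.
SYSCTL_CONF=${SYSCTL_CONF:-/etc/sysctl.d/99-custom.conf}

# ensure_sysctl_line FILE KEY VALUE
# Writes "KEY = VALUE" into FILE, replacing an existing line for KEY if
# there is one, otherwise appending it with the tutorial's comment.
ensure_sysctl_line() {
    file=$1; key=$2; value=$3
    if [ -f "$file" ] && grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        # The key contains dots, which are regex metacharacters for sed.
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')
        sed -i "s/^[[:space:]]*$esc[[:space:]]*=.*/$key = $value/" "$file"
    else
        printf '# Added for router function support\n%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_conf_value FILE KEY
# Prints the value configured for KEY in FILE (last matching line wins,
# which is how sysctl itself resolves duplicates within one file).
get_conf_value() {
    grep "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed 's/.*=[[:space:]]*//'
}

# live_forwarding
# Prints 1 if the kernel is currently forwarding IPv4, 0 if not, and
# "unknown" when /proc is not readable (e.g. inside a restricted sandbox).
live_forwarding() {
    cat /proc/sys/net/ipv4/conf/all/forwarding 2>/dev/null || echo unknown
}

# main: apply the change and reload, as root. Invoked only when the script
# is run with the argument "apply" so that sourcing it has no side effects.
main() {
    ensure_sysctl_line "$SYSCTL_CONF" net.ipv4.conf.all.forwarding 1
    sysctl --system >/dev/null
    echo "net.ipv4.conf.all.forwarding = $(live_forwarding)"
}

if [ "${1:-}" = "apply" ]; then
    main
fi
```

Run it as root with `sh enable-forwarding.sh apply` (name assumed). One thing worth keeping in mind when doing this by hand as well: once forwarding is on, the kernel forwards packets between every interface it has before any nftables rule set exists, so on a box that already has an upstream interface up it is better to have the rules from the following section ready before flipping the switch.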

Disable firewalld

On RHEL 9, firewalld manages its own rule set on top of nftables, so running it alongside hand-written nftables rules would leave two tools fighting over the same firewall. We therefore disable it.

systemctl disable --now firewalld.service
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".

Configuring nftables
