nft list ruleset
nft list ruleset > /etc/nftables.conf
nft -f <<filename>>
nft list tables
nft add rule inet filter input ip daddr 127.0.0.8 drop
First find the handle:
nft --handle --numeric list chain inet filter input
Then delete the corresponding handle:
nft delete rule inet filter input handle 21
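As an added example (not part of the original notes), a small POSIX shell helper that automates the two steps above: it parses the output of `nft --handle --numeric list chain inet filter input`, finds the handle of the rule whose text matches exactly, and builds the corresponding `nft delete rule ... handle N` command. Handles are renumbered whenever the ruleset is reloaded, so resolving them from a fresh listing is safer than hard-coding a number like 21. The chain listing below is a constructed sample embedded in the script so it runs without root or nftables installed; the function names, the sample rules and their handle numbers are assumptions.

```shell
#!/bin/sh
# Added example: look up an nft rule handle by its exact rule text and build the
# matching "nft delete rule ... handle N" command.

# Constructed sample of: nft --handle --numeric list chain inet filter input
# In real use replace it with:
#   CHAIN_LISTING=$(nft --handle --numeric list chain inet filter input)
CHAIN_LISTING='table inet filter {
    chain input { # handle 2
        type filter hook input priority filter; policy drop;
        ct state established,related accept # handle 5
        ct state invalid drop # handle 6
        iif "lo" accept # handle 7
        tcp dport { 80, 443 } accept # handle 12
        tcp dport 58081 accept # handle 21
        ip daddr 127.0.0.8 drop # handle 22
    }
}'

# find_rule_handle RULE_TEXT: print the handle of the rule whose text is exactly
# RULE_TEXT (without the trailing "# handle N"); prints nothing if none matches.
find_rule_handle() {
    printf '%s\n' "$CHAIN_LISTING" | awk -v want="$1" '
        /# handle [0-9]+$/ {
            line = $0
            sub(/^[ \t]+/, "", line)                    # strip indentation
            handle = line; sub(/.*# handle /, "", handle)
            rule = line;   sub(/ # handle [0-9]+$/, "", rule)
            if (rule == want) { print handle; exit }  # first exact match wins
        }'
}

# delete_rule_cmd RULE_TEXT: print the nft command that removes that rule, or
# fail (exit status 1) when the rule is not present in the listing.
delete_rule_cmd() {
    h=$(find_rule_handle "$1")
    if [ -z "$h" ]; then
        echo "no rule in inet filter input matches: $1" >&2
        return 1
    fi
    printf 'nft delete rule inet filter input handle %s\n' "$h"
}

# Example run: resolve the handle of the drop rule and show the delete command
# (it is printed, not executed, so the script can be reviewed first).
delete_rule_cmd 'ip daddr 127.0.0.8 drop'
```

The delete command is printed rather than executed; once the handle is confirmed, pipe the output to `sh` or run it by hand. Matching on the exact rule text (rather than a substring) avoids deleting a neighbouring rule that merely shares a prefix such as `tcp dport`.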
apt install nftables
Configuration file:
/etc/nftables.conf
https://openwrt.org/docs/guide-user/firewall/misc/nftables
nftables can also be used on OpenWrt, but the rules then have to be managed from the command line and without UCI.
# Variables
define ipv6_ofden = 2001:1234:1234:1b::/64
define ipv6_rx = 2a00:1234:0:108::/64
define ipv6_trusted = { $ipv6_ofden, $ipv6_rx }
define port_ssh_local = 58081
define port_rocketchat = 3000

table inet filter {
    chain inputtrusted {
        type filter hook input priority 0; policy accept;
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # STATES
        ct state established,related accept
        ct state invalid drop

        # Input Interface
        iif "lo" accept

        # Generals
        icmpv6 type { destination-unreachable, echo-request, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
        icmp type { echo-request, destination-unreachable, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
        ip protocol igmp accept

        # Allow Incoming http Traffic
        tcp dport { http, https } accept

        # Allow Incoming RocketChat Traffic
        tcp dport { $port_rocketchat } accept

        # SSH alternative Port
        tcp dport { $port_ssh_local } accept

        # doesn't work
        ip6 saddr $ipv6_trusted accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}