############################
# 1) Create a table
# A table is only a container for 'chains', and chains hold the 'rules'.
# This tutorial uses a single table called 'default'; nothing stops you
# from creating several.
#
# The address family ('ip') is part of the table's identity: an 'ip' table
# only ever sees IPv4 packets. IPv6 traffic is NOT filtered by anything in
# this tutorial unless you build an equivalent 'ip6' table (the 'inet'
# family exists to hook both stacks with one ruleset).

nft add table ip default
# (Use 'ip6' instead of 'ip' for an IPv6 table)

# Show every table currently loaded, whatever its family:

nft list tables

# Remove the table again (this also deletes every chain and rule in it):

nft delete table ip default



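############################
# 2) Creating input and output chains:
#
# Base chains attach to a netfilter hook: 'input' sees packets addressed
# to this host, 'output' sees packets generated by it.
#
# The chain specification must reach nft as ONE argument. Typed unquoted,
# the ';' inside the braces is consumed by the shell as a command
# separator, so nft gets a truncated spec and the shell then tries to run
# '}' as a command. Quoting the braces (or escaping the ';' as '\;')
# avoids that; a file loaded with 'nft -f' needs no quoting.
#
# No 'policy' is set here, so a chain accepts everything until the final
# 'drop' rule from section 3 is in place — and falls back to accepting
# everything again if that rule is deleted or the chain is flushed.
# Add 'policy drop;' inside the braces if you prefer a fail-closed chain
# (but only after the rules that keep your own access alive are ready).

nft add chain ip default INBOUND_TRAFFIC '{ type filter hook input priority 0; }'
nft add chain ip default OUTBOUND_TRAFFIC '{ type filter hook output priority 0; }'

# To view the chains:
nft list table ip default

# To remove a chain (it must not contain rules any more — flush it first):
nft delete chain ip default OUTBOUND_TRAFFIC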



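############################
# 3) Creating our rules
#
# We open what we need, then we close: rules are evaluated top to bottom,
# and the last rule of each chain drops whatever nothing above accepted.
#
# WARNING: applying these over SSH cuts your session the moment the final
# 'drop' rule is added, because nothing below accepts port 22. Work from a
# console, or accept your own management traffic first.

# Let return traffic through. Without this every 'accept' below only opens
# half a connection: the replies of our web server leave through
# OUTBOUND_TRAFFIC with *source* port 443, which no rule accepts, so they
# hit the terminal drop. Matching on conntrack state (not on source ports,
# which any remote host can forge) admits only packets that belong to a
# connection this host already allowed.

nft add rule default INBOUND_TRAFFIC ct state established,related accept
nft add rule default OUTBOUND_TRAFFIC ct state established,related accept

# Example: opening a port for TCP (such as HTTPS, for your web server)

nft add rule default INBOUND_TRAFFIC tcp dport 443 accept

# Allowing outgoing ping (without making this host pingable).
# Conntrack pairs echo replies with our requests, so the 'established'
# rule above already admits them; the second line is kept only to show an
# ICMP match. Note it accepts ANY echo-reply, solicited or not.

nft add rule default OUTBOUND_TRAFFIC icmp type echo-request accept
nft add rule default INBOUND_TRAFFIC icmp type echo-reply accept

# Allowing HTTPS outbound (this host as a client):

nft add rule default OUTBOUND_TRAFFIC tcp dport 443 accept

# Closing:

nft add rule default INBOUND_TRAFFIC drop
nft add rule default OUTBOUND_TRAFFIC drop

# To view our rules together with their handles (-a):

nft -a list table ip default

# Each rule is identified by its handle (the 'handle N' printed by -a),
# not by its line position, and is deleted or replaced through that
# handle. Handles stay stable while positions shift whenever a rule is
# inserted or removed. To delete the rule shown as "handle 1":

nft delete rule default OUTBOUND_TRAFFIC handle 1

# To insert a rule just before the rule with handle 1
# ('position' takes a handle number; 'add ... position N' adds after it):

nft insert rule default OUTBOUND_TRAFFIC position 1 ip daddr 132.18.24.16 drop

# Ban an IP. Inbound, the remote host is the *source* address; outbound it
# is the *destination* (on the output hook 'ip saddr' is our own address,
# so a saddr rule there would never match the banned host).
# 'insert' prepends the rule to the chain: a ban must sit ABOVE the accept
# rules (including the 'established' one, so an existing connection from
# that host is cut too). With 'add' it would land after the terminal drop
# and never be reached.

nft insert rule default INBOUND_TRAFFIC ip saddr 132.18.24.16 drop
nft insert rule default OUTBOUND_TRAFFIC ip daddr 132.18.24.16 drop

# To ban an entire subnet, use CIDR notation with the network address,
# e.g. 132.18.24.0/24 (covers 132.18.24.0 – 132.18.24.255).

# Delete all rules from OUTBOUND_TRAFFIC in our "default" table.
# This removes the terminal drop too: the chain accepts everything until
# new rules are loaded.

nft flush chain default OUTBOUND_TRAFFIC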


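###########################################################

# Create a scripted rules file: /etc/nftables.conf
#
# Most distributions ship an /etc/nftables.conf that already defines a
# default table; copy it aside and write your own as shown below. As with
# ipf, the interpreter is named on the first line of the file so it can be
# executed directly (or loaded with 'nft -f /etc/nftables.conf').
# Check the binary's path on your system — it is /usr/sbin/nft on many
# distributions — and validate the file with 'nft -c -f <file>' before
# loading it.
#
# What follows is deliberately basic: this host accepts SSH, acts as a
# client for HTTP, HTTPS and DNS, and can ping out.
#
# Return traffic is matched on connection-tracking state, never on source
# ports. An inbound 'tcp sport 80 accept' or 'udp sport 53 accept' admits
# ANY packet whose source port is 80 or 53 to ANY local port — a remote
# attacker just sets that source port and walks past the firewall.
# 'ct state established,related' only admits packets that belong to a
# connection this host opened or explicitly accepted.
#
# The file starts here (the #! line must be its very first line):

#!/sbin/nft -f

# Start from a clean slate. 'flush ruleset' removes EVERY table in every
# family, including those installed by other tools (Docker, libvirt,
# firewalld, fail2ban ...), so make sure nothing else manages nftables on
# this host.
flush ruleset

# Creation of the default table (IPv4 only — see section 1)
add table ip default

# Creation of inbound and outbound chains.
# (add 'policy drop;' inside the braces for a fail-closed chain; the final
# 'drop' rules below then become redundant)
add chain ip default INBOUND_TRAFFIC { type filter hook input priority 0; }
add chain ip default OUTBOUND_TRAFFIC { type filter hook output priority 0; }

# Loopback: local services talk to each other over 'lo'; dropping it
# breaks them.
add rule ip default INBOUND_TRAFFIC iif lo accept
add rule ip default OUTBOUND_TRAFFIC oif lo accept

# Return traffic for everything accepted below. Packets conntrack cannot
# classify are dropped outright.
add rule ip default INBOUND_TRAFFIC ct state invalid drop
add rule ip default INBOUND_TRAFFIC ct state established,related accept
add rule ip default OUTBOUND_TRAFFIC ct state established,related accept

# Services offered by this host (the SSH replies are covered by the
# 'established' rule above):
add rule ip default INBOUND_TRAFFIC tcp dport 22 accept

# Connections this host may open. DNS over TCP (used for large answers)
# is not allowed here; add 'tcp dport 53 accept' if your resolver needs it.
add rule ip default OUTBOUND_TRAFFIC tcp dport 80 accept
add rule ip default OUTBOUND_TRAFFIC tcp dport 443 accept
add rule ip default OUTBOUND_TRAFFIC udp dport 53 accept
add rule ip default OUTBOUND_TRAFFIC icmp type echo-request accept

# Close the firewall:
add rule ip default INBOUND_TRAFFIC drop
add rule ip default OUTBOUND_TRAFFIC drop

###########################################################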

# I encourage you to refer to the following article for further details (especially regarding the flags):
# https://wiki.gentoo.org/wiki/Nftables/Examples#Typical_workstation_.28separate_IPv4_and_IPv6.29