Firewall on Dhoomketu

Using nftables for dynamic rules

Thu, 09 Oct 2025 00:00:00 +0000

Create ruleset

File `nftables.conf`

table inet mytable {
    set block_network {
        type ipv4_addr
        timeout 1h
        flags interval
    }
    set block_network6 {
        type ipv6_addr
        timeout 1h
        flags interval
    }

    chain input {
        type filter hook input priority 0;
        ip saddr @block_network drop
        ip6 saddr @block_network6 drop
    }
}

Load ruleset

nft -f nftables.conf

List ruleset

nft list ruleset

Add element

nft add element ip my_filter block_network { 192.0.2.0/24; }
nft add element ip6 my_filter block_network6 { 2001:db8::/32; }

Delete element

nft delete element ip my_filter block_network { 192.0.2.0/24; }
nft delete element ip6 my_filter block_network6 { 2001:db8::/32; }

Flush set

nft flush ip my_filter block_network
nft flush ip6 my_filter block_network6

Backup

nft list ruleset > nftables.conf

Restore

nft restore < nftables.conf

Delete

Table

nft delete table inet mytable

Set

nft delete set ip my_filter block_network
nft delete set ip6 my_filter block_network6

Rule

nft delete rule ip my_filter INPUT ip saddr @block_network drop
nft delete rule ip6 my_filter INPUT ip6 saddr @block_network6 drop

Using ipset for dynamic rules

Wed, 25 Jun 2025 00:00:00 +0000

Create set

IPv4

ipset create block_network hash:net family inet
ipset create block_network hash:net timeout 3600 family inet

IPv6

ipset create block_network6 hash:net family inet6
ipset create block_network6 hash:net timeout 3600 family inet6

Create firewall rules

IPv4

iptables -I INPUT -m set --match-set block_network src -j DROP

IPv6

ip6tables -I INPUT -m set --match-set block_network6 src -j DROP

Block network

IPv4

ipset add block_network 192.0.2.0/24

IPv6

ipset add block_network6 2001:db8::/32

Unblock network

IPv4

ipset del block_network 192.0.2.0/24

IPv6

ipset del block_network6 2001:db8::/32

Flush set

IPv4

ipset flush block_network

IPv6

ipset flush block_network6

Delete set

ipset destroy block_network
ipset destroy block_network6

Backup

ipset save block_network > block_network.ipset
ipset save block_network6 > block_network6.ipset

Restore

ipset restore < block_network.ipset
ipset restore < block_network6.ipset

Delete firewall

iptables -D INPUT -m set --match-set block_network src -j DROP
ip6tables -D INPUT -m set --match-set block_network6 src -j DROP

Firewall on Dhoomketu

Using nftables for dynamic rules

Create ruleset

File nftables.conf

Load ruleset

List ruleset

Add element

Delete element

Flush set

Backup

Restore

Delete

Table

Set

Rule

Using ipset for dynamic rules

Create set

IPv4

IPv6

Create firewall rules

IPv4

IPv6

Block network

IPv4

IPv6

Unblock network

IPv4

IPv6

Flush set

IPv4

IPv6

Delete set

Backup

Restore

Delete firewall

File `nftables.conf`