= Linux/NfTablesFirewall =

 * nftables (Net Filter Tables): as of 2022 the fourth-generation Linux firewall configuration framework.

=== NFT commands ===

 * Ensure NFT is enabled
{{{
systemctl status nftables
systemctl enable --now nftables
}}}

 * List tables
{{{
nft list ruleset
nft list tables
nft list table ip filter
nft list table ip nat
}}}

 * Chain bindings to netfilter hooks
|| Family || Hooks ||
|| ip / ip6 / inet || prerouting, input, forward, output, postrouting ||
|| arp || input, output ||
|| bridge || prerouting, input, forward, output, postrouting ||

=== NFT and Docker ===

 * Link: https://ehlers.berlin/blog/nftables-and-docker/
 * Docker still uses iptables to add its rules; this works with nftables if a few simple rules are followed:
   1. Start nft first, from /etc/nftables.conf loaded by systemctl (a later `flush ruleset` would wipe the rules Docker added).
   2. Use the chain names iptables/Docker expect and can add rules to: '''INPUT, OUTPUT & FORWARD'''

=== Examples ===

 * Basic nft firewall
{{{
#!nft
#!/sbin/nft -f
# Prerequisite for the forward chain: sysctl -w net.ipv4.ip_forward=1
# Interfaces assumed here: eth1 = LAN, wlan0 = WIFI
flush ruleset

table ip filter {
    # allow all packets sent by the firewall machine itself
    chain outp {
        type filter hook output priority 101; policy accept;
    }

    # allow LAN and WIFI to the firewall, drop everything else (e.g. WAN)
    chain inp {
        type filter hook input priority 1; policy drop;
        iifname "lo" accept
        ct state established,related accept
        iifname { "eth1", "wlan0" } accept
    }

    # allow packets from LAN to WIFI and back
    chain fwd-wifi {
        type filter hook forward priority 1; policy drop;
        iifname "eth1" oifname "wlan0" accept
        iifname "wlan0" oifname "eth1" accept
    }
}

table ip nat {
    # masquerade traffic leaving towards the LAN (eth1), e.g. from WIFI clients
    chain postrout {
        type nat hook postrouting priority 101; policy accept;
        oifname "eth1" masquerade
    }
}
}}}

 * Port knocking example - https://wiki.nftables.org/wiki-nftables/index.php/Port_knocking_example
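 * Docker-compatible base ruleset. This is an added example (not from the page above nor from the linked blog) of an /etc/nftables.conf that follows the two "NFT and Docker" rules: it pre-creates the `ip filter` and `ip nat` tables with the chain names and hook priorities that iptables-nft uses, so Docker's own rules (DOCKER, DOCKER-USER, ...) are appended into these chains instead of a second, competing set of tables. The SSH accept rule is an illustrative assumption; adjust it to the host.

```nft
#!/sbin/nft -f
# Added example: base ruleset that iptables-nft / Docker can add rules to.
# Load this before docker.service; reloading it later flushes Docker's rules,
# so restart docker afterwards to let it re-create them.
flush ruleset

table ip filter {
    # iptables-nft chain names in the filter table: INPUT, FORWARD, OUTPUT
    chain INPUT {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        tcp dport 22 accept comment "ssh to the host (assumed)"
    }
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Docker inserts its jumps to DOCKER-USER / DOCKER-ISOLATION here
    }
    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }
}

table ip nat {
    # iptables-nft chain names and priorities in the nat table
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
    }
    chain INPUT {
        type nat hook input priority 100; policy accept;
    }
    chain OUTPUT {
        type nat hook output priority -100; policy accept;
    }
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
    }
}
```

Validate the file without loading it with `nft -c -f /etc/nftables.conf`, then enable nftables as shown under "NFT commands" so it starts before Docker. After editing and reloading the file, `systemctl restart docker` re-creates the DOCKER chains that the `flush ruleset` removed; `nft list table ip filter` should then show Docker's jumps inside FORWARD.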