I-R-Coops Blog

The nerdy life of Cooper Ry Lees !

g33k linux

nftables

By cooperlees #discovery, #ip6, #ipv6, #nd, #neighbor, #nft, #nftables

Are you using the latest Linux kernel firewall?. Here are some notes I've saved that I use and forget all the time.
I plan to add to this as I do more. Hopefully it helps you work something out one day.

Note: I am using inet tables combining my IPv4 and IPv6 rulesets.

List Tables

sudo nft list table inet filter -n -a
sudo nft list table inet nat -n -a

  • -n: numeric
  • -a: handle (object handles)

Add a rule

nft insert rule inet filter OUTPUT position 0 icmpv6 type {nd-router-advert} drop

Delete a rule

nft delete rule inet filter OUTPUT handle 41

ICMPv6 Types

Noting some handy IPv6 ICMP types. I use nftables to block RAs when my WAN is down.

  • nd-router-advert == 134

tcpdump expressions

  • tcpdump -v -i en0 'ip6[40] = 134'

By cooperlees

Related Post

g33k linux tech

systemd … targeting Requires=, Wants, Before= and happily ever After= again …

cooperlees
g33k linux tech

Book REVIEW: Linux Service Management Made Easy with systemd: Advanced techniques to effectively manage, control, and monitor Linux systems and services 1st Edition

cooperlees
g33k python

CLI Templates for Python + Rust

cooperlees

Leave a Reply

Your email address will not be published. Required fields are marked *

You Missed

g33k linux tech

systemd … targeting Requires=, Wants, Before= and happily ever After= again …

g33k linux tech

Book REVIEW: Linux Service Management Made Easy with systemd: Advanced techniques to effectively manage, control, and monitor Linux systems and services 1st Edition

g33k python

CLI Templates for Python + Rust

cisco g33k juniper linux tech

Stop IPv4 Point-To-Point Addressing your Networks