# IPv6: NAT64, DNS64, 464XLAT, DHCPv6, SLAAC, and nftables
[Netfilter](https://netfilter.org/index.html) is the packet filtering framework of the Linux kernel.
Why use nftables instead of {ip,ip6,eb,arp}tables, besides tidiness?
A non-trivial case is filtering IPv4 and IPv6 at the same time: with the legacy tools each family needs its own tables and chains activated separately, whereas nftables can handle both in a single `inet` table.[^why-nftables]
See also: [firewalld libnftables](https://firewalld.org/2019/09/libnftables-JSON).
Libvirt and firewalld on CentOS 8 use nftables as their backend; even the `iptables` command is a symlink to `xtables-nft-multi`, as shown by
```
readlink $(which iptables)
```
> In other words, if nftables is running behind firewalld, the rules displayed in iptables are incorrect!
> So use nft instead of iptables to check the rules![^CompareFirewalld]
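As an added example (not from these notes, nor from firewalld), the following script shows the two points above in practice: a single `inet` table that filters IPv4 and IPv6 together, and a check of whether the local `iptables` is the nft-backed shim, so that the ruleset is read back with `nft` rather than `iptables`. The table name `filter`, the SSH port default, the `NFT_DEMO` guard and the temporary file are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original notes): one nftables "inet" table
# that filters IPv4 and IPv6 together, plus a check that the iptables
# binary on this host is really the nft-backed shim.
# Assumes nft and iproute2 are installed; root is needed only for apply.

# Classify an iptables binary by its resolved path (pure, testable).
# "nft" for the xtables-nft-multi shim, "legacy" for xtables-legacy-multi.
iptables_backend_of() {
    case "$1" in
        *xtables-nft-multi*)    echo nft ;;
        *xtables-legacy-multi*) echo legacy ;;
        *)                      echo unknown ;;
    esac
}

# Resolve the installed iptables command through its symlinks and classify it.
iptables_backend() {
    bin=$(command -v iptables 2>/dev/null) || { echo unknown; return 0; }
    iptables_backend_of "$(readlink -f "$bin")"
}

# Print a dual-stack ruleset. With family "inet" one base chain sees both
# IPv4 and IPv6; family-specific matches (icmp/icmpv6) are used only where
# the two protocols genuinely differ. $1 = SSH port to allow (default 22).
dual_stack_ruleset() {
    port=${1:-22}
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state { established, related } accept
        ct state invalid drop
        iifname "lo" accept
        # IPv4 ICMP: errors and echo only
        icmp type { destination-unreachable, time-exceeded, echo-request } accept
        # IPv6 needs Neighbor Discovery and Router Advertisements to work at all
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        tcp dport $port ct state new accept
        # everything else falls through to the drop policy
    }
}
EOF
}

# Check the ruleset without applying it (nft -c), then apply it and read
# the table back with nft, not iptables, as the quoted note advises.
apply_checked() {
    f=$(mktemp)
    dual_stack_ruleset "$1" > "$f"
    nft -c -f "$f" || { rm -f "$f"; return 1; }
    nft -f "$f"
    rm -f "$f"
    nft list table inet filter
}

# Only touch the live firewall when explicitly asked and running as root.
if [ "${NFT_DEMO:-}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    echo "iptables backend: $(iptables_backend)"
    apply_checked 22
fi
```

Run it as root with `NFT_DEMO=1` to load the table; without the variable it only defines the functions.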

## Netlink sockets, UNIX domain sockets, and INET sockets
- INET sockets
  - communication across the internet
  - addressed by IP address and port
  - the archetypical sockets
- UNIX domain sockets
  - local IPC
  - addressed by a filesystem inode (path)
  - IPC with socket semantics
- Netlink sockets
  - user-kernel communication (mainly) or IPC (rarely)
  - addressed by PID (port ID)
  - an asynchronous version of ioctl with socket semantics
## Network Namespace
A network namespace is a new network stack with its own devices and routing tables.
Devices can be moved between network namespaces.
See details with `info ip-netns`; here is a summary.
List all network namespaces:
```
ip netns list
```
Note that there is always a default network namespace, which is not listed.
Monitor network namespace addition and deletion:
```
ip netns monitor
```
Create a network namespace:
```
ip netns add <ns>
```
Move a device to a network namespace:
```
ip link set <dev> netns <ns>
```
Attach a PID to a network namespace:
```
ip netns attach <ns> <pid>
```
List all PIDs attached to a network namespace:
```
ip netns pids <ns>
```
Determine the network namespace a process is attached to:
```
ip netns identify <pid>
```
Delete one or all network namespaces (the deletion actually takes place once no process is attached to the netns any more):
```
ip netns delete <ns>
ip -all netns delete
```
To kill all processes attached to a network namespace and delete the network namespace:
```
ip netns pids <ns> | xargs kill && ip netns del <ns>
```
Execute a command in a network namespace:
```
ip netns exec <ns> ...
```
To list the devices in a network namespace, execute `ip link` in the network namespace:
```
ip netns exec <ns> ip link
```
Note that the above is equivalent to the following shorthand:
```
ip -n <ns> link
```
Execute a command in all network namespaces (the command is run in each namespace in turn, regardless of failures in any of them):
```
ip -all netns exec ...
```
## veth
A veth is a pair of connected virtual devices created with:
```
ip link add <dev1> type veth peer name <dev2>
```
Packets entering one device exit the other unchanged.
The behaviour resembles two NICs connected by a single cable.
To place each end in a network namespace upon creation:
```
ip link add <dev1> netns <ns1> type veth peer <dev2> netns <ns2>
```
The devices are referred to by their names *dev1* and *dev2*, e.g.,
```
ip addr show <dev1>
ip addr show <dev2>
```
However, iproute2 almost always *displays* *dev1* as *dev1@dev2* and *dev2* as *dev2@dev1*.
The two devices refer to each other as peers.
To get the peer of a device:
```
ethtool -S <dev> | grep peer_ifindex
```
Since the physical device *eth0* has no peer, the command prints nothing:
```
ethtool -S eth0 | grep peer_ifindex
```
In contrast, the following should print `peer_ifindex: <index>`:
```
ethtool -S <dev1> | grep peer_ifindex
```
such that `ip link | grep '^<index>:'` prints
```
<index>: <dev2>@<dev1>: ...
```
This informs us that the peer of *dev1* is *dev2*; recall that *dev2* is displayed as *dev2@dev1* by iproute2.
## ip-link and ip-addr
Rename a device:
```
ip link set <dev> name <name>
```
Bring up a device:
```
ip link set <dev> up
```
Add an address to a device:
```
ip addr add <ip>/<mask> dev <dev>
```
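The commands of the three sections above combined into one script, as an added example that is not part of the original notes: two namespaces joined by a veth pair created directly into them, addressed, brought up, and checked by resolving each end's peer through `peer_ifindex`. The namespace names `lab-a`/`lab-b`, device names `veth-a`/`veth-b`, the 10.99.0.0/24 addresses, the sample listing and the `NETNS_DEMO` guard are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original notes): a two-namespace lab joined
# by a veth pair, using ip-netns, ip-link, ip-addr and ethtool as above.
# Building the lab needs root (CAP_NET_ADMIN); the parser below does not.

# Given an `ip link` listing on stdin and an ifindex, print the name of the
# device with that index, stripping the "@peer" suffix iproute2 appends.
name_for_ifindex() {
    awk -v idx="$1" -F': ' '$1 == idx { sub(/@.*/, "", $2); print $2; exit }'
}

# Constructed sample of `ip link` output, used to exercise the parser.
SAMPLE_LISTING='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
7: veth-b@veth-a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 02:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'

# peer_of <ns> <dev> <peer-ns>: ethtool -S reports the peer's ifindex, but
# an ifindex is only meaningful inside its own namespace, so the lookup is
# done in the namespace where the peer lives.
peer_of() {
    idx=$(ip netns exec "$1" ethtool -S "$2" | awk '/peer_ifindex/ { print $2 }')
    [ -n "$idx" ] || return 1
    ip -n "$3" link | name_for_ifindex "$idx"
}

lab_up() {
    ip netns add lab-a
    ip netns add lab-b
    # one command creates the pair and places each end in its namespace
    ip link add veth-a netns lab-a type veth peer name veth-b netns lab-b
    ip -n lab-a addr add 10.99.0.1/24 dev veth-a
    ip -n lab-b addr add 10.99.0.2/24 dev veth-b
    ip -n lab-a link set veth-a up
    ip -n lab-b link set veth-b up
    ip -n lab-a link set lo up
    ip -n lab-b link set lo up
}

lab_check() {
    echo "peer of veth-a: $(peer_of lab-a veth-a lab-b)"   # expected: veth-b
    echo "peer of veth-b: $(peer_of lab-b veth-b lab-a)"   # expected: veth-a
    ip netns exec lab-a ping -c 1 -W 1 10.99.0.2
}

lab_down() {
    # kill anything still attached first; deletion waits for that otherwise
    for ns in lab-a lab-b; do
        pids=$(ip netns pids "$ns")
        [ -n "$pids" ] && kill $pids
        ip netns delete "$ns"
    done
}

# Only build the lab when explicitly asked and running as root.
if [ "${NETNS_DEMO:-}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    lab_up && lab_check
    lab_down
fi
```

Run it as root with `NETNS_DEMO=1`; the lab is torn down at the end so it leaves no namespaces behind.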
## On a Fresh Fedora Installation
There are no iptables rules?!
```
iptables -L -n -vvv --line-numbers
```
```iptables
Chain INPUT (policy ACCEPT 27785 packets, 9887K bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 31046 packets, 2815K bytes)
num pkts bytes target prot opt in out source destination
```
List tables:
```
nft list tables
```
```
table ip filter
table ip6 filter
table bridge filter
table ip security
table ip raw
table ip mangle
table ip nat
table ip6 security
table ip6 raw
table ip6 mangle
table ip6 nat
table bridge nat
table inet firewalld
table ip firewalld
table ip6 firewalld
```
List the chains of a table:
```
nft list table inet firewalld
```
```nft
table inet firewalld {
chain raw_PREROUTING {
type filter hook prerouting priority raw + 10; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . iif oif missing drop
jump raw_PREROUTING_ZONES
}
chain raw_PREROUTING_ZONES {
iifname "wg-dell" goto raw_PRE_public
iifname "enp3s0" goto raw_PRE_public
goto raw_PRE_public
}
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_ZONES
}
chain mangle_PREROUTING_ZONES {
iifname "wg-dell" goto mangle_PRE_public
iifname "enp3s0" goto mangle_PRE_public
goto mangle_PRE_public
}
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
jump filter_INPUT_ZONES
ct state { invalid } drop
reject with icmpx type admin-prohibited
}
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
jump filter_FORWARD_IN_ZONES
jump filter_FORWARD_OUT_ZONES
ct state { invalid } drop
reject with icmpx type admin-prohibited
}
chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
}
chain filter_INPUT_ZONES {
iifname "wg-dell" goto filter_IN_public
iifname "enp3s0" goto filter_IN_public
goto filter_IN_public
}
chain filter_FORWARD_IN_ZONES {
iifname "wg-dell" goto filter_FWDI_public
iifname "enp3s0" goto filter_FWDI_public
goto filter_FWDI_public
}
chain filter_FORWARD_OUT_ZONES {
oifname "wg-dell" goto filter_FWDO_public
oifname "enp3s0" goto filter_FWDO_public
goto filter_FWDO_public
}
chain raw_PRE_public {
jump raw_PRE_public_pre
jump raw_PRE_public_log
jump raw_PRE_public_deny
jump raw_PRE_public_allow
jump raw_PRE_public_post
}
chain raw_PRE_public_pre {
}
chain raw_PRE_public_log {
}
chain raw_PRE_public_deny {
}
chain raw_PRE_public_allow {
}
chain raw_PRE_public_post {
}
chain filter_IN_public {
jump filter_IN_public_pre
jump filter_IN_public_log
jump filter_IN_public_deny
jump filter_IN_public_allow
jump filter_IN_public_post
meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_IN_public_pre {
}
chain filter_IN_public_log {
}
chain filter_IN_public_deny {
}
chain filter_IN_public_allow {
tcp dport 22 ct state { new, untracked } accept
ip daddr 224.0.0.251 udp dport 5353 ct state { new, untracked } accept
ip6 daddr ff02::fb udp dport 5353 ct state { new, untracked } accept
ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
}
chain filter_IN_public_post {
}
chain filter_FWDI_public {
jump filter_FWDI_public_pre
jump filter_FWDI_public_log
jump filter_FWDI_public_deny
jump filter_FWDI_public_allow
jump filter_FWDI_public_post
meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_FWDI_public_pre {
}
chain filter_FWDI_public_log {
}
chain filter_FWDI_public_deny {
}
chain filter_FWDI_public_allow {
}
chain filter_FWDI_public_post {
}
chain mangle_PRE_public {
jump mangle_PRE_public_pre
jump mangle_PRE_public_log
jump mangle_PRE_public_deny
jump mangle_PRE_public_allow
jump mangle_PRE_public_post
}
chain mangle_PRE_public_pre {
}
chain mangle_PRE_public_log {
}
chain mangle_PRE_public_deny {
}
chain mangle_PRE_public_allow {
}
chain mangle_PRE_public_post {
}
chain filter_FWDO_public {
jump filter_FWDO_public_pre
jump filter_FWDO_public_log
jump filter_FWDO_public_deny
jump filter_FWDO_public_allow
jump filter_FWDO_public_post
}
chain filter_FWDO_public_pre {
}
chain filter_FWDO_public_log {
}
chain filter_FWDO_public_deny {
}
chain filter_FWDO_public_allow {
}
chain filter_FWDO_public_post {
}
}
```
## On a Server with firewalld and libvirt
The same `iptables` listing on a server running firewalld, libvirt, Docker and WireGuard (the `virbr*`, `docker0` and `wg-dev-main` interfaces):
```iptables
Chain INPUT (policy ACCEPT 178K packets, 47M bytes)
num pkts bytes target prot opt in out source destination
1 461 28163 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
2 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
3 59 18237 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
4 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
5 0 0 ACCEPT udp -- virbr2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
6 0 0 ACCEPT tcp -- virbr2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
7 0 0 ACCEPT udp -- virbr2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
8 0 0 ACCEPT tcp -- virbr2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
9 0 0 ACCEPT udp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
10 0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
11 0 0 ACCEPT udp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
12 0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
Chain FORWARD (policy DROP 28 packets, 1456 bytes)
num pkts bytes target prot opt in out source destination
1 4922 31M ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
2 4705 342K ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
3 0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
4 0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
5 0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
6 0 0 ACCEPT all -- eno1np0 virbr2 0.0.0.0/0 10.0.1.0/24 ctstate RELATED,ESTABLISHED
7 0 0 ACCEPT all -- virbr2 eno1np0 10.0.1.0/24 0.0.0.0/0
8 0 0 ACCEPT all -- virbr2 virbr2 0.0.0.0/0 0.0.0.0/0
9 0 0 REJECT all -- * virbr2 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
10 0 0 REJECT all -- virbr2 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
11 87361 63M DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
12 87361 63M DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
13 0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
14 0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
15 0 0 ACCEPT all -- eno1np0 virbr1 0.0.0.0/0 10.0.0.0/24 ctstate RELATED,ESTABLISHED
16 0 0 ACCEPT all -- virbr1 eno1np0 10.0.0.0/24 0.0.0.0/0
17 0 0 ACCEPT all -- virbr1 virbr1 0.0.0.0/0 0.0.0.0/0
18 0 0 REJECT all -- * virbr1 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
19 0 0 REJECT all -- virbr1 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
20 0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
21 0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
22 62860 21M ACCEPT all -- wg-dev-main wg-dev-main 0.0.0.0/0 0.0.0.0/0
23 17000 1170K ACCEPT all -- wg-dev-main eno1np0 0.0.0.0/0 0.0.0.0/0
24 7473 41M ACCEPT all -- eno1np0 wg-dev-main 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 144K packets, 80M bytes)
num pkts bytes target prot opt in out source destination
1 59 19352 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
2 0 0 ACCEPT udp -- * virbr2 0.0.0.0/0 0.0.0.0/0 udp dpt:68
3 0 0 ACCEPT udp -- * virbr1 0.0.0.0/0 0.0.0.0/0 udp dpt:68
Chain DOCKER (1 references)
num pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num pkts bytes target prot opt in out source destination
1 87361 63M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
num pkts bytes target prot opt in out source destination
1 87361 63M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
```
The firewalld table on the same server, again listed with `nft list table inet firewalld`:
```nft
table inet firewalld {
ct helper helper-tftp-udp {
type "tftp" protocol udp
l3proto inet
}
chain raw_PREROUTING {
type filter hook prerouting priority raw + 10; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . iif oif missing drop
jump raw_PREROUTING_ZONES_SOURCE
jump raw_PREROUTING_ZONES
}
chain raw_PREROUTING_ZONES_SOURCE {
}
chain raw_PREROUTING_ZONES {
iifname "eno2np1" goto raw_PRE_public
iifname "eno1np0" goto raw_PRE_public
iifname "wg-dev-main" goto raw_PRE_trusted
iifname "lo" goto raw_PRE_trusted
iifname "pfsense@eno1np0" goto raw_PRE_public
iifname "virbr1" goto raw_PRE_libvirt
iifname "virbr2" goto raw_PRE_libvirt
iifname "virbr4" goto raw_PRE_libvirt
iifname "virbr5" goto raw_PRE_libvirt
iifname "virbr0" goto raw_PRE_libvirt
iifname "virbr6" goto raw_PRE_libvirt
iifname "virbr7" goto raw_PRE_libvirt
iifname "virbr3" goto raw_PRE_libvirt
goto raw_PRE_public
}
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_ZONES_SOURCE
jump mangle_PREROUTING_ZONES
}
chain mangle_PREROUTING_ZONES_SOURCE {
}
chain mangle_PREROUTING_ZONES {
iifname "eno2np1" goto mangle_PRE_public
iifname "eno1np0" goto mangle_PRE_public
iifname "wg-dev-main" goto mangle_PRE_trusted
iifname "lo" goto mangle_PRE_trusted
iifname "pfsense@eno1np0" goto mangle_PRE_public
iifname "virbr1" goto mangle_PRE_libvirt
iifname "virbr2" goto mangle_PRE_libvirt
iifname "virbr4" goto mangle_PRE_libvirt
iifname "virbr5" goto mangle_PRE_libvirt
iifname "virbr0" goto mangle_PRE_libvirt
iifname "virbr6" goto mangle_PRE_libvirt
iifname "virbr7" goto mangle_PRE_libvirt
iifname "virbr3" goto mangle_PRE_libvirt
goto mangle_PRE_public
}
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
jump filter_INPUT_ZONES_SOURCE
jump filter_INPUT_ZONES
ct state { invalid } drop
reject with icmpx type admin-prohibited
}
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
jump filter_FORWARD_IN_ZONES_SOURCE
jump filter_FORWARD_IN_ZONES
jump filter_FORWARD_OUT_ZONES_SOURCE
jump filter_FORWARD_OUT_ZONES
ct state { invalid } drop
reject with icmpx type admin-prohibited
}
chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
}
chain filter_INPUT_ZONES_SOURCE {
}
chain filter_INPUT_ZONES {
iifname "eno2np1" goto filter_IN_public
iifname "eno1np0" goto filter_IN_public
iifname "wg-dev-main" goto filter_IN_trusted
iifname "lo" goto filter_IN_trusted
iifname "pfsense@eno1np0" goto filter_IN_public
iifname "virbr1" goto filter_IN_libvirt
iifname "virbr2" goto filter_IN_libvirt
iifname "virbr4" goto filter_IN_libvirt
iifname "virbr5" goto filter_IN_libvirt
iifname "virbr0" goto filter_IN_libvirt
iifname "virbr6" goto filter_IN_libvirt
iifname "virbr7" goto filter_IN_libvirt
iifname "virbr3" goto filter_IN_libvirt
goto filter_IN_public
}
chain filter_FORWARD_IN_ZONES_SOURCE {
}
chain filter_FORWARD_IN_ZONES {
iifname "eno2np1" goto filter_FWDI_public
iifname "eno1np0" goto filter_FWDI_public
iifname "wg-dev-main" goto filter_FWDI_trusted
iifname "lo" goto filter_FWDI_trusted
iifname "pfsense@eno1np0" goto filter_FWDI_public
iifname "virbr1" goto filter_FWDI_libvirt
iifname "virbr2" goto filter_FWDI_libvirt
iifname "virbr4" goto filter_FWDI_libvirt
iifname "virbr5" goto filter_FWDI_libvirt
iifname "virbr0" goto filter_FWDI_libvirt
iifname "virbr6" goto filter_FWDI_libvirt
iifname "virbr7" goto filter_FWDI_libvirt
iifname "virbr3" goto filter_FWDI_libvirt
goto filter_FWDI_public
}
chain filter_FORWARD_OUT_ZONES_SOURCE {
}
chain filter_FORWARD_OUT_ZONES {
oifname "eno2np1" goto filter_FWDO_public
oifname "eno1np0" goto filter_FWDO_public
oifname "wg-dev-main" goto filter_FWDO_trusted
oifname "lo" goto filter_FWDO_trusted
oifname "pfsense@eno1np0" goto filter_FWDO_public
oifname "virbr1" goto filter_FWDO_libvirt
oifname "virbr2" goto filter_FWDO_libvirt
oifname "virbr4" goto filter_FWDO_libvirt
oifname "virbr5" goto filter_FWDO_libvirt
oifname "virbr0" goto filter_FWDO_libvirt
oifname "virbr6" goto filter_FWDO_libvirt
oifname "virbr7" goto filter_FWDO_libvirt
oifname "virbr3" goto filter_FWDO_libvirt
goto filter_FWDO_public
}
chain raw_PRE_libvirt {
jump raw_PRE_libvirt_pre
jump raw_PRE_libvirt_log
jump raw_PRE_libvirt_deny
jump raw_PRE_libvirt_allow
jump raw_PRE_libvirt_post
}
chain raw_PRE_libvirt_pre {
}
chain raw_PRE_libvirt_log {
}
chain raw_PRE_libvirt_deny {
}
chain raw_PRE_libvirt_allow {
}
chain raw_PRE_libvirt_post {
}
chain filter_IN_libvirt {
jump filter_IN_libvirt_pre
jump filter_IN_libvirt_log
jump filter_IN_libvirt_deny
jump filter_IN_libvirt_allow
jump filter_IN_libvirt_post
accept
}
chain filter_IN_libvirt_pre {
}
chain filter_IN_libvirt_log {
}
chain filter_IN_libvirt_deny {
}
chain filter_IN_libvirt_allow {
udp dport 67 ct state { new, untracked } accept
udp dport 547 ct state { new, untracked } accept
tcp dport 53 ct state { new, untracked } accept
udp dport 53 ct state { new, untracked } accept
tcp dport 22 ct state { new, untracked } accept
udp dport 69 ct helper set "helper-tftp-udp"
udp dport 69 ct state { new, untracked } accept
udp dport 6230 ct state { new, untracked } accept
tcp dport 8080 ct state { new, untracked } accept
tcp dport 8081 ct state { new, untracked } accept
meta l4proto icmp ct state { new, untracked } accept
meta l4proto ipv6-icmp ct state { new, untracked } accept
}
chain filter_IN_libvirt_post {
reject
}
chain mangle_PRE_libvirt {
jump mangle_PRE_libvirt_pre
jump mangle_PRE_libvirt_log
jump mangle_PRE_libvirt_deny
jump mangle_PRE_libvirt_allow
jump mangle_PRE_libvirt_post
}
chain mangle_PRE_libvirt_pre {
}
chain mangle_PRE_libvirt_log {
}
chain mangle_PRE_libvirt_deny {
}
chain mangle_PRE_libvirt_allow {
}
chain mangle_PRE_libvirt_post {
}
chain filter_FWDI_libvirt {
jump filter_FWDI_libvirt_pre
jump filter_FWDI_libvirt_log
jump filter_FWDI_libvirt_deny
jump filter_FWDI_libvirt_allow
jump filter_FWDI_libvirt_post
accept
}
chain filter_FWDI_libvirt_pre {
}
chain filter_FWDI_libvirt_log {
}
chain filter_FWDI_libvirt_deny {
}
chain filter_FWDI_libvirt_allow {
}
chain filter_FWDI_libvirt_post {
}
chain filter_FWDO_libvirt {
jump filter_FWDO_libvirt_pre
jump filter_FWDO_libvirt_log
jump filter_FWDO_libvirt_deny
jump filter_FWDO_libvirt_allow
jump filter_FWDO_libvirt_post
accept
}
chain filter_FWDO_libvirt_pre {
}
chain filter_FWDO_libvirt_log {
}
chain filter_FWDO_libvirt_deny {
}
chain filter_FWDO_libvirt_allow {
}
chain filter_FWDO_libvirt_post {
}
chain raw_PRE_public {
jump raw_PRE_public_pre
jump raw_PRE_public_log
jump raw_PRE_public_deny
jump raw_PRE_public_allow
jump raw_PRE_public_post
}
chain raw_PRE_public_pre {
}
chain raw_PRE_public_log {
}
chain raw_PRE_public_deny {
}
chain raw_PRE_public_allow {
}
chain raw_PRE_public_post {
}
chain filter_IN_public {
jump filter_IN_public_pre
jump filter_IN_public_log
jump filter_IN_public_deny
jump filter_IN_public_allow
jump filter_IN_public_post
meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_IN_public_pre {
}
chain filter_IN_public_log {
}
chain filter_IN_public_deny {
}
chain filter_IN_public_allow {
tcp dport 22 ct state { new, untracked } accept
tcp dport 2049 ct state { new, untracked } accept
tcp dport 53 ct state { new, untracked } accept
udp dport 53 ct state { new, untracked } accept
udp dport 67 ct state { new, untracked } accept
udp dport 547 ct state { new, untracked } accept
tcp dport 8080 ct state { new, untracked } accept
tcp dport 8081 ct state { new, untracked } accept
udp dport 5000 ct state { new, untracked } accept
}
chain filter_IN_public_post {
}
chain mangle_PRE_public {
jump mangle_PRE_public_pre
jump mangle_PRE_public_log
jump mangle_PRE_public_deny
jump mangle_PRE_public_allow
jump mangle_PRE_public_post
}
chain mangle_PRE_public_pre {
}
chain mangle_PRE_public_log {
}
chain mangle_PRE_public_deny {
}
chain mangle_PRE_public_allow {
}
chain mangle_PRE_public_post {
}
chain filter_FWDI_public {
jump filter_FWDI_public_pre
jump filter_FWDI_public_log
jump filter_FWDI_public_deny
jump filter_FWDI_public_allow
jump filter_FWDI_public_post
meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_FWDI_public_pre {
}
chain filter_FWDI_public_log {
}
chain filter_FWDI_public_deny {
}
chain filter_FWDI_public_allow {
}
chain filter_FWDI_public_post {
}
chain filter_FWDO_public {
jump filter_FWDO_public_pre
jump filter_FWDO_public_log
jump filter_FWDO_public_deny
jump filter_FWDO_public_allow
jump filter_FWDO_public_post
}
chain filter_FWDO_public_pre {
}
chain filter_FWDO_public_log {
}
chain filter_FWDO_public_deny {
}
chain filter_FWDO_public_allow {
}
chain filter_FWDO_public_post {
}
chain raw_PRE_trusted {
jump raw_PRE_trusted_pre
jump raw_PRE_trusted_log
jump raw_PRE_trusted_deny
jump raw_PRE_trusted_allow
jump raw_PRE_trusted_post
}
chain raw_PRE_trusted_pre {
}
chain raw_PRE_trusted_log {
}
chain raw_PRE_trusted_deny {
}
chain raw_PRE_trusted_allow {
}
chain raw_PRE_trusted_post {
}
chain mangle_PRE_trusted {
jump mangle_PRE_trusted_pre
jump mangle_PRE_trusted_log
jump mangle_PRE_trusted_deny
jump mangle_PRE_trusted_allow
jump mangle_PRE_trusted_post
}
chain mangle_PRE_trusted_pre {
}
chain mangle_PRE_trusted_log {
}
chain mangle_PRE_trusted_deny {
}
chain mangle_PRE_trusted_allow {
}
chain mangle_PRE_trusted_post {
}
chain filter_IN_trusted {
jump filter_IN_trusted_pre
jump filter_IN_trusted_log
jump filter_IN_trusted_deny
jump filter_IN_trusted_allow
jump filter_IN_trusted_post
accept
}
chain filter_IN_trusted_pre {
}
chain filter_IN_trusted_log {
}
chain filter_IN_trusted_deny {
}
chain filter_IN_trusted_allow {
}
chain filter_IN_trusted_post {
}
chain filter_FWDI_trusted {
jump filter_FWDI_trusted_pre
jump filter_FWDI_trusted_log
jump filter_FWDI_trusted_deny
jump filter_FWDI_trusted_allow
jump filter_FWDI_trusted_post
accept
}
chain filter_FWDI_trusted_pre {
}
chain filter_FWDI_trusted_log {
}
chain filter_FWDI_trusted_deny {
}
chain filter_FWDI_trusted_allow {
}
chain filter_FWDI_trusted_post {
}
chain filter_FWDO_trusted {
jump filter_FWDO_trusted_pre
jump filter_FWDO_trusted_log
jump filter_FWDO_trusted_deny
jump filter_FWDO_trusted_allow
jump filter_FWDO_trusted_post
accept
}
chain filter_FWDO_trusted_pre {
}
chain filter_FWDO_trusted_log {
}
chain filter_FWDO_trusted_deny {
}
chain filter_FWDO_trusted_allow {
}
chain filter_FWDO_trusted_post {
}
}
```
[^CompareFirewalld]: **[Medium]** [Compare: Firewalld / Iptables / Nftables / Netfilter](https://medium.com/@iced_burn/compare-firewalld-iptables-nftables-netfilter-de08a8d21b5b)
[^why-nftables]: **[The Urban Penguin]** [Why nftables?](https://www.theurbanpenguin.com/why-nftables/)