<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://wiki.scott5.org/index.php?action=history&amp;feed=atom&amp;title=Nftables</id>
	<title>Nftables - Revision history</title>
	<link rel="self" type="application/atom+xml" href="https://wiki.scott5.org/index.php?action=history&amp;feed=atom&amp;title=Nftables"/>
	<link rel="alternate" type="text/html" href="https://wiki.scott5.org/index.php?title=Nftables&amp;action=history"/>
	<updated>2026-07-03T20:34:40Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.43.1</generator>
	<entry>
		<id>https://wiki.scott5.org/index.php?title=Nftables&amp;diff=1870&amp;oldid=prev</id>
		<title>Scott: /* TRAVEL SCENARIO: my current IP can&#039;t SSH in */</title>
		<link rel="alternate" type="text/html" href="https://wiki.scott5.org/index.php?title=Nftables&amp;diff=1870&amp;oldid=prev"/>
		<updated>2026-07-02T22:56:25Z</updated>

		<summary type="html">&lt;p&gt;&lt;span class=&quot;autocomment&quot;&gt;TRAVEL SCENARIO: my current IP can&amp;#039;t SSH in&lt;/span&gt;&lt;/p&gt;
&lt;table style=&quot;background-color: #fff; color: #202122;&quot; data-mw=&quot;interface&quot;&gt;
				&lt;col class=&quot;diff-marker&quot; /&gt;
				&lt;col class=&quot;diff-content&quot; /&gt;
				&lt;col class=&quot;diff-marker&quot; /&gt;
				&lt;col class=&quot;diff-content&quot; /&gt;
				&lt;tr class=&quot;diff-title&quot; lang=&quot;en&quot;&gt;
				&lt;td colspan=&quot;2&quot; style=&quot;background-color: #fff; color: #202122; text-align: center;&quot;&gt;← Older revision&lt;/td&gt;
				&lt;td colspan=&quot;2&quot; style=&quot;background-color: #fff; color: #202122; text-align: center;&quot;&gt;Revision as of 22:56, 2 July 2026&lt;/td&gt;
				&lt;/tr&gt;&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot; id=&quot;mw-diff-left-l49&quot;&gt;Line 49:&lt;/td&gt;
&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot;&gt;Line 49:&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;Options, in order of preference:&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;Options, in order of preference:&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;# &#039;&#039;&#039;&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;UCI &lt;/del&gt;VPN&#039;&#039;&#039; — connect, then SSH from the VPN address (&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;10.0.0.0/8 and &lt;/del&gt;campus ranges are in &amp;lt;code&amp;gt;$ssh_nets_v4&amp;lt;/code&amp;gt;).&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;# &#039;&#039;&#039;VPN&#039;&#039;&#039; — connect, then SSH from the VPN address (campus ranges are in &amp;lt;code&amp;gt;$ssh_nets_v4&amp;lt;/code&amp;gt;).&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;# &amp;#039;&amp;#039;&amp;#039;IPMI console&amp;#039;&amp;#039;&amp;#039; — log in via BMC, then fix from the console.&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;# &amp;#039;&amp;#039;&amp;#039;IPMI console&amp;#039;&amp;#039;&amp;#039; — log in via BMC, then fix from the console.&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;# &amp;#039;&amp;#039;&amp;#039;Temporary runtime rule&amp;#039;&amp;#039;&amp;#039; from the console (does NOT survive reload/reboot):&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;# &amp;#039;&amp;#039;&amp;#039;Temporary runtime rule&amp;#039;&amp;#039;&amp;#039; from the console (does NOT survive reload/reboot):&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;</summary>
		<author><name>Scott</name></author>
	</entry>
	<entry>
		<id>https://wiki.scott5.org/index.php?title=Nftables&amp;diff=1868&amp;oldid=prev</id>
		<title>Scott: Created page with &quot;= nftables Cheat Sheet =  Config: &lt;code&gt;/etc/nftables.conf&lt;/code&gt; · table &lt;code&gt;inet filter&lt;/code&gt; · chains &lt;code&gt;input&lt;/code&gt; / &lt;code&gt;forward&lt;/code&gt; / &lt;code&gt;output&lt;/code&gt;  Input policy is &#039;&#039;&#039;drop&#039;&#039;&#039;; SSH allowed only from &lt;code&gt;$ssh_nets_v4&lt;/code&gt;.  Out-of-band rescue: IPMI/BMC console (H5Viewer or Serial-over-LAN).  == Everyday commands ==  &lt;syntaxhighlight lang=&quot;bash&quot;&gt; # Syntax-check the config WITHOUT applying (always do this first) sudo nft -c -f /etc/nftables.con...&quot;</title>
		<link rel="alternate" type="text/html" href="https://wiki.scott5.org/index.php?title=Nftables&amp;diff=1868&amp;oldid=prev"/>
		<updated>2026-07-02T22:49:24Z</updated>

		<summary type="html">&lt;p&gt;Created page with &amp;quot;= nftables Cheat Sheet =  Config: &amp;lt;code&amp;gt;/etc/nftables.conf&amp;lt;/code&amp;gt; · table &amp;lt;code&amp;gt;inet filter&amp;lt;/code&amp;gt; · chains &amp;lt;code&amp;gt;input&amp;lt;/code&amp;gt; / &amp;lt;code&amp;gt;forward&amp;lt;/code&amp;gt; / &amp;lt;code&amp;gt;output&amp;lt;/code&amp;gt;  Input policy is &amp;#039;&amp;#039;&amp;#039;drop&amp;#039;&amp;#039;&amp;#039;; SSH allowed only from &amp;lt;code&amp;gt;$ssh_nets_v4&amp;lt;/code&amp;gt;.  Out-of-band rescue: IPMI/BMC console (H5Viewer or Serial-over-LAN).  == Everyday commands ==  &amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt; # Syntax-check the config WITHOUT applying (always do this first) sudo nft -c -f /etc/nftables.con...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;= nftables Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
Config: &amp;lt;code&amp;gt;/etc/nftables.conf&amp;lt;/code&amp;gt; · table &amp;lt;code&amp;gt;inet filter&amp;lt;/code&amp;gt; · chains &amp;lt;code&amp;gt;input&amp;lt;/code&amp;gt; / &amp;lt;code&amp;gt;forward&amp;lt;/code&amp;gt; / &amp;lt;code&amp;gt;output&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Input policy is &amp;#039;&amp;#039;&amp;#039;drop&amp;#039;&amp;#039;&amp;#039;; SSH allowed only from &amp;lt;code&amp;gt;$ssh_nets_v4&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
Out-of-band rescue: IPMI/BMC console (H5Viewer or Serial-over-LAN).&lt;br /&gt;
&lt;br /&gt;
== Everyday commands ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# Syntax-check the config WITHOUT applying (always do this first)&lt;br /&gt;
sudo nft -c -f /etc/nftables.conf&lt;br /&gt;
&lt;br /&gt;
# Check + reload in one line (reload only runs if check passes)&lt;br /&gt;
sudo nft -c -f /etc/nftables.conf &amp;amp;&amp;amp; sudo systemctl reload nftables&lt;br /&gt;
&lt;br /&gt;
# Show the live ruleset&lt;br /&gt;
sudo nft list ruleset&lt;br /&gt;
&lt;br /&gt;
# Show live ruleset WITH handles (needed for deleting single rules)&lt;br /&gt;
sudo nft -a list ruleset&lt;br /&gt;
&lt;br /&gt;
# Just the input chain&lt;br /&gt;
sudo nft list chain inet filter input&lt;br /&gt;
&lt;br /&gt;
# Service status / enabled at boot?&lt;br /&gt;
systemctl status nftables&lt;br /&gt;
systemctl is-enabled nftables&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Am I being firewalled? (diagnosis) ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# Watch the drop log live (rules log with prefix &amp;quot;nft drop: &amp;quot;)&lt;br /&gt;
sudo journalctl -kf | grep &amp;#039;nft drop&amp;#039;&lt;br /&gt;
&lt;br /&gt;
# Recent drops&lt;br /&gt;
sudo journalctl -k --since &amp;quot;1 hour ago&amp;quot; | grep &amp;#039;nft drop&amp;#039;&lt;br /&gt;
&lt;br /&gt;
# Counters: add a counter to a rule temporarily, or check conntrack&lt;br /&gt;
sudo conntrack -L | grep &amp;lt;ip&amp;gt;        # is there an established session?&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Remember: broadcast/multicast is dropped &amp;#039;&amp;#039;&amp;#039;silently&amp;#039;&amp;#039;&amp;#039; (no log). Everything else that&amp;#039;s dropped is logged at max 5/minute — absence of log lines does not mean absence of drops during a flood.&lt;br /&gt;
&lt;br /&gt;
== TRAVEL SCENARIO: my current IP can&amp;#039;t SSH in ==&lt;br /&gt;
&lt;br /&gt;
Options, in order of preference:&lt;br /&gt;
&lt;br /&gt;
# &amp;#039;&amp;#039;&amp;#039;UCI VPN&amp;#039;&amp;#039;&amp;#039; — connect, then SSH from the VPN address (10.0.0.0/8 and campus ranges are in &amp;lt;code&amp;gt;$ssh_nets_v4&amp;lt;/code&amp;gt;).&lt;br /&gt;
# &amp;#039;&amp;#039;&amp;#039;IPMI console&amp;#039;&amp;#039;&amp;#039; — log in via BMC, then fix from the console.&lt;br /&gt;
# &amp;#039;&amp;#039;&amp;#039;Temporary runtime rule&amp;#039;&amp;#039;&amp;#039; from the console (does NOT survive reload/reboot):&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# Allow one address into SSH, inserted before the drop logic takes effect&lt;br /&gt;
sudo nft insert rule inet filter input ip saddr &amp;lt;MY.IP.ADDR.HERE&amp;gt;/32 tcp dport 22 ct state new accept&lt;br /&gt;
&lt;br /&gt;
# Verify&lt;br /&gt;
sudo nft list chain inet filter input&lt;br /&gt;
&lt;br /&gt;
# Remove it later: find its handle, then delete&lt;br /&gt;
sudo nft -a list chain inet filter input&lt;br /&gt;
sudo nft delete rule inet filter input handle &amp;lt;N&amp;gt;&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
For a permanent change, edit &amp;lt;code&amp;gt;$ssh_nets_v4&amp;lt;/code&amp;gt; in &amp;lt;code&amp;gt;/etc/nftables.conf&amp;lt;/code&amp;gt;, check, reload (see above). Runtime rules are lost on the next &amp;lt;code&amp;gt;reload&amp;lt;/code&amp;gt; because the config starts with &amp;lt;code&amp;gt;flush ruleset&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Emergency: firewall is broken / I need it out of the way ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# From the IPMI console ONLY — this leaves the box wide open:&lt;br /&gt;
sudo nft flush ruleset&lt;br /&gt;
&lt;br /&gt;
# Restore known-good config&lt;br /&gt;
sudo nft -c -f /etc/nftables.conf &amp;amp;&amp;amp; sudo nft -f /etc/nftables.conf&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Reload interactions ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;code&amp;gt;flush ruleset&amp;lt;/code&amp;gt; (any reload) &amp;#039;&amp;#039;&amp;#039;wipes fail2ban&amp;#039;s ban sets&amp;#039;&amp;#039;&amp;#039; too. Restore them: &amp;lt;code&amp;gt;sudo systemctl restart fail2ban&amp;lt;/code&amp;gt;&lt;br /&gt;
* Established connections (incl. your live SSH session) survive reloads — they match &amp;lt;code&amp;gt;ct state established&amp;lt;/code&amp;gt;, not the &amp;lt;code&amp;gt;new&amp;lt;/code&amp;gt; rules.&lt;br /&gt;
&lt;br /&gt;
== After-reboot sanity check ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
systemctl is-active nftables &amp;amp;&amp;amp; sudo nft list ruleset | head -20&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Empty ruleset after boot = config failed to parse = sshd exposed to everything. Check &amp;lt;code&amp;gt;journalctl -u nftables -b&amp;lt;/code&amp;gt; for the parse error.&lt;br /&gt;
&lt;br /&gt;
== Config gotchas (this file specifically) ==&lt;br /&gt;
&lt;br /&gt;
* Comment block and &amp;lt;code&amp;gt;define ssh_nets_v4&amp;lt;/code&amp;gt; must be kept in sync — every CIDR needs a documented reason.&lt;br /&gt;
* ICMPv6 rules are load-bearing: IPv6 breaks without NDP/PMTU. Don&amp;#039;t trim.&lt;br /&gt;
* &amp;lt;code&amp;gt;output&amp;lt;/code&amp;gt; policy is accept (egress open) — intentional, matches old script.&lt;br /&gt;
* SSH rate-limiting is fail2ban&amp;#039;s job, not nft&amp;#039;s. Don&amp;#039;t add limit rules to the SSH accept line; they&amp;#039;ll fight with ThinLinc multi-connections.&lt;br /&gt;
&lt;br /&gt;
[[Category:Sysadmin]]&lt;br /&gt;
[[Category:Cheat sheets]]&lt;/div&gt;</summary>
		<author><name>Scott</name></author>
	</entry>
</feed>