# In The Name Of Allah .
# -- --- ---- -- ----- -
# Fri Jan 22 05:48:48 2021
# Written By : zer0err0r .
# ======= == = ========= =

# 2, Lets Create A Basic SPI Firewall .
= We will create a new [table], then a [chain], then define our [rules] .
= The ruleset that we will write represents a basic stateful_packet_inspection[SPI] firewall .

# First, Create a table :
$ nft add table inet filter

# As you see :
= We said that NFTables doesn't come with predefined chains ,
= So, It looks like it doesn't come with predefined tables either .
= The previous line defines a new table and names it [filter] .
= You can change this name if you want to, But we want it to be similar to IPTables so it is familiar .

# Also :
= The [inet] family represents ipv4 and ipv6 .

# Then, Create a chain :
$ nft add chain inet filter input { type filter hook input priority 0 \; policy accept \; }

# As you see :
= [input] is just a name for the chain, We called it that so it looks like the IPTables INPUT chain .
= The semicolons are escaped with a backslash to avoid being interpreted by bash .

# Also :
= The chain [type] is set to [filter] .
= Other values of [type] are [route, nat] .

# Notice :
= In IPTables, The table is the one that is defined as [filter, route, nat...] ,
= In NFTables, We define this on the chain .

# Also :
= The [hook] is set to [input] .
= Other values of [hook] are [prerouting, forward, output, postrouting, ingress] .

# Also :
= [policy accept] represents the policy of this chain, Which [accept]s all connections by default .
= To drop we use [drop] .
= Using [accept] instead of [drop] avoids terminating active SSH connections .

# For more details about them go to :
$ man nft

# Finally, Lets create our ruleset :
$ nft add rule inet filter input iif lo accept
$ nft add rule inet filter input ct state established,related accept
$ nft add rule inet filter input tcp dport 22 accept
$ nft add rule inet filter input counter drop

# As you see :
= This is a basic firewall ruleset .
= It's the NFTables version of the centos6 default stateful_packet_inspection[SPI] ruleset .

# First line :
= Allows traffic on the loopback interface .

# Second line :
= Allows incoming[inbound] traffic that belongs to connections started by our own outbound requests .

# Third line :
= Allows inbound SSH traffic on TCP port [22] .
= This line allows [NEW] SSH connections instead of allowing only [established, related] SSH connections .

# Fourth line :
= [drop]s all remaining packets, And adds a [count]er to view how many packets were dropped .

# Again, These are our NFTables commands :
$ nft flush ruleset
$ nft add table inet filter
$ nft add chain inet filter input { type filter hook input priority 0 \; policy accept \; }
$ nft add rule inet filter input iif lo accept
$ nft add rule inet filter input ct state established,related accept
$ nft add rule inet filter input tcp dport 22 accept
$ nft add rule inet filter input counter drop

# In IPTables, This represents :
$ iptables -P INPUT ACCEPT
$ iptables -F
$ iptables -A INPUT -i lo -j ACCEPT
$ iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
$ iptables -P INPUT DROP
$ iptables -P FORWARD DROP
$ iptables -P OUTPUT ACCEPT

# Then, Lets review them .
$ nft list ruleset
table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
		iif "lo" accept
		ct state established,related accept
		tcp dport 22 accept
		counter packets 14 bytes 1847 drop
	}
}

# ===== == ==== ======== =
# Peace Be Up0n Muhammed .
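# Added example (not part of the note above) :
= The same SPI ruleset written as one nft script, So `nft -f` loads it in a single transaction, Plus a small helper that reads the [count]er of the drop rule out of `nft list ruleset` output so dropped traffic can be watched over time .
= The sample ruleset output inside the script is constructed to match what the note shows .

```shell
# Added example, not from the note: the note's SPI ruleset as an atomic nft script,
# plus a helper that reads the drop counter out of `nft list ruleset` output.

# Emit the ruleset in nft script syntax. `nft -f` applies the whole file in one
# transaction, so the established,related rule and the final drop rule take effect
# at the same instant; there is no window in which an active SSH session could be
# cut off, which is the reason the note keeps `policy accept` while adding rules.
spi_ruleset() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 accept
        counter drop
    }
}
EOF
}

# Read `nft list ruleset` output on stdin and print "<packets> <bytes>" taken from
# the `counter ... drop` line; prints "0 0" when no such line is present.
drop_counter() {
    awk '/counter packets [0-9]+ bytes [0-9]+ drop/ {
             for (i = 1; i <= NF; i++) {
                 if ($i == "packets") p = $(i + 1)
                 if ($i == "bytes") b = $(i + 1)
             }
             found = 1
         }
         END { if (found) print p, b; else print "0 0" }'
}

# Constructed sample of `nft list ruleset` output, copied from what the note shows.
SAMPLE_RULESET='table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 accept
        counter packets 14 bytes 1847 drop
    }
}'

# As root on a host with nft installed (check the file first, then load it):
#   spi_ruleset > /tmp/spi.nft && nft -c -f /tmp/spi.nft && nft -f /tmp/spi.nft
#   nft list ruleset | drop_counter
```

= Running `nft list ruleset | drop_counter` from cron and recording the numbers gives a simple baseline, So a sudden jump in dropped packets stands out .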