Additional firewall filters via nftables

In addition to the PLCnext Technology filter table, you can activate other filter tables. This might be necessary if you require certain functions that are not supported by the firewall configuration via the WBM.

This additional configuration is implemented via independent filter tables. You have to create the required functions via nftables commands. To do so, you can edit a rule set directly on the controller using a text editor, or transfer the file to a PC, change it there, and load it onto the controller.

For detailed information on this Linux feature, refer to the nftables documentation.

Here you see a set of firewall filter files that is present in the /etc/nftables directory on a PLCnext Control:

Figure: nftables files

Displaying active firewall filters

If an additional filter table is active, this is displayed as a warning message in the System Message area. The warning contains the designations of all additionally loaded filter tables.

To display all the activated filter tables, click Show Rules in the System Status area of the WBM.

Here you see a setup with two active filter settings:

Figure: more than one active filter file

Configuring the firewall with an additional filter via nftables

If you wish to configure the firewall with additional filter tables, you need the admin user role with the command sudo.

nftables is administered via shell by these commands:

  • nft list tables
    List all active filter tables.
  • nft delete/flush/list table <table>
    Delete/empty/list a filter table.
    Example for emptying a filter table:
    admin@device:/dir$ sudo nft flush table loadfilter
  • nft flush ruleset
    Delete all active filter settings.
  • nft list table <table> --handle
    nft delete rule [<family>] <table> <chain> [handle <handle>]
    Delete a predefined rule by means of its handle number. First, use nft list table <table> --handle to list the handle numbers of the present rules.
    Example:
    admin@device:/dir$ sudo nft list table loadfilter --handle
    Then you can delete the desired rule via its handle number.
    Example:
    admin@device:/dir$ sudo nft delete rule filter input handle 90
  • nft -f <filter-file>
    Load the content of a filter table from a file.
    Example:
    admin@device:/dir$ sudo nft -f loadfilter.rules
  • nft list table <table> > <file>
    Save the content of a filter table to a file.
    Example:
    admin@device:/dir$ sudo nft list table loadfilter > loadfilter.rules

Implementing an additional filter table

Note: To issue the following commands, you need the Admin user role with the command sudo, or access to the controller with root rights.

  • Empty the active rules configuration by entering this command in the shell:
    nft flush ruleset
  • Create another independent filter table using command
    nft add table <family> <tablename>
    Example:
    admin@device:/dir$ sudo nft add table ip loadfilter
  • Add an Input Chain of filter type and a hook input to the created table.
    Use the following command:
    nft add chain [<family>] <table> <name> { type <type> hook <hook> [device <device>] priority <priority> \; }
    Example:
    admin@device:/dir$ sudo nft add chain ip loadfilter input_limiter { type filter hook input priority 0 \; }
  • Limit the network load:
    • Limit the number of packets and indicate the protocol the limit applies to (icmp, tcp, udp, udplite, ip).
      Example: admin@device:/dir$ sudo nft add rule loadfilter input_limiter icmp type echo-request limit rate 10/second accept
    • Limit the data rate (bytes/second, mbytes/second, mbytes/minute).
      Examples:
      admin@device:/dir$ sudo nft add rule loadfilter input_limiter limit rate 10 mbytes/second accept
      or
      admin@device:/dir$ sudo nft add rule loadfilter input_limiter limit rate over 10 mbytes/second drop
  • When adding a rule, select the Ethernet interface to which the rule is to be applied with iif <network interface>.
    Example: admin@device:/dir$ sudo nft add rule loadfilter input_limiter iif eth0 icmp type echo-request limit rate over 100 bytes/minute drop
  • To count packets or display the throughput of bytes, use one of the following commands:
    • For all incoming packets:
      nft add rule <table> <chain> counter
      Example:
      admin@device:/dir$ sudo nft add rule loadfilter input_limiter counter
      Note:
      For the Accept action: accepted packets are counted.
      For the Drop action: blocked (dropped) packets are counted.
    • For a certain protocol:
      nft add rule <table> <chain> counter ip protocol <protocol>
      Example:
      admin@device:/dir$ sudo nft add rule loadfilter
  • To drop or accept the data traffic for a certain protocol, use the following commands:
    nft add rule <table> <chain> ip protocol <protocol> accept/drop
    Example:
    admin@device:/dir$ sudo nft add rule loadfilter input_limiter ip protocol udp accept
    or
    admin@device:/dir$ sudo nft add rule loadfilter input_limiter ip protocol udplite drop

Example of a simple filter file:

table ip loadfilter {
    chain input_limiter {
        type filter hook input priority 0; policy drop;
        icmp type echo-request accept
        tcp dport ssh accept comment "allow ssh for remote access"
    }
    chain output_limiter {
        type filter hook output priority 0; policy drop;
        icmp type echo-request accept
    }
}
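As an added example (not part of the PLCnext documentation), the following loadfilter.rules file combines the rule types from the steps above with the simple filter file, so that it can be loaded with sudo nft -f loadfilter.rules. It replaces only its own table, leaving the PLCnext Technology filter table untouched, and it assumes the interface name eth0 and SSH on port 22.

```nft
#!/usr/sbin/nft -f
# Added example for a PLCnext Control, not from the product documentation.
# Assumptions: the Ethernet interface is eth0 and SSH listens on port 22.

# Create the table if it is missing, then empty it, so that re-loading the
# file replaces the previous rules instead of appending duplicates. Unlike
# 'flush ruleset', this keeps the WBM firewall table intact.
add table ip loadfilter
flush table ip loadfilter

table ip loadfilter {
    chain input_limiter {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state invalid counter drop

        # Ping on eth0: at most 10 echo requests per second; the excess is
        # dropped and counted (visible with 'nft list table loadfilter').
        # These rules come before the conntrack rule below, otherwise later
        # requests of the same ping flow would be accepted as "established".
        iif eth0 icmp type echo-request limit rate 10/second accept
        iif eth0 icmp type echo-request counter drop

        # Cap the remaining inbound load at 10 MB/s; over-limit packets are
        # dropped and counted.
        limit rate over 10 mbytes/second counter drop

        # Replies to connections the controller opened itself.
        ct state established,related accept

        # SSH for administration, counted.
        tcp dport 22 ct state new counter accept comment "allow ssh"

        # Per-protocol handling: UDP counted and accepted, UDP-Lite dropped.
        ip protocol udp counter accept
        ip protocol udplite counter drop
    }

    chain output_limiter {
        type filter hook output priority 0; policy drop;
        oif lo accept
        # Without this rule the replies of the SSH and UDP sessions accepted
        # above would be dropped on the way out.
        ct state established,related accept
        icmp type echo-request accept
    }
}
```

Check the file for syntax errors first with sudo nft -c -f loadfilter.rules; it is only applied when loaded without -c.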

Related Topics

  1. Security - Firewall