Additional firewall filters via nftables
In addition to the PLCnext Technology filter table, you can activate other filter tables. This might be necessary if you require certain functions that are not supported by the firewall configuration via the WBM.
This additional configuration is implemented via independent filter tables. You have to create the required functions via nftables commands. For this, you can edit a rule set in Linux using a text editor, or load the file onto a PC and change it there.
For detailed information on this Linux feature, refer to the nftables documentation.
Here you see a set of firewall filter files that is present in the /etc/nftables directory on a PLCnext Control:
Displaying active firewall filters
If an additional filter table is active, this is displayed as a warning message in the System Message area. The warning contains the designations of all additionally loaded filter tables.
To display all the activated filter tables, click on the System Status area in the WBM. Here you see a setup with two active filter settings:
Configuring the firewall with an additional filter via nftables
If you wish to configure the firewall with additional filter tables, you need the admin user role with the command sudo.
nftables is administered via shell by these commands:
| Command | Description |
|---|---|
| `nft list tables` | List all active filter tables |
| `nft delete/flush/list table <table>` | Delete/empty/list a filter table. Example for emptying a filter table: `admin@device:/dir$ sudo nft flush table loadfilter` |
| `nft flush ruleset` | Delete all active filter settings |
| `nft list table <table> --handle` and `nft delete rule [<family>] <table> <chain> [handle <handle>]` | Delete a predefined rule by means of its handle number. First, use the list command to display the handle numbers of the present rules. Example: `admin@device:/dir$ sudo nft list table loadfilter --handle`. Then delete the desired rule via its handle number. Example: `admin@device:/dir$ sudo nft delete rule filter input handle 90` |
| `nft -f <filter-file>` | Load the content of a filter table from a file. Example: `admin@device:/dir$ sudo nft -f loadfilter.rules` |
| `nft list table <table> > <file>` | Save the content of a filter table to a file. Example: `admin@device:/dir$ sudo nft list table loadfilter > loadfilter.rules` |
Implementing an additional filter table
Requirement: the admin user role with sudo, or access to the controller with root rights.
- Empty the active rules configuration by entering this command in the shell: `nft flush ruleset`
- Create another independent filter table using the command `nft add table <family> <tablename>`. Example: `admin@device:/dir$ sudo nft add table ip loadfilter`
- Add an input chain of type filter with hook input to the created table. Use the following command: `nft add chain [<family>] <table> <name> { type <type> hook <hook> [device <device>] priority <priority> \; }`. Example: `admin@device:/dir$ sudo nft add chain ip loadfilter input_limiter { type filter hook input priority 0 \; }`
- Limit the network load:
  - Limit the number of packets and indicate the parameters (icmp, tcp, udp, udplite, ip). Example: `admin@device:/dir$ sudo nft add rule loadfilter input_limiter icmp type echo-request limit rate 10/second accept`
  - Limit the data rate (bytes/second, mbytes/second, mbytes/minute). Examples: `admin@device:/dir$ sudo nft add rule loadfilter input_limiter limit rate 10 mbytes/second accept` or `admin@device:/dir$ sudo nft add rule loadfilter input_limiter limit rate over 10 mbytes/second drop`
  - When adding a rule, select the Ethernet interface to which the rule is to be applied with `iif <network interface>`. Example: `admin@device:/dir$ sudo nft add rule loadfilter input_limiter iif eth0 icmp type echo-request limit rate over 100 bytes/minute drop`
- To count packets or display the throughput of bytes, use one of the following commands:
  - For all incoming packets: `nft add rule <table> <chain> counter`. Example: `admin@device:/dir$ sudo nft add rule loadfilter input_limiter counter`. Note: for the accept action, accepted packets are counted; for the drop action, blocked (dropped) packets are counted.
  - For a certain protocol: `nft add rule <table> <chain> counter ip protocol <protocol>`. Example: `admin@device:/dir$ sudo nft add rule loadfilter`
- To drop or accept the data traffic for a certain protocol, use the following command: `nft add rule <table> <chain> ip protocol <protocol> accept/drop`. Examples: `admin@device:/dir$ sudo nft add rule loadfilter input_limiter ip protocol udp accept` or `admin@device:/dir$ sudo nft add rule loadfilter input_limiter ip protocol udplite drop`
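As an added example (not part of the PLCnext documentation), the following Python script parses the output of `nft list table <table> --handle` described above, builds the `nft delete rule ... handle <n>` commands for the rules you want to remove, and flags rules that are not bound to an interface with `iif`. The listing it parses is a constructed sample; the exact quoting of interface names in real `nft` output varies by version.

```python
import re
from typing import Callable, Dict, List

# Constructed sample of `sudo nft list table ip loadfilter --handle` output
# (written for this example, not captured from a real PLCnext Control).
SAMPLE_LISTING = """\
table ip loadfilter { # handle 5
    chain input_limiter { # handle 1
        type filter hook input priority 0; policy accept;
        iif "eth0" icmp type echo-request limit rate over 100 bytes/minute drop # handle 2
        limit rate over 10 mbytes/second drop # handle 3
        ip protocol udplite drop # handle 4
        counter packets 1200 bytes 96000 # handle 6
    }
}
"""

TABLE_RE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*\{")
CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{")
RULE_RE = re.compile(r"^(?P<rule>.+?)\s*#\s*handle\s+(?P<handle>\d+)$")

def parse_handles(listing: str) -> List[Dict]:
    """Map every rule of an `nft list table --handle` listing to its handle number."""
    family = table = chain = None
    rules: List[Dict] = []
    for raw in listing.splitlines():
        line = raw.strip()
        if line == "}":
            chain = None  # a closing brace ends the current chain (or the table)
        elif m := TABLE_RE.match(line):
            family, table = m.groups()
        elif m := CHAIN_RE.match(line):
            chain = m.group(1)
        elif chain and not line.startswith("type ") and (m := RULE_RE.match(line)):
            # the chain header (type/hook/priority/policy) carries no rule handle
            rules.append({"family": family, "table": table, "chain": chain,
                          "rule": m.group("rule"), "handle": int(m.group("handle"))})
    return rules

def delete_commands(rules: List[Dict], match: Callable[[str], bool]) -> List[str]:
    """Build the `nft delete rule <family> <table> <chain> handle <n>` commands
    for every rule whose text satisfies `match` (the page's handle-based deletion)."""
    return [f"nft delete rule {r['family']} {r['table']} {r['chain']} handle {r['handle']}"
            for r in rules if match(r["rule"])]

def unscoped_rules(rules: List[Dict]) -> List[Dict]:
    """Rules without an `iif` match: they apply to every interface of the controller,
    not only the one the operator meant to rate-limit."""
    return [r for r in rules if not re.search(r"\biif\b", r["rule"])]
```

Run the generated delete commands with `sudo` on the controller only after reviewing them; the parser never executes anything itself.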
Example of a simple filter file:

```nft
table ip loadfilter {
    chain input_limiter {
        type filter hook input priority 0; policy drop;
        icmp type echo-request accept
        tcp dport ssh accept comment "allow ssh for remote access"
    }
    chain output_limiter {
        type filter hook output priority 0; policy drop;
        icmp type echo-request accept
        # with policy drop on the output hook, the replies to the traffic
        # accepted above must be allowed as well, or ping and SSH cannot work
        icmp type echo-reply accept
        tcp sport ssh accept comment "allow ssh replies for remote access"
    }
}
```