root 5 jaren geleden
bovenliggende
commit
e0149998c8
9 gewijzigde bestanden met toevoegingen van 367 en 17 verwijderingen
  1. 6 0
      README.md
  2. 1 1
      if-pre-up.d/iptables
  3. 3 0
      if-pre-up.d/nftables
  4. 10 10
      iptables.up.rules
  5. 102 0
      nftables.test.rules
  6. 107 0
      nftables.test.rules.save
  7. 102 0
      nftables.up.rules
  8. 6 6
      rsyslog.d/30-iptables.conf
  9. 30 0
      rsyslog.d/30-nftables.conf

+ 6 - 0
README.md

@@ -0,0 +1,6 @@
+# Translate iptables to nftables
+`sudo bash -c "iptables-restore-translate -f iptables.up.rules > nftables.up.rules`
+
+# Load rules
+`nft -f nftables.up.rules`
+* For nftables no longer use "/etc/network/iuf-pre-up.d/", but modify "ExecStart" and "ExecReload" in "lib/systemd/system/nftables.service", or symlink the nftables.up.rules over "/etc/nftables.conf".

+ 1 - 1
if-pre-up.d/iptables

@@ -1,3 +1,3 @@
 #!/bin/sh
-/sbin/iptables-restore /etc/iptables.up.rules
+/sbin/iptables-restore  /etc/netfilter-config/iptables.up.rules
 
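Review bot: The restore at L42 now reads from a non-default directory, /etc/netfilter-config/, and nothing in the commit states who may write there; because ifup runs this hook as root, the ownership and mode of that directory and file are the only thing separating "config file" from "rules anyone with write access chooses", so a comment such as `# /etc/netfilter-config must be root-owned, mode 0700; files 0600` belongs here. The double space before the path on L42 looks accidental and the same pattern appears on L50 of the new if-pre-up.d/nftables hook. If a missing file should fail the interface closed rather than silently, the script already does that through iptables-restore's exit status, which is worth stating in a comment so nobody "fixes" it.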

+ 3 - 0
if-pre-up.d/nftables

@@ -0,0 +1,3 @@
+#!/bin/sh
+/sbin/nft -f  /etc/netfilter-config/nftables.up.rules
+
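Review bot: This hook contradicts README.md L34, which says nftables should be loaded from the systemd unit rather than from if-pre-up.d; with both if-pre-up.d/iptables and this script installed, nftables.up.rules starts with `flush ruleset` (L335), and if the host's iptables is the nft-backed variant that flush also removes the tables iptables-restore just created, so whichever hook ifup runs last wins. Pick one loading mechanism; if this script stays, say so explicitly with `# Replaces the whole ruleset on every pre-up; do not combine with if-pre-up.d/iptables on an iptables-nft host` above L50. The trailing empty added line at L51 is harmless but looks unintentional.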

+ 10 - 10
iptables.up.rules

@@ -32,9 +32,9 @@
 #-A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 49152:65535 -j ACCEPT
 
 # SSH
--A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
--A INPUT -p tcp -m tcp --dport 22 -m limit --limit 5/min -m recent --rcheck --seconds 40 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "iptalbes dropped SSH flood: "
--A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 40 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
+#-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
+#-A INPUT -p tcp -m tcp --dport 22 -m limit --limit 5/min -m recent --rcheck --seconds 40 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "iptalbes dropped SSH flood: "
+#-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 40 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
 -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
 -A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 22 -j ACCEPT
 
@@ -60,14 +60,14 @@
 -A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
 
 # HTTP & HTTPS
--A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name HTTP --rsource
--A INPUT -p tcp -m tcp --dport 80 -m recent --rcheck --seconds 30 --hitcount 20 --rttl --name HTTP --rsource -j LOG --log-prefix "iptables dropped HTTP flood: " --log-level 4
--A INPUT -p tcp -m tcp --dport 80 -m recent --update --seconds 30 --hitcount 20 --rttl --name HTTP --rsource -j DROP
+#-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name HTTP --rsource
+#-A INPUT -p tcp -m tcp --dport 80 -m recent --rcheck --seconds 30 --hitcount 20 --rttl --name HTTP --rsource -j LOG --log-prefix "iptables dropped HTTP flood: " --log-level 4
+#-A INPUT -p tcp -m tcp --dport 80 -m recent --update --seconds 30 --hitcount 20 --rttl --name HTTP --rsource -j DROP
 -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "Tor dir port"
 -A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 80 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -m recent --set --name HTTPS --rsource
--A INPUT -p tcp -m tcp --dport 443 -m recent --rcheck --seconds 30 --hitcount 20 --rttl --name HTTPS --rsource -j LOG --log-prefix "iptables dropped HTTPS flood: " --log-level 4
--A INPUT -p tcp -m tcp --dport 443 -m recent --update --seconds 30 --hitcount 20 --rttl --name HTTPS --rsource -j DROP
+#-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -m recent --set --name HTTPS --rsource
+#-A INPUT -p tcp -m tcp --dport 443 -m recent --rcheck --seconds 30 --hitcount 20 --rttl --name HTTPS --rsource -j LOG --log-prefix "iptables dropped HTTPS flood: " --log-level 4
+#-A INPUT -p tcp -m tcp --dport 443 -m recent --update --seconds 30 --hitcount 20 --rttl --name HTTPS --rsource -j DROP
 -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "Tor OR port"
 -A OUTPUT -p tcp -m tcp --sport 32768:65535 --dport 443 -j ACCEPT
 
@@ -85,7 +85,7 @@
 #-A OUTPUT -p tcp -m tcp --sport 57448:65535 --dport 1080 -j ACCEPT
 
 # OpenVPN
--A INPUT -p udp -m udp --sport 32768:65535 --dport 1194 -j ACCEPT -m comment --comment "OpenVPN"
+#-A INPUT -p udp -m udp --sport 32768:65535 --dport 1194 -j ACCEPT -m comment --comment "OpenVPN"
 
 # Multicast DNS
 #-A OUTPUT -p udp -m udp --sport 5353 --dport 5353 -j clutter
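Review bot: Commenting out the three `-m recent` rules at L63–L65 removes the per-source throttle on new SSH connections and leaves L66 accepting port 22 from any address without limit; the HTTP/HTTPS hunk at L76–L86 does the same for ports 80 and 443, and the new nftables files carry no replacement (their SSH rule at L370 is a plain accept). If these were disabled because iptables-restore-translate cannot convert `-m recent`, the nftables side can express the same throttle with a dynamic set (`flags dynamic; timeout ...`) updated via `update @set { ip saddr limit rate ... }`, or the iptables lines could stay active while that file is still the one loaded. A one-line comment above L63 stating why the throttle is off would stop the next reader from assuming it still exists.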

+ 102 - 0
nftables.test.rules

@@ -0,0 +1,102 @@
+#!/usr/sbin/nft -f
+
+# Well known ports      0:1023
+# Registered ports      1024:49151
+# Goldielocks zone      32768:65535
+# Dynamic/Private       49152:65535
+#
+# WAN			86.83.121.29
+# vps			185.66.250.42
+# tor-exit		185.87.185.45
+
+# To preent double enries when loading rules when rule smight already be present.
+flush ruleset
+
+# IPv6 specific
+#add table ip6 filter
+#add chain ip6 filter INPUT { type filter hook input priority 0; policy accept; }
+#add chain ip6 filter FORWARD { type filter hook forward priority 0; policy accept; }
+#add chain ip6 filter OUTPUT { type filter hook output priority 0; policy accept; }
+#add chain ip6 filter clutter
+
+# inet = IPv4 & IPv6 combined
+add table inet filter
+add chain inet filter INPUT { type filter hook input priority 0; policy accept; }
+add chain inet filter FORWARD { type filter hook forward priority 0; policy accept; }
+add chain inet filter OUTPUT { type filter hook output priority 0; policy accept; }
+add chain inet filter clutter
+
+# Local loopback
+add rule inet filter INPUT iifname != "lo" ip daddr 127.0.0.0/8 limit rate 5/minute burst 5 packets counter log prefix "iptables dropped 127.0.0.0/8," level debug
+add rule inet filter INPUT iifname != "lo" ip daddr 127.0.0.0/8 counter drop
+add rule inet filter INPUT iifname "lo" counter accept
+add rule inet filter OUTPUT oifname "lo" counter accept
+
+# Active connections
+add rule inet filter INPUT ct state related,established counter accept
+add rule inet filter OUTPUT ct state related,established counter accept
+
+# ICMPv6 accept neighbour discovery otherwise IPv6 connectivity breaks | Accept dynamic IPv6 configuration (DHCP) | Accept sending of listenerreport
+add rule inet filter INPUT ip6 nexthdr icmpv6 icmpv6 type { nd-redirect, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
+add rule inet filter OUTPUT ip6 nexthdr icmpv6 icmpv6 type { nd-redirect, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, echo-request, mld2-listener-report } accept # mld2-listener-report does not seem to work, TYPE 143 is not filtered out.
+add rule inet filter OUTPUT icmpv6 type { mld2-listener-report } accept	# Workaround for mld2-listener-report from the previous line
+
+# ICMP ping
+add rule inet filter OUTPUT icmp type echo-request counter accept
+
+# SSH
+add rule inet filter INPUT tcp sport 1024-65535 tcp dport 22 counter accept
+add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 22 counter accept
+
+# WHOIS
+add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 43 counter accept
+
+# DNS
+add rule inet filter OUTPUT udp sport 1024-65535 udp dport 53 counter accept
+add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 53 counter accept
+add rule inet filter INPUT udp sport 1024-65535 udp dport 53 counter accept
+add rule inet filter INPUT tcp sport 32768-65535 tcp dport 53 counter accept
+
+# DHCP client
+add rule inet filter INPUT ip daddr 255.255.255.255 udp sport 67 udp dport 68 counter accept
+add rule inet filter OUTPUT udp sport 68 udp dport 67 counter accept
+
+# HTTP(s)
+add rule inet filter INPUT tcp dport 80 counter accept
+add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 80 counter accept
+add rule inet filter INPUT tcp dport 443 counter accept
+add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 443 counter accept
+
+# NTP
+add rule inet filter OUTPUT udp sport 32768-65535 udp dport 123 counter accept
+
+# Privoxy
+add rule inet filter INPUT tcp sport 32768-65535 tcp dport 8118 counter accept comment "Privoxy"
+
+# OpenPGP HTTP Key servers
+add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 11371 counter accept comment "OpenPGP HTTP key servers"
+
+# Traceroute
+add rule inet filter OUTPUT udp sport 32768-65535 udp dport 6881-33534 counter accept comment "Traceroute"
+
+# Attacks, crawls, scans, etc to clutter chain
+add rule inet filter INPUT ip protocol icmp counter jump clutter
+add rule inet filter INPUT ip daddr 255.255.255.255 counter jump clutter comment "Broadcast messages"
+add rule inet filter INPUT udp dport 19 counter jump clutter comment "Character generator, looping to echo = DDoS"
+add rule inet filter INPUT tcp dport 23 counter jump clutter
+add rule inet filter INPUT udp dport 53 counter jump clutter
+add rule inet filter INPUT udp dport 111 counter jump clutter comment "Probe/fingerprint Nix OS"
+add rule inet filter INPUT tcp dport 445 counter jump clutter comment "MS-DS active directory"
+add rule inet filter INPUT tcp dport 2323 counter jump clutter comment "3d-nfsd"
+add rule inet filter INPUT udp dport 5060 counter jump clutter
+add rule inet filter INPUT tcp dport 3389 counter jump clutter comment "MS terminal server RDP"
+
+# Log & drop
+add rule inet filter INPUT limit rate 5/minute burst 5 packets counter log prefix "netfilter dropped: " level debug
+add rule inet filter INPUT counter drop
+add rule inet filter FORWARD limit rate 5/minute burst 5 packets counter log prefix "netfilter forward dropped: " level debug
+add rule inet filter FORWARD counter drop
+add rule inet filter OUTPUT limit rate 5/minute burst 5 packets counter log prefix "netfilter rejected: " level debug
+add rule inet filter OUTPUT counter reject
+add rule inet filter clutter limit rate 5/minute burst 5 packets counter log prefix "netfilter clutter dropped: " level debug
+add rule inet filter clutter counter drop
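Review bot: The log prefix at L133 still reads "iptables dropped 127.0.0.0/8," while every other prefix in this file (L198–L204) uses "netfilter …", and the new rsyslog.d/30-nftables.conf only routes messages containing ' netfilter ' (L472, L477), so the loopback-spoof drop never reaches /var/log/netfilter/drop.log or all.log. Change it to `log prefix "netfilter dropped 127.0.0.0/8: "` so it matches both the rsyslog filter and the trailing-colon convention of the other prefixes; the same line recurs at L250 of nftables.test.rules.save and L352 of nftables.up.rules. The comment at L115 ("preent double enries … rule smight") is worth retyping as `# flush first so reloading does not duplicate rules` while you are there.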

+ 107 - 0
nftables.test.rules.save

@@ -0,0 +1,107 @@
+#!/usr/sbin/nft -f
+
+# Well known ports      0:1023
+# Registered ports      1024:49151
+# Goldielocks zone      32768:65535
+# Dynamic/Private       49152:65535
+#
+# WAN			86.83.121.29
+# vps			185.66.250.42
+# tor-exit		185.87.185.45
+
+# To preent double enries when loading rules when rule smight already be present.
+flush ruleset
+
+
+# IPv6 specific
+add table ip6 filter
+add chain ip6 filter INPUT { type filter hook input priority 0; policy accept; }
+add chain ip6 filter FORWARD { type filter hook forward priority 0; policy accept; }
+add chain ip6 filter OUTPUT { type filter hook output priority 0; policy accept; }
+#add chain ip6 filter clutter
+
+
+
+# IPv4 & IPv6 combined
+add table inet filter
+add chain inet filter INPUT { type filter hook input priority 0; policy accept; }
+add chain inet filter FORWARD { type filter hook forward priority 0; policy accept; }
+add chain inet filter OUTPUT { type filter hook output priority 0; policy accept; }
+add chain inet filter clutter
+
+# Accept neighbour discovery otherwise IPv6 connectivity breaks
+add rule inet filter INPUT ip6 nexthdr icmpv6 icmpv6 type { nd-redirect, nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert } accept # nd-redirect might not be required
+
+#  accept dynamic IPv6 configuration and neighbor discovery
+add rule ip6 filter INPUT icmpv6 type nd-neighbor-solicit accept
+add rule ip6 filter INPUT icmpv6 type nd-router-advert accept
+
+# Local loopback
+add rule inet filter INPUT iifname != "lo" ip daddr 127.0.0.0/8 limit rate 5/minute burst 5 packets counter log prefix "iptables dropped 127.0.0.0/8," level debug
+add rule inet filter INPUT iifname != "lo" ip daddr 127.0.0.0/8 counter drop
+add rule inet filter INPUT iifname "lo" counter accept
+add rule inet filter OUTPUT oifname "lo" counter accept
+
+# Active connections
+add rule inet filter INPUT ct state related,established counter accept
+add rule inet filter OUTPUT ct state related,established counter accept
+
+# ICMP ping
+add rule inet filter OUTPUT icmp type echo-request counter accept
+
+# SSH
+add rule inet filter INPUT tcp sport 1024-65535 tcp dport 22 counter accept
+add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 22 counter accept
+
+# WHOIS
+add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 43 counter accept
+
+# DNS
+add rule inet filter OUTPUT udp sport 1024-65535 udp dport 53 counter accept
+add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 53 counter accept
+add rule inet filter INPUT udp sport 1024-65535 udp dport 53 counter accept
+add rule inet filter INPUT tcp sport 32768-65535 tcp dport 53 counter accept
+
+# DHCP client
+add rule inet filter INPUT ip daddr 255.255.255.255 udp sport 67 udp dport 68 counter accept
+add rule inet filter OUTPUT udp sport 68 udp dport 67 counter accept
+
+# HTTP(s)
+add rule inet filter INPUT tcp dport 80 counter accept
+add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 80 counter accept
+add rule inet filter INPUT tcp dport 443 counter accept
+add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 443 counter accept
+
+# NTP
+add rule inet filter OUTPUT udp sport 32768-65535 udp dport 123 counter accept
+
+# Privoxy
+add rule inet filter INPUT tcp sport 32768-65535 tcp dport 8118 counter accept comment "Privoxy"
+
+# OpenPGP HTTP Key servers
+add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 11371 counter accept comment "OpenPGP HTTP key servers"
+
+# Traceroute
+add rule inet filter OUTPUT udp sport 32768-65535 udp dport 6881-33534 counter accept comment "Traceroute"
+
+# Attacks, crawls, scans, etc to clutter chain
+add rule inet filter INPUT ip protocol icmp counter jump clutter
+add rule inet filter INPUT ip daddr 255.255.255.255 counter jump clutter comment "Broadcast messages"
+add rule inet filter INPUT udp dport 19 counter jump clutter comment "Character generator, looping to echo = DDoS"
+add rule inet filter INPUT tcp dport 23 counter jump clutter
+add rule inet filter INPUT udp dport 53 counter jump clutter
+add rule inet filter INPUT udp dport 111 counter jump clutter comment "Probe/fingerprint Nix OS"
+add rule inet filter INPUT tcp dport 445 counter jump clutter comment "MS-DS active directory"
+add rule inet filter INPUT tcp dport 2323 counter jump clutter comment "3d-nfsd"
+add rule inet filter INPUT udp dport 5060 counter jump clutter
+add rule inet filter INPUT tcp dport 3389 counter jump clutter comment "MS terminal server RDP"
+
+# Log & drop
+add rule inet filter INPUT limit rate 5/minute burst 5 packets counter log prefix "iptables dropped: " level debug
+add rule inet filter INPUT counter drop
+add rule inet filter FORWARD limit rate 5/minute burst 5 packets counter log prefix "iptables forward dropped: " level debug
+add rule inet filter FORWARD counter drop
+add rule inet filter OUTPUT limit rate 5/minute burst 5 packets counter log prefix "iptables rejected: " level debug
+add rule inet filter OUTPUT counter reject
+add rule inet filter clutter limit rate 5/minute burst 5 packets counter log prefix "iptables clutter dropped: " level debug
+add rule inet filter clutter counter drop
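Review bot: This `.save` copy is not identical to the other two rulesets and nothing in it says which one is authoritative: it activates a separate `ip6 filter` table with accept policy at L227–L230 and puts ND accepts into it at L246–L247 that duplicate the inet rule at L243, and its log prefixes at L310–L316 still say "iptables …", so if it were ever loaded its messages would be routed by rsyslog.d/30-iptables.conf rather than the new 30-nftables.conf. A scratch copy that can only be told apart from the live file by diffing is easy to load by mistake; either leave it out of the commit or add `# Superseded working copy — do not load; see nftables.up.rules` directly under the shebang at L211.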

+ 102 - 0
nftables.up.rules

@@ -0,0 +1,102 @@
+#!/usr/sbin/nft -f
+
+# Well known ports      0:1023
+# Registered ports      1024:49151
+# Goldielocks zone      32768:65535
+# Dynamic/Private       49152:65535
+#
+# WAN			86.83.121.29
+# vps			185.66.250.42
+# tor-exit		185.87.185.45
+
+# To preent double enries when loading rules when rule smight already be present.
+flush ruleset
+
+# IPv6 specific
+#add table ip6 filter
+#add chain ip6 filter INPUT { type filter hook input priority 0; policy accept; }
+#add chain ip6 filter FORWARD { type filter hook forward priority 0; policy accept; }
+#add chain ip6 filter OUTPUT { type filter hook output priority 0; policy accept; }
+#add chain ip6 filter clutter
+
+# inet = IPv4 & IPv6 combined
+add table inet filter
+add chain inet filter INPUT { type filter hook input priority 0; policy accept; }
+add chain inet filter FORWARD { type filter hook forward priority 0; policy accept; }
+add chain inet filter OUTPUT { type filter hook output priority 0; policy accept; }
+add chain inet filter clutter
+
+# Local loopback
+add rule inet filter INPUT iifname != "lo" ip daddr 127.0.0.0/8 limit rate 5/minute burst 5 packets counter log prefix "iptables dropped 127.0.0.0/8," level debug
+add rule inet filter INPUT iifname != "lo" ip daddr 127.0.0.0/8 counter drop
+add rule inet filter INPUT iifname "lo" counter accept
+add rule inet filter OUTPUT oifname "lo" counter accept
+
+# Active connections
+add rule inet filter INPUT ct state related,established counter accept
+add rule inet filter OUTPUT ct state related,established counter accept
+
+# ICMPv6 accept neighbour discovery otherwise IPv6 connectivity breaks | Accept dynamic IPv6 configuration (DHCP) | Accept sending of listenerreport
+add rule inet filter INPUT ip6 nexthdr icmpv6 icmpv6 type { nd-redirect, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
+add rule inet filter OUTPUT ip6 nexthdr icmpv6 icmpv6 type { nd-redirect, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, echo-request, mld2-listener-report } accept # mld2-listener-report does not seem to work, TYPE 143 is not filtered out.
+add rule inet filter OUTPUT icmpv6 type { mld2-listener-report } accept	# Workaround for mld2-listener-report from the previous line
+
+# ICMP ping
+add rule inet filter OUTPUT icmp type echo-request counter accept
+
+# SSH
+add rule inet filter INPUT tcp sport 1024-65535 tcp dport 22 counter accept
+add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 22 counter accept
+
+# WHOIS
+add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 43 counter accept
+
+# DNS
+add rule inet filter OUTPUT udp sport 1024-65535 udp dport 53 counter accept
+add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 53 counter accept
+add rule inet filter INPUT udp sport 1024-65535 udp dport 53 counter accept
+add rule inet filter INPUT tcp sport 32768-65535 tcp dport 53 counter accept
+
+# DHCP client
+add rule inet filter INPUT ip daddr 255.255.255.255 udp sport 67 udp dport 68 counter accept
+add rule inet filter OUTPUT udp sport 68 udp dport 67 counter accept
+
+# HTTP(s)
+add rule inet filter INPUT tcp dport 80 counter accept
+add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 80 counter accept
+add rule inet filter INPUT tcp dport 443 counter accept
+add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 443 counter accept
+
+# NTP
+add rule inet filter OUTPUT udp sport 32768-65535 udp dport 123 counter accept
+
+# Privoxy
+add rule inet filter INPUT tcp sport 32768-65535 tcp dport 8118 counter accept comment "Privoxy"
+
+# OpenPGP HTTP Key servers
+add rule inet filter OUTPUT tcp sport 32768-65535 tcp dport 11371 counter accept comment "OpenPGP HTTP key servers"
+
+# Traceroute
+add rule inet filter OUTPUT udp sport 32768-65535 udp dport 6881-33534 counter accept comment "Traceroute"
+
+# Attacks, crawls, scans, etc to clutter chain
+add rule inet filter INPUT ip protocol icmp counter jump clutter
+add rule inet filter INPUT ip daddr 255.255.255.255 counter jump clutter comment "Broadcast messages"
+add rule inet filter INPUT udp dport 19 counter jump clutter comment "Character generator, looping to echo = DDoS"
+add rule inet filter INPUT tcp dport 23 counter jump clutter
+add rule inet filter INPUT udp dport 53 counter jump clutter
+add rule inet filter INPUT udp dport 111 counter jump clutter comment "Probe/fingerprint Nix OS"
+add rule inet filter INPUT tcp dport 445 counter jump clutter comment "MS-DS active directory"
+add rule inet filter INPUT tcp dport 2323 counter jump clutter comment "3d-nfsd"
+add rule inet filter INPUT udp dport 5060 counter jump clutter
+add rule inet filter INPUT tcp dport 3389 counter jump clutter comment "MS terminal server RDP"
+
+# Log & drop
+add rule inet filter INPUT limit rate 5/minute burst 5 packets counter log prefix "netfilter dropped: " level debug
+add rule inet filter INPUT counter drop
+add rule inet filter FORWARD limit rate 5/minute burst 5 packets counter log prefix "netfilter forward dropped: " level debug
+add rule inet filter FORWARD counter drop
+add rule inet filter OUTPUT limit rate 5/minute burst 5 packets counter log prefix "netfilter rejected: " level debug
+add rule inet filter OUTPUT counter reject
+add rule inet filter clutter limit rate 5/minute burst 5 packets counter log prefix "netfilter clutter dropped: " level debug
+add rule inet filter clutter counter drop
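Review bot: L379–L380 accept inbound UDP and TCP to port 53 from any source port in 1024–65535, which exposes a resolver port on this host and shadows the clutter rule at L409 (only senders using a privileged source port ever reach it); replies to the host's own lookups are already accepted by the `ct state related,established` rule at L358, so unless the machine is meant to serve DNS those two lines should be removed and L409 will then do its job. The SSH accept at L370 likewise has no per-source rate limit now that the iptables `-m recent` rules were disabled, which is worth a comment if intentional. The same pair/shadow appears at L160–L161/L190 of nftables.test.rules and L272–L273/L302 of nftables.test.rules.save.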

+ 6 - 6
rsyslog.d/30-iptables.conf

@@ -1,30 +1,30 @@
 if  ($syslogfacility-text == 'kern') and \\
 ($msg contains ' iptables ') \\
-then    -/var/log/iptables/all.log
+then    -/var/log/netfilter/all.log
 #    &   ~
 
 if  ($syslogfacility-text == 'kern') and \\
 ($msg contains ' iptables dropped') \\
-then    -/var/log/iptables/drop.log
+then    -/var/log/netfilter/drop.log
 #    &   ~
 
 if  ($syslogfacility-text == 'kern') and \\
 ($msg contains ' iptables rejected') \\
-then    -/var/log/iptables/reject.log
+then    -/var/log/netfilter/reject.log
 #    &   ~
 
 if  ($syslogfacility-text == 'kern') and \\
 ($msg contains ' iptables ' and $msg contains ' DHCP') \\
-then    -/var/log/iptables/dhcp.log
+then    -/var/log/netfilter/dhcp.log
 #    &   ~
 
 iptables allowed DHCP
 if  ($syslogfacility-text == 'kern') and \\
 ($msg contains ' iptables dropped' or $msg contains ' iptables rejected') \\
-then    -/var/log/iptables/troubleshooot.log
+then    -/var/log/netfilter/troubleshooot.log
 #    &   ~
 
 if  ($syslogfacility-text == 'kern') and \\
 ($msg contains ' iptables clutter') \\
-then    -/var/log/iptables/clutter.log
+then    -/var/log/netfilter/clutter.log
 #    &   ~

+ 30 - 0
rsyslog.d/30-nftables.conf

@@ -0,0 +1,30 @@
+if  ($syslogfacility-text == 'kern') and \\
+($msg contains ' netfilter ') \\
+then    -/var/log/netfilter/all.log
+#    &   ~
+
+if  ($syslogfacility-text == 'kern') and \\
+($msg contains ' netfilter dropped') \\
+then    -/var/log/netfilter/drop.log
+#    &   ~
+
+if  ($syslogfacility-text == 'kern') and \\
+($msg contains ' netfilter rejected') \\
+then    -/var/log/netfilter/reject.log
+#    &   ~
+
+if  ($syslogfacility-text == 'kern') and \\
+($msg contains ' netfilter ' and $msg contains ' DHCP') \\
+then    -/var/log/netfilter/dhcp.log
+#    &   ~
+
+iptables allowed DHCP
+if  ($syslogfacility-text == 'kern') and \\
+($msg contains ' netfilter dropped' or $msg contains ' netfilter rejected') \\
+then    -/var/log/netfilter/troubleshooot.log
+#    &   ~
+
+if  ($syslogfacility-text == 'kern') and \\
+($msg contains ' netfilter clutter') \\
+then    -/var/log/netfilter/clutter.log
+#    &   ~
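Review bot: L491 `iptables allowed DHCP` is a bare line outside any comment, so rsyslog will try to parse it as a legacy selector/action pair and, at minimum, report a configuration error on load; it should be `# netfilter allowed DHCP` (the same stray line survives as context at L454 of 30-iptables.conf). The file name "troubleshooot.log" at L494 carries the old typo into a new file, so this is the moment to rename it. Since L474, L479 and the other `#    &   ~` lines are commented out, each matched message is also still delivered to the default kern destinations; if that duplication is deliberate a short comment at the top saying so would help.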