What is nftables?
Reading the wiki we learn that nftables is the firewall of the Linux kernel. It is the successor of the great iptables.
nftables is available on kernel version 3.13 or newer, so keep that in mind.
Why nftables?
It is true that there are firewall front ends like firewalld or ufw that may be easier to understand, but we need to realise that they are running nftables in the background.
So if you are trying to understand how the firewall works, or you just want to write complex rules, you should try nftables.
How to use it?
First of all we need to be sure that no other firewall is running; if there is one, deactivate it.
nftables works with tables, chains and rules, each nested inside the previous one. In the initial configuration you may have this in /etc/nftables.conf:
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
We can also get the same output with the nft command line utility:
nft list ruleset
The default rules are clear: accept everything. As you probably guessed, this is not the optimal configuration in terms of security or practicality.
In the example, everything is inside the table named “filter” of the inet family. This means it applies the filter to both IPv4 and IPv6. Inside the table there are different chains, input, forward and output, all having accept as the default policy.
Let's suppose we wanted to block port 80:
nft add rule inet filter input tcp dport 80 drop
And now let's block port 22 for a certain source IP:
nft add rule inet filter input ip saddr 8.8.8.8 tcp dport 22 drop
As we can see, the structure of these rules is:
nft add rule [family] [table] [chain] [rule expression and verdict]
Printing the ruleset after applying the rules we get:
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
        tcp dport 80 drop
        ip saddr 8.8.8.8 tcp dport 22 drop
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
Easy, no? And what if we wanted to delete one?
We should know that each line has a handle; we can print it with:
nft -a list ruleset
Getting:
table inet filter { # handle 4
    chain input { # handle 1
        type filter hook input priority filter; policy accept;
        tcp dport 80 drop # handle 5
        ip saddr 8.8.8.8 tcp dport 22 drop # handle 6
    }
    chain forward { # handle 2
        type filter hook forward priority filter; policy accept;
    }
    chain output { # handle 3
        type filter hook output priority filter; policy accept;
    }
}
Once we have the handle number we can delete the rule with the command:
nft delete rule [family] [table] [chain] handle [number]
For example:
nft delete rule inet filter input handle 5
This is great, but wait a second: this only lives in the runtime ruleset, so after a reboot the configuration will be lost. We need to save it in /etc/nftables.conf.
nftables.conf example
Here is a good example that blocks all incoming traffic and allows all outgoing traffic.
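Finding the handle by eye in a long listing is error-prone, so here is an added helper script (not part of the original post) that automates the lookup described above: it parses the output of nft -a list ruleset, finds the handle of a rule by its exact text inside a given table and chain, and uses it for the delete command. The function names rule_handles and delete_rule are chosen here, and the sample listing at the bottom is constructed for the offline demonstration (the listing from this post plus one extra rule on port 8080, to show that matching is exact).

```shell
#!/bin/sh
# Added example: look a rule handle up by the rule text, then delete by handle.
# Parses the output of `nft -a list ruleset` read from stdin.

# rule_handles FAMILY TABLE CHAIN "RULE TEXT"
# Prints the handle of every rule in FAMILY/TABLE/CHAIN whose text equals
# RULE TEXT exactly, so "tcp dport 80 drop" does not match "tcp dport 8080 drop".
rule_handles() {
    awk -v fam="$1" -v tbl="$2" -v ch="$3" -v want="$4" '
        # nft prints one object per line: depth 1 = inside a table, depth 2 = inside a chain
        $1 == "table" { in_table = ($2 == fam && $3 == tbl) }
        depth == 1    { in_chain = ($1 == "chain" && in_table && $2 == ch) }
        in_chain && depth == 2 && match($0, / # handle [0-9]+$/) {
            rule = substr($0, 1, RSTART - 1)     # everything before " # handle N"
            sub(/^[ \t]+/, "", rule)             # strip the indentation nft prints
            if (rule == want) print substr($0, RSTART + 10, RLENGTH - 10)
        }
        # update the nesting depth last; "{ established, related }" nets to zero
        { depth += gsub(/[{]/, "{") - gsub(/[}]/, "}") }
    '
}

# delete_rule FAMILY TABLE CHAIN "RULE TEXT"
# Looks the handle up on the live ruleset and deletes the rule (needs root and nft).
delete_rule() {
    nft -a list ruleset | rule_handles "$@" | while read -r h; do
        nft delete rule "$1" "$2" "$3" handle "$h"
    done
}

# Constructed sample of `nft -a list ruleset` output for the offline demonstration:
# the listing from the post plus an extra rule on port 8080.
sample_ruleset() {
cat <<'EOF'
table inet filter { # handle 4
	chain input { # handle 1
		type filter hook input priority filter; policy accept;
		tcp dport 80 drop # handle 5
		ip saddr 8.8.8.8 tcp dport 22 drop # handle 6
		tcp dport 8080 drop # handle 7
	}
	chain forward { # handle 2
		type filter hook forward priority filter; policy accept;
	}
	chain output { # handle 3
		type filter hook output priority filter; policy accept;
	}
}
EOF
}

# On a live system: delete_rule inet filter input "tcp dport 80 drop"
# Offline, against the constructed sample:
sample_ruleset | rule_handles inet filter input "tcp dport 80 drop"   # prints 5
```

The comparison is on the whole rule text rather than a substring on purpose: deleting by a partial match such as "dport 80" would silently pick up other rules, and handles are the only identifier nft guarantees to be unique within a chain.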
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    # Drop input by default
    chain input {
        type filter hook input priority filter; policy drop;
        # Drop packets the connection tracker considers invalid
        ct state invalid drop
        # Accept packets belonging to established or related connections
        ct state { established, related } accept
        # Allow loopback, and drop traffic to loopback addresses arriving on any other interface
        iif "lo" accept
        iif != "lo" ip daddr 127.0.0.1/8 drop
        iif != "lo" ip6 daddr ::1/128 drop
        # Allow ping (ICMP and ICMPv6)
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        # Private services ports, only reachable from the local network
        ip saddr 192.168.1.0/24 tcp dport 22 accept
        ip saddr 192.168.1.0/24 tcp dport 445 accept
        # Public services port
        tcp dport 443 accept
    }
    # Drop forward by default
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
    # Allow output by default
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
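With an input chain whose policy is drop, a typo in the file or a forgotten allow rule for your own SSH session means losing access to a remote machine. The script below is an added example (not from the original post or the nftables project) of how to load a saved ruleset file defensively: it checks the syntax with nft -c -f, saves the running ruleset, loads the new file, and then waits for a confirmation file to appear; if no confirmation arrives in time, the saved ruleset is restored. The function name safe_apply, the NFT variable and the confirmation-file path in the usage comment are assumptions made here.

```shell
#!/bin/sh
# Added example: check, back up, load, and roll back a ruleset file unless confirmed.
# NFT can be pointed at a wrapper for testing; it defaults to the real binary.
NFT=${NFT:-nft}

# safe_apply FILE CONFIRM_FILE TIMEOUT_SECONDS
# Returns 0 if the new ruleset was kept, 1 on a syntax error (nothing changed),
# 2 if it was loaded and then rolled back because no confirmation arrived.
safe_apply() {
    file=$1; confirm=$2; timeout=$3
    backup=$(mktemp) || return 1

    # 1. `nft -c` parses and checks the file without touching the kernel
    if ! "$NFT" -c -f "$file"; then
        echo "syntax check failed, ruleset unchanged" >&2
        rm -f "$backup"
        return 1
    fi
    # 2. Save the running ruleset so it can be restored
    "$NFT" list ruleset > "$backup"
    # 3. Load the new ruleset (the file starts with "flush ruleset", so this replaces everything)
    "$NFT" -f "$file"
    # 4. Give the operator TIMEOUT seconds to confirm, e.g. from a fresh SSH session
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ -e "$confirm" ]; then break; fi
        sleep 1
        waited=$((waited + 1))
    done
    if [ -e "$confirm" ]; then
        rm -f "$backup" "$confirm"
        return 0
    fi
    # 5. No confirmation: put the previous ruleset back. `nft list ruleset`
    #    output has no "flush ruleset" line, so prepend one to avoid duplicates.
    echo "no confirmation within ${timeout}s, restoring previous ruleset" >&2
    { echo "flush ruleset"; cat "$backup"; } > "$backup.restore"
    "$NFT" -f "$backup.restore"
    rm -f "$backup" "$backup.restore"
    return 2
}

# Usage as root (paths are assumptions): safe_apply /etc/nftables.conf /run/nftables.confirm 60
# then, from a second session that still works: touch /run/nftables.confirm
```

The same nft -c -f check on its own is worth running every time /etc/nftables.conf is edited, because a file that fails to parse is rejected as a whole and the running ruleset stays as it was.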
That's all
That's how simple it is to start working with nftables. You are interacting with the Linux kernel, so this is really powerful. Remember to read the wiki to learn more about it.