nftables the Linux firewall main commands

nftables is going to replace iptables tool to manage Netfilter. So to be in tune with the times, here, some notes to see how it works on a Debian system.

Configuration

OS : Debian 10
nftables : 0.9.0 (Fearless Fosdick)

General informations

Enable nftables at boot with systemctl :

root@host:~# systemctl enable nftables.service

nftables rules file :

root@host:~# /etc/nftables.conf

Load nftables file :

root@host:~# nft -f /etc/nftables.conf

List current rules :

root@host:~# nft list ruleset

Note : inet means ipv4 and ipv6 addresses. We can specify ip or ipv6 words to be more specific.

Tables

Create table :

root@host:~# nft add table inet <table name>

List tables :

root@host:~# nft list tables

Delete table :

root@host:~# nft delete table inet <table name>

Flush table :

root@host:~# nft flush table inet <table name>

Chains

Create chain :

root@host:~# nft add chain inet <table name> <chain name>

List chains :

root@host:~# nft list chains

Delete chain :

root@host:~# nft delete chain <table name> <chain name>

Create input chain for inbound traffic :

root@host:~# nft add chain inet filter INPUT { type filter hook input priority 0\; }

Create forward chain for forward traffic :

root@host:~# nft add chain inet filter FORWARD { type filter hook forward priority 0\; }

Create outbound chain for outbound traffic :

root@host:~# nft add chain inet filter OUTPUT { type filter hook output priority 0\; }

Create NAT chain for masquerading traffic :

root@host:~# nft add chain inet filter my_masquerade '{ type nat hook postrouting priority 100; }'

Create NAT chain for prerouting/ports redirection traffic :

root@host:~# nft add chain inet filter my_prerouting '{ type nat hook prerouting priority -100; }'

Rules

Create

Create rule which allow input traffic with counting and comment :

root@host:~# nft add rule inet <table name> <chain name> counter accept comment \"ALLOW INPUT\"

Create rule which allow ssh and count input traffic :

root@host:~# nft add rule inet filter INPUT tcp dport 22 counter

Create rule which allow web protocols for new or established states and count input traffic :

root@host:~# nft add rule inet filter INPUT tcp dport {80, 443} ct state new,established counter accept

Delete

Delete rule with handle number

List rules with handle number :

root@host:~# nft -n -a list ruleset

Delete rule :

root@host:~# nft delete rule ip filter INPUT handle 38

Replace

We can Replace rule with handle number
- List rules with handle number :

root@host:~# nft -n -a list ruleset

Replace rule :

root@host:~# nft replace rule ip filter INPUT handle 38 iifname "eth0" ip saddr 192.168.1.12 counter drop

Insert

We can Insert rule with handle number

List rules with handle number :

root@host:~# nft -n -a list ruleset

Insert rule :

root@host:~# nft insert rule ip filter INPUT position 17 iifname "eth0" ip saddr { 192.168.1.11, 192.168.1.68, 192.168.1.118 } counter drop

NAT

Create Table

root@host:~# nft add table ip NAT

Create Chains

Create masquerading chain :

root@host:~# nft add chain ip NAT my_masquerade '{ type nat hook postrouting priority 100; }'

Create prerouting chain for ports redirection :

root@host:~# nft add chain ip NAT my_prerouting '{ type nat hook prerouting priority -100; }'

Masquerading Rule

No masquerade between our 192.168.0.0/16 networks :

root@host:~# nft add rule NAT my_masquerade ip daddr \!= { 192.168.0.0/16 } oifname <interface> masquerade

Prerouting Rule

root@host:~# nft add rule NAT my_prerouting iifname <interface> tcp dport { https } dnat to 192.168.1.10 comment \"Web Server\"

Computing

Music

Misc