Introduction
Nftables is a firewall and packet filtering system that replaces iptables in Linux. It provides a clean and organized way to manage your network security and traffic filtering. Nftables was introduced in Linux Kernel 3.13 and has been included in all major Linux distributions since then. In this article, we’ll cover the basics of nftables configuration and how you can use it to enhance your network security.
Installing Nftables
Before you can use nftables, you’ll need to install it on your system. If you’re using a recent version of a major Linux distribution, nftables is likely already installed. You can check if it’s installed by running the following command:
nft -v
If the command is not found (no version string is printed), nftables is not installed. You can install it using the following command:
apt-get install nftables
or
yum install nftables
You may also need the iptables-nft compatibility layer if you want to keep using existing iptables rules on top of nftables. The package name varies by distribution: on Debian and Ubuntu the iptables-nft binaries ship in the iptables package, while Fedora and RHEL provide a separate iptables-nft package.
apt-get install iptables
or
yum install iptables-nft
Once you have installed nftables, you’re ready to start configuring it.
Nftables Basics
Nftables operates using a set of tables, chains, and rules. A table is a container for chains, and a chain is a container for rules. Rules are used to filter incoming and outgoing network traffic.
In nftables, the default table is the filter table. The filter table has three built-in chains:
- Input: The input chain is used to filter incoming traffic.
- Output: The output chain is used to filter outgoing traffic.
- Forward: The forward chain is used to filter traffic that is being forwarded between interfaces.
Each chain contains rules that are evaluated in order. If a packet matches a rule that carries a verdict, it is accepted, dropped, or rejected and evaluation of that chain stops; otherwise evaluation continues with the next rule in the chain.
Configuring Nftables
To start configuring nftables, you’ll need to use the nft command. The nft command is used to add, delete, and modify tables, chains, and rules.
Adding a Rule
To add a rule, use the following syntax:
nft add rule <table> <chain> <expression>
For example, to add a rule that blocks incoming traffic from IP address 192.168.1.100, you would use the following command:
nft add rule filter input ip saddr 192.168.1.100 drop
This rule adds a new rule to the input chain in the filter table. The expression ip saddr 192.168.1.100
matches incoming packets with a source IP address of 192.168.1.100. The drop
action drops the packet and does not send a response to the sender.
Deleting a Rule
To delete a rule, refer to it by its handle, the identifier nft assigns to every rule, using the following syntax:
nft delete rule <table> <chain> handle <handle>
For example, to delete the rule we just added, first look up its handle (nft -a list chain filter input prints each rule followed by "# handle N") and then delete it by that handle:
nft delete rule filter input handle 1
Listing Rules
To list all the rules in a chain, use the following syntax:
nft list chain <table> <chain>
For example, to list all the rules in the input chain of the filter table, you would use the following command:
nft list chain filter input
This will show you all the rules in the input chain along with their expressions. Add the -a option (nft -a list chain filter input) to print each rule's handle as well, which you need when deleting or replacing a specific rule. To see every table and chain at once, use nft list ruleset.
Chains and Tables
You can also create new chains and tables in nftables. To create a new base chain (one attached to a netfilter hook), use the following syntax:
nft add chain <table> <chain> '{ type <type> hook <hook> priority <priority> ; }'
The braces and the semicolon are quoted so that the shell passes them to nft unchanged. For example, to create a new chain in the filter table called "mychain", you would use the following command:
nft add chain filter mychain '{ type filter hook input priority 0 ; }'
This creates a new chain called "mychain" in the filter table, attached to the "input" hook with a priority of 0. The "type" of the chain is set to "filter".
You can also create a new table using the following syntax:
nft add table <table>
For example, to create a new table called “mytable”, you would use the following command:
nft add table mytable
After creating a new table, you can add chains and rules to it just like you would with the filter table.
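The commands above create tables and chains one at a time; in practice the whole firewall is usually kept in one ruleset file and loaded with nft -f. The following is an added example written for this article, not code from the original page or the nftables project. It assumes only a stock nft binary. Two points it makes explicit: nftables creates no tables on its own, so the "filter" table and its chains have to be declared, and the inet family lets one table cover both IPv4 and IPv6.

```nft
#!/usr/sbin/nft -f
# Added example: a complete host firewall ruleset (not from the original article).
# Syntax check without loading:  nft -c -f firewall.nft
# Load (replaces the running ruleset): nft -f firewall.nft

# Start from a clean state so reloading this file does not duplicate rules.
flush ruleset

# "inet" covers IPv4 and IPv6 in one table. The names "filter", "input",
# "forward" and "output" are conventions, not built-ins.
table inet filter {
    chain input {
        # A base chain is bound to a hook; priority 0 is the conventional
        # filter priority. The policy is the verdict when no rule matches.
        type filter hook input priority 0; policy drop;

        # Loopback traffic is always allowed.
        iif "lo" accept

        # Replies to connections this host opened. Placed first because it
        # matches most packets and "accept" ends evaluation of the chain.
        ct state established,related accept

        # Packets that do not belong to any known connection.
        ct state invalid drop

        # ICMP and ICMPv6 are needed for path MTU discovery and IPv6 neighbour
        # discovery; dropping them wholesale breaks connectivity.
        meta l4proto { icmp, ipv6-icmp } accept

        # Services this host exposes (assumed: only SSH).
        tcp dport 22 ct state new accept
    }

    chain forward {
        # This host is not a router, so nothing is forwarded.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound traffic is allowed; tighten this for servers with a known
        # set of upstream dependencies.
        type filter hook output priority 0; policy accept;
    }
}
```

After loading, nft list ruleset shows exactly the content of the file, and nft -a list chain inet filter input shows the handles to use with nft delete rule inet filter input handle N. Rule order matters because accept and drop are terminating verdicts: the connection-tracking rule is first so that the bulk of traffic is decided by one cheap lookup.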
Using Nftables in Firewall Configuration
Nftables is a powerful tool for managing your network security. In this section, we’ll go over some common firewall configurations and how you can use nftables to implement them.
Blocking Incoming Traffic
To block incoming traffic, you’ll need to add a rule to the input chain in the filter table. For example, to block incoming traffic from IP address 192.168.1.100, you would use the following command:
nft add rule filter input ip saddr 192.168.1.100 drop
This rule adds a new rule to the input chain in the filter table. The expression ip saddr 192.168.1.100
matches incoming packets with a source IP address of 192.168.1.100. The drop
action drops the packet and does not send a response to the sender.
Allowing Incoming Traffic
To allow incoming traffic, you’ll need to add a rule to the input chain in the filter table. For example, to allow incoming traffic from IP address 192.168.1.100, you would use the following command:
nft add rule filter input ip saddr 192.168.1.100 accept
This rule adds a new rule to the input chain in the filter table. The expression ip saddr 192.168.1.100
matches incoming packets with a source IP address of 192.168.1.100. The accept
action allows the packet to be processed by the next rule in the chain or by the final target of the chain.
Blocking Outgoing Traffic
To block outgoing traffic, you’ll need to add a rule to the output chain in the filter table. For example, to block outgoing traffic to IP address 192.168.1.100, you would use the following command:
nft add rule filter output ip daddr 192.168.1.100 drop
This rule adds a new rule to the output chain in the filter table. The expression ip daddr 192.168.1.100
matches outgoing packets with a destination IP address of 192.168.1.100. The drop
action drops the packet and does not send it to the destination.
Allowing Outgoing Traffic
To allow outgoing traffic, you’ll need to add a rule to the output chain in the filter table. For example, to allow outgoing traffic to IP address 192.168.1.100, you would use the following command:
nft add rule filter output ip daddr 192.168.1.100 accept
This rule adds a new rule to the output chain in the filter table. The expression ip daddr 192.168.1.100
matches outgoing packets with a destination IP address of 192.168.1.100. The accept
action allows the packet to be processed by the next rule in the chain or by the final target of the chain.
Blocking Traffic Based on Port
You can also block or allow traffic based on the port it is using. For example, to block incoming traffic on port 80 (HTTP), you would use the following command:
nft add rule filter input tcp dport 80 drop
This rule adds a new rule to the input chain in the filter table. The expression tcp dport 80
matches incoming packets with a destination port of 80. The drop
action drops the packet and does not send a response to the sender.
Allowing Traffic Based on Port
To allow traffic based on the port it is using, you would use a similar command to the one used for blocking traffic based on port. For example, to allow incoming traffic on port 80 (HTTP), you would use the following command:
nft add rule filter input tcp dport 80 accept
This rule adds a new rule to the input chain in the filter table. The expression tcp dport 80
matches incoming packets with a destination port of 80. The accept
action allows the packet to be processed by the next rule in the chain or by the final target of the chain.
Blocking Traffic Based on Protocol
You can also block or allow traffic based on the protocol it is using. For example, to block incoming ICMP traffic, you would use the following command:
nft add rule filter input ip protocol icmp drop
This rule adds a new rule to the input chain in the filter table. The expression ip protocol icmp
matches incoming IPv4 ICMP packets. (The bare expression icmp type is not valid on its own; it must be followed by a type such as echo-request to match a specific ICMP message.) The drop
action drops the packet and does not send a response to the sender.
Allowing Traffic Based on Protocol
To allow traffic based on the protocol it is using, you would use a similar command to the one used for blocking traffic based on protocol. For example, to allow incoming ICMP traffic, you would use the following command:
nft add rule filter input ip protocol icmp accept
This rule adds a new rule to the input chain in the filter table. The expression ip protocol icmp
matches incoming IPv4 ICMP packets. The accept
action allows the packet to be processed by the next rule in the chain or by the final target of the chain.
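The address, port and protocol rules above are written one per command. The following added example, written for this article and not taken from the original page or the nftables project, shows the same matches in the form a practitioner would keep in a ruleset file. It goes beyond the single-rule commands: named sets replace one rule per address or port and can be changed at runtime, icmp type is given the value it requires, and traffic that reaches the drop policy is counted and logged so that blocked connections are visible in the kernel log. All addresses and ports are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: port- and protocol-based filtering with sets, explicit ICMP
# types and a logged default drop (not from the original article).
# Load with: nft -f services.nft

flush ruleset

table inet filter {
    # Named sets are changed without touching the rules that use them, e.g.
    #   nft add element inet filter blocked_hosts '{ 203.0.113.7 }'
    #   nft delete element inet filter blocked_hosts '{ 203.0.113.7 }'
    set blocked_hosts {
        type ipv4_addr
        flags interval            # allows prefixes as well as single addresses
        elements = { 192.168.1.100, 198.51.100.0/24 }   # constructed values
    }

    set tcp_services {
        type inet_service
        elements = { 22, 80, 443 }   # constructed: SSH, HTTP, HTTPS
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Source-address block. It sits before every allow rule because
        # "accept" is a terminating verdict: a later drop would never run.
        ip saddr @blocked_hosts counter drop

        # "icmp type" needs a value. Echo requests are rate-limited; error
        # messages needed for normal operation are accepted without limit.
        icmp type echo-request limit rate 5/second accept
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # IPv6 neighbour discovery and error messages; dropping these breaks IPv6.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert,
                      echo-request, destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Port-based allow: one rule for the whole set, new connections only.
        tcp dport @tcp_services ct state new accept

        # Anything else: count it and log a sample before the policy drops it.
        # The limit keeps a flood from filling the log.
        limit rate 10/minute log prefix "nft-input-drop: " counter drop
    }

    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output  priority 0; policy accept; }
}
```

The counters are read back with nft list ruleset, which shows packets and bytes next to each counter statement; a rising count on the blocked_hosts rule or on the final drop is the first thing to check when a host is unexpectedly unreachable. The log lines appear in the kernel log (dmesg or journalctl -k) with the given prefix, so a log pipeline can match on "nft-input-drop:".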
Conclusion
Nftables is a powerful and flexible firewall solution that offers many features and benefits over traditional firewall tools. With its readable syntax and customizable rules, nftables is a good
choice for novice and experienced users alike. Whether you need to block incoming traffic, allow outgoing traffic, or control traffic based on port or protocol, nftables has you covered.
If you’re looking for a way to improve your firewall security and efficiency, then nftables is definitely worth considering. With its ease of use, flexibility, and powerful features, nftables is a great option for anyone looking to improve their firewall solution.
So, whether you’re a system administrator or just someone looking to increase their security, give nftables a try and see for yourself why so many people are switching over to this powerful and flexible firewall solution.