nftables

To manage nftables, run nft.
nft is the administration tool of the nftables framework for packet filtering and classification.

Debian as a router using nftables

Resources

Dictionary

Name | Explanation
ct | Selector for state tracking information, also called conntrack or ct information. Netfilter collects it through the Connection Tracking System to deploy stateful firewalls.

Preparations

With aptitude, uninstall iptables and ufw, then install nftables

aptitude remove iptables ufw
aptitude install nftables

Check if the nftables kernel module is installed and loaded

modinfo nf_tables
lsmod | grep nf_tables

Restart nftables

systemctl restart nftables.service

Show the status

systemctl status nftables.service

Syntax

{ 3142 } or { 80, 443, 8080 } denotes a set containing one or more members. The elements can be of any type: ports, IP addresses, protocols and so on.
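As an added example, not code from the original page, the following nft script shows the three places a set can appear: in a define variable, as a named set inside a table (which rules reference with @name and which can be edited at runtime), and as an anonymous set written inline in a rule. The port numbers and the 192.0.2.0/24 network are constructed sample values.

```nft
#!/usr/sbin/nft -f
# Added example: set syntax in an nft script. All values are constructed samples.

flush ruleset

# 1. A variable holding an anonymous set; service names resolve via /etc/services
define web_ports = { http, https, 8080 }

table inet filter {
  # 2. A named set, reusable from several rules and editable at runtime with
  #    "nft add element inet filter admin_nets { 203.0.113.0/24 }"
  set admin_nets {
    type ipv4_addr
    flags interval
    elements = { 192.0.2.0/24 }
  }

  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept

    # 3. An anonymous set written inline; a single-element set is written { 3142 }
    tcp dport { 3142 } accept
    tcp dport $web_ports ct state new accept

    # Only members of the named set may open SSH
    ip saddr @admin_nets tcp dport ssh ct state new accept
  }
}
```

Load it with nft -f, or check it without applying anything with nft -c -f; a define may hold a set, but only a named set can be changed without reloading the whole ruleset.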

Commands

When working with chains the family is optional and defaults to “ip”

Command | Explanation
nft list ruleset | Show the current rules
nft list tables | List all tables of all families
nft list table ip filter | List the chains and rules in the table “filter” of family “ip” (alternative: ip6)
nft list table inet filter | List the chains and rules in the table “filter” of family “inet” (IPv4 and IPv6)
nft delete table ip6 filter | Delete the table “filter” of family “ip6”
nft flush ruleset | Warning: clears the whole ruleset. This removes all tables and whatever they contain, leaving an empty ruleset; no packet filtering happens anymore. Run, as root, systemctl restart nftables.service to reload the ruleset. Gives an error on kernel 3.x and/or i586 Geode processors on Debian Bullseye; nft flush table inet filter in /etc/nftables.conf works as expected there.
nft flush table ip6 filter | Delete all rules in table “filter” of family “ip6”
nft flush chain tablename chainname | Delete all rules in chain “chainname” of table “tablename” (the table is named before the chain)
nft list chain ip filter FORWARD | List the rules in the chain “FORWARD” in the table “filter” of family “ip”
nft flush chain ip filter ufw-before-logging-input | Delete all the rules in chain “ufw-before-logging-input” in the table “filter” of family “ip”
nft delete chain ip filter ufw-before-logging-input | Delete the chain; chains need to be empty before they can be removed
systemctl enable --now nftables.service | Autostart nftables at system boot. Should print: Created symlink /etc/systemd/system/sysinit.target.wants/nftables.service → /lib/systemd/system/nftables.service.
tcp dport 7777 reject with tcp reset | Rule (inside a chain): reject TCP traffic to port 7777 and answer with a TCP reset instead of silently dropping it

Tables

table inet filter: defining a table for filtering network traffic for IPv4 and IPv6
table ip filter: defining a table for filtering network traffic for IPv4 only

Variables

Variable | Explanation
hook | A hook is a point in the networking stack where packet filtering rules are applied. Hooks serve as entry and exit points for network packets as they traverse the networking stack, allowing administrators to define rules that filter, modify, or process the packets based on specific criteria
priority |
type | The classification, type, of a chain based on its intended purpose or behavior. When defining a chain in nftables, specifying its type indicates how the chain should be treated and what kind of traffic it is designed to handle. Types can be:
 | filter: A “filter” chain is used for packet filtering. It is commonly employed to enforce firewall rules, control network traffic, and apply access control policies based on specific criteria such as source/destination addresses, ports, protocols, and packet states
 | route: A “route” chain is used for routing decisions. It can be utilized to influence the routing behavior of packets, such as making routing decisions based on packet attributes or applying policy-based routing
 | NAT: A “NAT” chain is used for network address translation (NAT) operations. It is employed to modify the source or destination addresses of packets, enabling the implementation of port forwarding, masquerading, or other NAT-related tasks
 | mangle: A “mangle” chain is used for packet mangling. It allows for the modification of packet headers, including altering packet marks, TOS (Type of Service) values, and other packet attributes
chain | A chain has a type, a hook and a priority. A “chain” is a fundamental component used to organize and apply a set of rules for packet processing. Chains serve as containers for rules and are associated with specific points in the networking stack where packet filtering, modification, or processing occurs. By defining chains and attaching them to specific hooks, administrators can control how packets are handled as they traverse the networking stack. Each chain is linked to a particular hook, which represents a stage in the journey of a packet through the networking stack
type filter | Declares the chain as a filter chain (see type)
policy drop | When a chain has a policy of “drop”, it means that if no rules in the chain match the incoming traffic, the default action is to drop the traffic. In other words, if the traffic does not explicitly match any rule in the chain, it is discarded
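The following ruleset is an added example, not part of the original page: every base chain declares its type, hook and priority, plus a policy, and a separate nat table shows the NAT type on the postrouting hook for the router case. The interface names eth0 (WAN side) and eth1 (LAN side) are assumptions; adjust them to the host.

```nft
#!/usr/sbin/nft -f
# Added example: chain type, hook, priority and policy. eth0/eth1 are assumed names.

flush ruleset

define wan = eth0
define lan = eth1

table inet filter {
  chain input {
    # type filter on the "input" hook: traffic addressed to this host.
    # Priority 0 is the usual filter priority; chains on the same hook run in
    # ascending priority order. policy drop: anything not accepted below is discarded.
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    iifname $lan tcp dport ssh ct state new accept
    counter drop
  }

  chain forward {
    # "forward" hook: traffic routed through this host. With policy drop only
    # LAN-originated flows (and their replies) pass.
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname $lan oifname $wan accept
  }

  chain output {
    # Traffic generated by this host itself; left open here
    type filter hook output priority 0; policy accept;
  }
}

table ip nat {
  chain postrouting {
    # type nat on the "postrouting" hook, priority 100 (srcnat): runs after the
    # filter chains have decided whether the packet is forwarded at all
    type nat hook postrouting priority 100; policy accept;
    oifname $wan masquerade
  }
}
```

Because the policy is drop on both the input and forward chains, a missing accept rule fails closed; the counter drop line at the end of input is not needed for the policy to work but makes the dropped traffic visible in nft list ruleset.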

Scripts

Example scripts can be found in /usr/share/doc/nftables/examples/

Default script

#!/usr/sbin/nft -f

flush ruleset

define tcp_services = { ssh, 22 }
# Other example
#define tcp_services = { ssh, 22, http, 80, https, 443 }

table inet filter {
  chain input {
    type filter hook input priority 0;

    # accept any localhost traffic
    iif lo accept

    # accept traffic originated from us
    ct state established,related accept

    # activate the following line to accept common local services
    tcp dport { ssh, 80, 443 } ct state new accept

    # accept neighbour discovery otherwise IPv6 connectivity breaks.
    ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

    # count and drop any other traffic
    counter drop
  }
  chain forward {
    type filter hook forward priority 0;
  }
  chain output {
    type filter hook output priority 0;
  }
}

Remarks

A variable may be defined only once: the statement define tcp_services may occur only once in the script

Errors

# nft delete chain ip filter ufw-before-input
Error: Could not process rule: Device or resource busy
delete chain ip filter ufw-before-input
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The chain is not empty. Flush it so that it holds no rules, then delete it again
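As an added example, not from the original page, the two steps above written as one nft script (run with nft -f): first the chain is flushed, then it is deleted. The chain name ufw-before-input is the one from the error message; the script is the same for any other chain.

```nft
#!/usr/sbin/nft -f
# Added example: empty a leftover chain before deleting it.

# 1. Remove the rules in the chain; they are what makes the chain "busy"
flush chain ip filter ufw-before-input

# 2. Now the delete succeeds. It still fails with "Device or resource busy"
#    if a rule in another chain jumps to this chain; flush that chain too
#    (in ufw's layout the jump is in the INPUT chain of table ip filter),
#    or remove everything ufw left behind at once with: delete table ip filter
delete chain ip filter ufw-before-input
```

Check the result with nft list table ip filter; the chain should no longer be listed.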

Quick reference-nftables
NFTABLES [PART - 1]: “Concept and Syntax” (Youtube)
nftables
nftables beginners guide to traffic filtering
Simple rule management
simple nftables config
iptables tutorial 1.2.2 chapter 7. The state machine. With the explanation of user-land states like NEW, ESTABLISHED and RELATED
Examples
nftables

firewalld is a dynamically managed firewall
Copyright © : 2014 - 2024 Webevaluation.nl and the authors
Changes reserved.
network_nftables.txt · Last modified: 31-12-2023 19:46 by wim