nftables Linux firewall

nftables is going to replace iptables/Netfilter, so to keep up with the times, here are some notes on how it works on a Debian system.

Configuration

General information

root@host:~# systemctl enable nftables.service
root@host:~# /etc/nftables.conf
root@host:~# nft -f /etc/nftables.conf

Tables

root@host:~# nft add table inet filter
root@host:~# nft list tables
root@host:~# nft delete table inet filter
root@host:~# nft flush table inet filter

Chains

root@host:~# nft add chain inet filter INPUT { type filter hook input priority 0\; }
root@host:~# nft add chain inet filter FORWARD { type filter hook forward priority 0\; policy drop\; }
root@host:~# nft add chain inet filter OUTPUT { type filter hook output priority 0\; policy drop\; }

Rules

Create

root@host:~# nft add rule inet filter INPUT counter accept
root@host:~# nft add rule inet filter INPUT tcp dport 22 counter
root@host:~# nft add rule inet filter INPUT tcp dport {80, 443} ct state new,established counter accept

Delete

root@host:~# nft -n -a list ruleset
root@host:~# nft delete rule ip filter INPUT handle 38

Replace

root@host:~# nft -n -a list ruleset
root@host:~# nft replace rule ip filter INPUT handle 38 iifname "eth0" ip saddr 192.168.1.12 counter drop

Insert

root@host:~# nft -n -a list ruleset
root@host:~# nft insert rule ip filter INPUT position 17 iifname "eth0" ip saddr { 192.168.1.11, 192.168.1.68, 192.168.1.118 } counter drop

/etc/nftables.conf

An example configuration file that I use for an SMTP server.

# ----- IPv4 -----
# Host firewall for a mail/web host: only the listed inbound services are
# accepted and everything else on INPUT is counted then dropped; FORWARD is
# dropped (the host is not a router); OUTPUT is left unrestricted.
table ip filter {
        chain INPUT {
                type filter hook input priority 0; policy drop; #by default, we drop traffic

                iif lo accept comment "Accept any localhost traffic"
                ct state invalid counter drop comment "Drop invalid connections"
                ct state { established, related } counter accept comment "Accept traffic originated from us"
                # Anti-spoofing: a loopback destination is only legitimate when it arrives on lo.
                # Placed after the ct-state accept, so only new/untracked packets reach it.
                iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"

                # Only ICMP error and router-discovery types are accepted; echo-request is not in
                # this set, so inbound ping falls through to the final "counter drop" below.
                ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept comment "Accept ICMP"
		
		# NOTE(review): "iif eth0" is resolved to an interface index when the ruleset is loaded, so
		# "nft -f" fails at boot if eth0 does not exist yet; "iifname eth0" matches by name instead — confirm which is wanted.
		iif eth0 ip saddr 10.0.0.10 tcp dport ssh counter accept comment "Accept ssh from 10.0.0.10"
                # 465 = SMTP over TLS (submissions), 143 = imap, 993 = imaps
                tcp dport { http, https, smtp, 465, 143, 993 } counter accept comment "Accept http, https, imap, imaps, smtp protocols"
                counter drop #count and drop (the chain policy would drop anyway; the explicit counter makes rejected packets visible in "nft list ruleset")
        }
        chain FORWARD {
                type filter hook forward priority 0; policy drop;
                # No accept rule: every forwarded packet is counted, then dropped by the policy.
                counter comment "count dropped packets"
        }
        chain OUTPUT {
                # Outbound traffic is not filtered.
                type filter hook output priority 0; policy accept;
        }
}

# ----- IPv6 -----
# Same structure as the IPv4 table; note that http/https are not opened here,
# only the mail services are.
table ip6 filter {
        chain INPUT {
                type filter hook input priority 0; policy drop; #by default, we drop traffic

                iif lo accept comment "Accept any localhost traffic"
                # Loopback anti-spoofing check comes before the ct-state rules here (the IPv4 chain
                # has it after them); the result is the same since lo traffic was already accepted.
                iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
                ct state invalid drop comment "Drop invalid connections"
                ct state established,related accept comment "Accept traffic originated from us"

                # Neighbor discovery (nd-*) and MLD types are included because IPv6 does not work
                # without them; as in the IPv4 chain, echo-request is not accepted.
                ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept comment "Accept ICMPv6"
                # NOTE(review): "ip protocol" matches the IPv4 header; inside an ip6 table this line
                # would need an ip6 match (e.g. ip6 nexthdr) before it could be enabled — confirm.
                #ip protocol igmp accept comment "Accept IGMP"

                tcp dport { smtp, 465, 143, 993 } counter accept comment "Accept imap, imaps, smtp"
                counter drop #count and drop (same as the IPv4 chain: keeps a visible drop counter)
        }
        chain FORWARD {
                type filter hook forward priority 0; policy drop;
                counter comment "count dropped packets"
        }
        chain OUTPUT {
                # No explicit policy: a base chain defaults to accept, matching the IPv4 OUTPUT chain.
                type filter hook output priority 0;
        }
}