nftables, the Linux firewall: main commands

nftables is replacing iptables as the front end to the kernel's Netfilter framework, so, to keep up with the times, here are some notes on how it works on a Debian system.

Configuration

  • OS : Debian 10
  • nftables : 0.9.0 (Fearless Fosdick)

General information

  • Enable nftables service with systemctl
root@host:~# systemctl enable nftables.service
  • nftables rules file (loaded by the service at boot)
/etc/nftables.conf
  • Load nftables file
root@host:~# nft -f /etc/nftables.conf
  • List rules
root@host:~# nft list ruleset
Note : the inet family covers both IPv4 and IPv6 in a single table. Use the ip or ip6 family instead to restrict a table to one of them.

Tables

  • Create table
root@host:~# nft add table inet <table name>
  • List tables
root@host:~# nft list tables
  • Delete table
root@host:~# nft delete table inet <table name>
  • Flush table
root@host:~# nft flush table inet <table name>

Chains

  • Create chain
root@host:~# nft add chain inet <table name> <chain name>
  • List chains
root@host:~# nft list chains
  • Delete chain (the family must be given, otherwise nft assumes ip)
root@host:~# nft delete chain inet <table name> <chain name>
  • Create input chain for inbound traffic
root@host:~# nft add chain inet filter INPUT { type filter hook input priority 0\; }
  • Create forward chain for forward traffic
root@host:~# nft add chain inet filter FORWARD { type filter hook forward priority 0\; policy drop\; }
  • Create outbound chain for outbound traffic
root@host:~# nft add chain inet filter OUTPUT { type filter hook output priority 0\; policy drop\; }
  • Create NAT chain for masquerading traffic
root@host:~# nft add chain inet filter my_masquerade '{ type nat hook postrouting priority 100; }'
  • Create NAT chain for prerouting/ports redirection traffic
root@host:~# nft add chain inet filter my_prerouting '{ type nat hook prerouting priority -100; }'

Rules

Create

  • Create rule which allow input traffic with counting and comment
root@host:~# nft add rule inet <table name> <chain name> counter accept comment \"ALLOW INPUT\"
  • Create rule which allows ssh and counts input traffic
root@host:~# nft add rule inet filter INPUT tcp dport 22 counter accept
  • Create rule which allow web protocols for new or established states and count input traffic
root@host:~# nft add rule inet filter INPUT tcp dport {80, 443} ct state new,established counter accept
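The table, chain and rule commands above, assembled into one loadable /etc/nftables.conf. This is an added example, not a file from the original page or from the Debian package: the stateful INPUT chain with a drop policy, the established/related and loopback rules, the ICMP rules and the OUTPUT policy of accept are additions, and the interface names, ports and comments are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original page): a complete /etc/nftables.conf
# built from the commands in this section. Ports, comments and the accept
# policy on OUTPUT are assumptions.
# Check the syntax without applying it:  nft -c -f /etc/nftables.conf
# Apply it:                               nft -f /etc/nftables.conf

# Start from an empty ruleset so reloading the file is idempotent.
flush ruleset

table inet filter {
    chain INPUT {
        type filter hook input priority 0; policy drop;

        # Keep flows we already accepted; drop what conntrack cannot classify.
        ct state established,related counter accept
        ct state invalid counter drop

        # Loopback traffic is always allowed.
        iif lo accept

        # ICMP is needed for path MTU discovery; ICMPv6 also carries
        # IPv6 neighbour discovery, so dropping it breaks IPv6 entirely.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Services: only new connections need explicit rules, the
        # established,related rule above takes care of the rest.
        tcp dport 22 ct state new counter accept comment "ALLOW SSH"
        tcp dport { 80, 443 } ct state new counter accept comment "ALLOW WEB"

        # Last rule: count everything the drop policy is about to discard,
        # which makes "nft list ruleset" a cheap first look at unwanted traffic.
        counter comment "DROP INPUT"
    }

    chain FORWARD {
        # This host does not route; a drop policy with no rules is the
        # safe default until a NAT setup needs forward rules.
        type filter hook forward priority 0; policy drop;
    }

    chain OUTPUT {
        # The page's OUTPUT chain uses policy drop; accept is used here so the
        # host can still fetch updates. With policy drop, every outbound
        # service (DNS, NTP, apt mirrors) needs its own accept rule.
        type filter hook output priority 0; policy accept;
    }
}
```

After loading, `nft list ruleset` shows the counters next to each rule, so a quick way to verify the file is to open an ssh session and watch the "ALLOW SSH" packet counter increase while the "DROP INPUT" counter only moves for traffic you did not allow.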

Delete

Delete a rule by its handle number. The family given to the command (ip, ip6 or inet) must be the one the table was created with, otherwise nft reports that the table does not exist.

  • List rules with handle number
root@host:~# nft -n -a list ruleset
  • Delete rule
root@host:~# nft delete rule ip filter INPUT handle 38

Replace

  • Replace a rule by its handle number
    • List rules with handle number
root@host:~# nft -n -a list ruleset
    • Replace rule
root@host:~# nft replace rule ip filter INPUT handle 38 iifname "eth0" ip saddr 192.168.1.12 counter drop

Insert

  • Insert a rule before an existing rule, identified by its handle number (position)
    • List rules with handle number
root@host:~# nft -n -a list ruleset
    • Insert rule
root@host:~# nft insert rule ip filter INPUT position 17 iifname "eth0" ip saddr { 192.168.1.11, 192.168.1.68, 192.168.1.118 } counter drop

NAT

Create Table

root@host:~# nft add table ip NAT

Create Chains

    • Create masquerading chain
root@host:~# nft add chain ip NAT my_masquerade '{ type nat hook postrouting priority 100; }'
    • Create prerouting chain for ports redirection
root@host:~# nft add chain ip NAT my_prerouting '{ type nat hook prerouting priority -100; }'

Masquerading Rule

    • Masquerade traffic leaving <interface>, except between our own 192.168.0.0/16 networks
root@host:~# nft add rule NAT my_masquerade ip daddr != { 192.168.0.0/16 } oifname <interface> masquerade

Prerouting Rule

root@host:~# nft add rule NAT my_prerouting iifname <interface> tcp dport { https } dnat to 192.168.1.10 comment \"Web Server\"
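The NAT table, chains and rules of this section as one loadable file. This is an added example, not from the original page: the interface name eth0, the internal web server address 192.168.1.10 and the counters are assumptions, and the comments about forwarding describe what has to be true on the host for the NAT rules to carry traffic.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original page): the ip NAT table from this
# section as a file. eth0 (uplink) and 192.168.1.10 (web server) are assumptions.
#
# NAT rewrites addresses, it does not permit traffic. Two more things are
# needed for the DNAT below to work:
#   1. routing must be enabled:  sysctl -w net.ipv4.ip_forward=1
#   2. the filter table's FORWARD chain (policy drop in this setup) must
#      accept the flow, for example with
#        ct state established,related accept
#        ip daddr 192.168.1.10 tcp dport 443 ct state new accept
# Check before applying:  nft -c -f /etc/nftables-nat.conf

table ip NAT {
    chain my_prerouting {
        # Negative priority: runs before routing, so the rewritten
        # destination is what the routing decision sees.
        type nat hook prerouting priority -100;

        # Redirect HTTPS arriving on the uplink to the internal web server.
        iifname "eth0" tcp dport { https } counter dnat to 192.168.1.10 comment "Web Server"
    }

    chain my_masquerade {
        # Runs after routing, once the outgoing interface is known.
        type nat hook postrouting priority 100;

        # Source-NAT everything leaving the uplink to its address, but leave
        # traffic between our own 192.168.0.0/16 networks untouched.
        ip daddr != { 192.168.0.0/16 } oifname "eth0" counter masquerade
    }
}
```

The counters on both rules are the easiest check that the hooks fire at all: if the "Web Server" counter stays at zero while a client connects to the uplink's HTTPS port, the packet is not reaching the prerouting hook (wrong interface name or family); if it increments but the connection still fails, the problem is forwarding or the FORWARD chain, not NAT.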
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.