nftables, the Linux firewall: main commands

nftables is replacing iptables/Netfilter, so to keep up with the times, here are some notes on how it works on a Debian system.

Configuration

General information

root@host:~# systemctl enable nftables.service
root@host:~# editor /etc/nftables.conf
root@host:~# nft -f /etc/nftables.conf
root@host:~# nft list ruleset
Note: the inet family matches both IPv4 and IPv6 addresses. Use the ip or ip6 family keyword instead to restrict a table to one protocol.

Tables

root@host:~# nft add table inet <table name>
root@host:~# nft list tables
root@host:~# nft delete table inet <table name>
root@host:~# nft flush table inet <table name>

Chains

root@host:~# nft add chain inet <table name> <chain name>
root@host:~# nft list chains
root@host:~# nft delete chain inet <table name> <chain name>
root@host:~# nft add chain inet filter INPUT { type filter hook input priority 0\; }
root@host:~# nft add chain inet filter FORWARD { type filter hook forward priority 0\; policy drop\; }
root@host:~# nft add chain inet filter OUTPUT { type filter hook output priority 0\; policy drop\; }
root@host:~# nft add chain inet filter my_masquerade '{ type nat hook postrouting priority 100; }'
root@host:~# nft add chain inet filter my_prerouting '{ type nat hook prerouting priority -100; }'

Rules

Create

root@host:~# nft add rule inet <table name> <chain name> counter accept comment \"ALLOW INPUT\"
root@host:~# nft add rule inet filter INPUT tcp dport 22 counter
root@host:~# nft add rule inet filter INPUT tcp dport {80, 443} ct state new,established counter accept
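The commands above build a firewall one element at a time. As an added example that is not part of the original notes, the script below writes a complete stateful host firewall in the format /etc/nftables.conf expects, using the same building blocks (inet table, INPUT/FORWARD/OUTPUT chains with a drop policy, ct state matching, a port set, counters and comments) and syntax-checks it with nft -c when that is possible. The helper names write_filter_ruleset and check_ruleset, the output path and the port list are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example: generate a complete stateful host firewall for /etc/nftables.conf.
# The helper names, the default output path and the port list are assumptions;
# they are not taken from the page.

# Write the ruleset to the file given as $1 (default: ./nftables.conf so the
# example runs without root; copy it to /etc/nftables.conf to deploy).
write_filter_ruleset() {
    out="${1:-./nftables.conf}"
    cat > "$out" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

# inet = one table that handles both IPv4 and IPv6
table inet filter {
    # allowed inbound service ports: one place to audit and extend
    set tcp_services {
        type inet_service
        elements = { 22, 80, 443 }
    }

    chain INPUT {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept comment "loopback"
        ct state invalid counter drop comment "malformed or untracked packets"
        ct state established,related counter accept comment "replies to our own traffic"
        ip protocol icmp accept comment "IPv4 ping and error messages"
        ip6 nexthdr ipv6-icmp accept comment "IPv6 neighbour discovery needs this"
        tcp dport @tcp_services ct state new counter accept comment "ALLOW INPUT"
        counter comment "everything else falls through to the drop policy"
    }

    chain FORWARD {
        type filter hook forward priority 0; policy drop;
    }

    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}
EOF
    echo "$out"
}

# Parse and validate the file without loading it (nft -c). The check needs the
# nft binary and root, so it is skipped, not failed, when either is missing.
check_ruleset() {
    if ! command -v nft >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo "skipped: nft -c needs the nft binary and root privileges"
        return 0
    fi
    if nft -c -f "$1"; then echo "syntax OK: $1"; else echo "REJECTED by nft -c: $1"; fi
}

RULESET_FILE=$(write_filter_ruleset ./nftables.conf)
check_ruleset "$RULESET_FILE"
```

Load the result with nft -f and review it with nft list ruleset; because the file starts with flush ruleset, loading it replaces whatever was active, which is what makes it reproducible at boot through nftables.service.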

Delete

Delete a rule by its handle number

root@host:~# nft -n -a list ruleset
root@host:~# nft delete rule ip filter INPUT handle 38

Replace

root@host:~# nft -n -a list ruleset
root@host:~# nft replace rule ip filter INPUT handle 38 iifname "eth0" ip saddr 192.168.1.12 counter drop

Insert

root@host:~# nft -n -a list ruleset
root@host:~# nft insert rule ip filter INPUT position 17 iifname "eth0" ip saddr { 192.168.1.11, 192.168.1.68, 192.168.1.118 } counter drop
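The delete, replace and insert commands above all need a handle taken from nft -a list ruleset, and a wrong handle removes the wrong rule with no undo. As an added example that is not part of the original page, the script below extracts the handle from a listing by matching the rule's comment or match expression, refuses to answer when more than one rule matches, and builds the delete command. The listing is a constructed sample embedded so the script runs offline; the function names rule_handle and delete_rule_cmd are assumptions.

```shell
#!/bin/sh
# Added example: find a rule's handle in `nft -a list ruleset` output so it can be
# deleted or replaced safely. The listing is a constructed sample and the function
# names are assumptions made for this example.

SAMPLE_LISTING=$(cat <<'EOF'
table inet filter { # handle 1
    chain INPUT { # handle 1
        type filter hook input priority filter; policy drop;
        iifname "lo" accept # handle 5
        ct state established,related counter packets 120 bytes 8400 accept # handle 6
        tcp dport 22 counter packets 0 bytes 0 accept comment "ALLOW INPUT" # handle 38
        tcp dport { 80, 443 } ct state new,established counter packets 3 bytes 180 accept # handle 39
    }
}
EOF
)

# $1 = listing text, $2 = fixed string that identifies the rule (a comment is the
# most reliable key). Prints the handle only when exactly one rule matches;
# anything else is an error, because deleting by a guessed handle is irreversible.
rule_handle() {
    printf '%s\n' "$1" | awk -v needle="$2" '
        index($0, needle) && match($0, /# handle [0-9]+$/) {
            n++
            h = substr($0, RSTART + 9, RLENGTH - 9)   # the digits after "# handle "
        }
        END {
            if (n != 1) {
                print "expected exactly one rule matching \"" needle "\", got " (n + 0) > "/dev/stderr"
                exit 1
            }
            print h
        }'
}

# Handles are only unique within a table, so family, table and chain must all be
# named on the delete command.  $1 family, $2 table, $3 chain, $4 handle
delete_rule_cmd() {
    printf 'nft delete rule %s %s %s handle %s\n' "$1" "$2" "$3" "$4"
}

# Live usage: feed it real output, e.g. rule_handle "$(nft -a list ruleset)" '...'
if H=$(rule_handle "$SAMPLE_LISTING" 'comment "ALLOW INPUT"'); then
    delete_rule_cmd inet filter INPUT "$H"
fi
```

The same handle feeds nft replace rule and nft insert rule ... position; re-run the listing after every change rather than reusing an old handle, since the rule it pointed at may already be gone.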

NAT

Create Table

root@host:~# nft add table ip NAT

Create Chains

root@host:~# nft add chain ip NAT my_masquerade '{ type nat hook postrouting priority 100; }'
root@host:~# nft add chain ip NAT my_prerouting '{ type nat hook prerouting priority -100; }'

Masquerading Rule

root@host:~# nft add rule NAT my_masquerade ip daddr != { 192.168.0.0/16 } oifname <interface> masquerade

Prerouting Rule

root@host:~# nft add rule NAT my_prerouting iifname <interface> tcp dport { https } dnat to 192.168.1.10 comment \"Web Server\"
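As an added example, not from the original notes, the following script generates the NAT setup above as an nft script file (the add ... form that nft -f accepts) and adds the FORWARD rules that a drop policy otherwise needs before masqueraded or port-forwarded traffic can pass; it also reports whether IP forwarding is enabled, since the NAT rules do nothing without it. The interface names, the web server address and the helper names write_nat_ruleset and forwarding_enabled are assumptions.

```shell
#!/bin/sh
# Added example: generate an nft script for a small NAT gateway plus the forward
# rules it depends on. Helper names, interfaces and addresses are assumptions,
# not values taken from the page.

# $1 output file, $2 WAN interface, $3 LAN interface, $4 internal web server IP
write_nat_ruleset() {
    out="$1"; wan="$2"; lan="$3"; web="$4"
    cat > "$out" <<EOF
#!/usr/sbin/nft -f

# NAT table: IPv4 only, hence the ip family
add table ip nat
add chain ip nat my_prerouting { type nat hook prerouting priority -100; }
add chain ip nat my_masquerade { type nat hook postrouting priority 100; }

# forward 80/443 arriving on the WAN side to the internal web server
add rule ip nat my_prerouting iifname "$wan" tcp dport { http, https } counter dnat to $web comment "Web Server"
# hide LAN clients behind the gateway address, but never for LAN-to-LAN traffic
add rule ip nat my_masquerade ip daddr != 192.168.0.0/16 oifname "$wan" counter masquerade

# NAT only rewrites addresses; the forward hook still decides whether packets pass
add table inet filter
add chain inet filter FORWARD { type filter hook forward priority 0; policy drop; }
add rule inet filter FORWARD ct state established,related counter accept comment "return traffic"
add rule inet filter FORWARD iifname "$lan" oifname "$wan" ct state new counter accept comment "LAN to WAN"
add rule inet filter FORWARD iifname "$wan" ip daddr $web ct status dnat tcp dport { http, https } counter accept comment "DNAT to Web Server"
EOF
    echo "$out"
}

# NAT is silent if the kernel does not forward; report the current sysctl value
forwarding_enabled() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        cat /proc/sys/net/ipv4/ip_forward
    else
        echo "unknown"
    fi
}

NAT_FILE=$(write_nat_ruleset ./nat.nft eth0 eth1 192.168.1.10)
echo "wrote $NAT_FILE; load it with: nft -f $NAT_FILE"
[ "$(forwarding_enabled)" = "1" ] || echo "net.ipv4.ip_forward is $(forwarding_enabled); enable it with: sysctl -w net.ipv4.ip_forward=1"
```

The ct status dnat match is the piece most often forgotten: it accepts only connections that the prerouting DNAT rule already rewrote, so the FORWARD chain opens the web server ports without exposing the rest of the LAN.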
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.