
nftables the Linux firewall main commands

nftables is replacing iptables as the tool for managing Netfilter. To keep up with the times, here are some notes on how it works on a Debian system.

Configuration

  • OS : Debian 10
  • nftables : 0.9.0 (Fearless Fosdick)

General information

  • Enable nftables at boot with systemctl :
root@host:~# systemctl enable nftables.service
  • nftables rules file (loaded by nftables.service at boot) : /etc/nftables.conf
  • Load nftables file :
root@host:~# nft -f /etc/nftables.conf
  • List current rules :
root@host:~# nft list ruleset
Note : the inet family means the table handles both IPv4 and IPv6 traffic. Use the ip or ip6 family instead to restrict a table to one protocol.

Tables

  • Create table :
root@host:~# nft add table inet <table name>
  • List tables :
root@host:~# nft list tables
  • Delete table :
root@host:~# nft delete table inet <table name>
  • Flush table :
root@host:~# nft flush table inet <table name>

Chains

  • Create chain :
root@host:~# nft add chain inet <table name> <chain name>
  • List chains :
root@host:~# nft list chains
  • Delete chain (the family must match the one the table was created with) :
root@host:~# nft delete chain inet <table name> <chain name>
  • Create input chain for inbound traffic :
root@host:~# nft add chain inet filter INPUT { type filter hook input priority 0\; }
  • Create forward chain for forward traffic :
root@host:~# nft add chain inet filter FORWARD { type filter hook forward priority 0\; }
  • Create output chain for outbound traffic :
root@host:~# nft add chain inet filter OUTPUT { type filter hook output priority 0\; }
  • Create NAT chain for masquerading traffic :
root@host:~# nft add chain inet filter my_masquerade '{ type nat hook postrouting priority 100; }'
  • Create NAT chain for prerouting/port redirection traffic :
root@host:~# nft add chain inet filter my_prerouting '{ type nat hook prerouting priority -100; }'

Rules

Create

  • Create a rule that accepts input traffic, counts it and carries a comment :
root@host:~# nft add rule inet <table name> <chain name> counter accept comment \"ALLOW INPUT\"
  • Create a rule that allows ssh and counts input traffic (without the final accept the rule only counts packets) :
root@host:~# nft add rule inet filter INPUT tcp dport 22 counter accept
  • Create a rule that allows the web protocols (HTTP and HTTPS) in new or established connection states and counts input traffic :
root@host:~# nft add rule inet filter INPUT tcp dport {80, 443} ct state new,established counter accept

Delete

Delete a rule using its handle number

  • List rules with handle number :
root@host:~# nft -n -a list ruleset
  • Delete rule :
root@host:~# nft delete rule ip filter INPUT handle 38

Replace

  • We can replace a rule using its handle number :
    • List rules with handle number :
root@host:~# nft -n -a list ruleset
    • Replace rule :
root@host:~# nft replace rule ip filter INPUT handle 38 iifname "eth0" ip saddr 192.168.1.12 counter drop

Insert

  • We can insert a rule before an existing one using its handle number :
    • List rules with handle number :
root@host:~# nft -n -a list ruleset
    • Insert rule :
root@host:~# nft insert rule ip filter INPUT position 17 iifname "eth0" ip saddr { 192.168.1.11, 192.168.1.68, 192.168.1.118 } counter drop

NAT

Create Table

root@host:~# nft add table ip NAT

Create Chains

  • Create masquerading chain :
root@host:~# nft add chain ip NAT my_masquerade '{ type nat hook postrouting priority 100; }'
  • Create prerouting chain for port redirection :
root@host:~# nft add chain ip NAT my_prerouting '{ type nat hook prerouting priority -100; }'

Masquerading Rule

  • Do not masquerade traffic between our own 192.168.0.0/16 networks :
root@host:~# nft add rule NAT my_masquerade ip daddr \!= { 192.168.0.0/16 } oifname <interface> masquerade

Prerouting Rule

root@host:~# nft add rule NAT my_prerouting iifname <interface> tcp dport { https } dnat to 192.168.1.10 comment \"Web Server\"
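The commands above gathered into one persistent /etc/nftables.conf, as an added example that is not part of the original notes. It assumes eth0 is the WAN interface, eth1 the LAN interface and 192.168.1.10 the internal web server; the INPUT and FORWARD chains get a default drop policy so that anything not explicitly accepted is counted and dropped.

```nft
#!/usr/sbin/nft -f
# Added example: a complete ruleset built from the commands on this page.
# Interface names (eth0 = WAN, eth1 = LAN) and 192.168.1.10 are assumptions.
flush ruleset

table inet filter {
    chain INPUT {
        type filter hook input priority 0; policy drop;
        # loopback and already-tracked connections
        iif "lo" accept
        ct state established,related accept
        ct state invalid counter drop
        # ICMP / ICMPv6 (path MTU discovery and neighbour discovery keep working)
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # the services from the page, counted so "nft list ruleset" shows hits
        tcp dport 22 counter accept comment "ALLOW SSH"
        tcp dport { 80, 443 } ct state new,established counter accept comment "ALLOW WEB"
        # everything else is counted, then falls through to the chain policy (drop)
        counter comment "DROPPED INPUT"
    }

    chain FORWARD {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # LAN -> WAN only
        iifname "eth1" oifname "eth0" counter accept
        # port-forwarded traffic to the web server (dnat happens before forward)
        ct status dnat counter accept
    }

    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}

table ip NAT {
    chain my_masquerade {
        type nat hook postrouting priority 100;
        # do not masquerade traffic between our own 192.168.0.0/16 networks
        ip daddr != { 192.168.0.0/16 } oifname "eth0" masquerade
    }

    chain my_prerouting {
        type nat hook prerouting priority -100;
        iifname "eth0" tcp dport { https } dnat to 192.168.1.10 comment "Web Server"
    }
}
```

Validate the file with nft -c -f /etc/nftables.conf before loading it with nft -f, since flush ruleset removes every existing rule the moment the file is applied.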
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.