NFTables Basics
nftables is the successor to iptables, offering a more powerful, flexible, and efficient way to manage packet filtering and NAT (Network Address Translation) on Linux systems. It introduces a new framework that consolidates the functionality of iptables, ip6tables, arptables, and ebtables into a single, unified interface. This guide will introduce you to the basics of nftables, covering installation, key concepts, basic usage, and how it compares to its predecessor, iptables.
What is nftables?
nftables is a packet filtering framework that replaces the legacy iptables infrastructure in the Linux kernel. It's designed to provide a more consistent and unified approach to network filtering and NAT, with a simplified syntax and better performance. nftables is capable of handling both IPv4 and IPv6 traffic, as well as ARP and bridge filtering, all within a single framework.
Key Features of nftables
- Unified Interface: It consolidates the functionalities of iptables, ip6tables, arptables, and ebtables.
- Simplified Syntax: Offers a more readable and maintainable syntax compared to iptables.
- Better Performance: Reduces the overhead of rule processing by using a more efficient internal data structure.
- Atomic Rule Changes: Allows for atomic updates to rules, minimizing the risk of inconsistencies during rule changes.
- Rich Set of Expressions: Supports a wide range of expressions, making it highly flexible for advanced filtering and NAT configurations.
Installing nftables
nftables is included in the Linux kernel starting from version 3.13, and it is available in most modern Linux distributions. Installation is pretty straightforward and usually involves installing the nftables package and ensuring the appropriate services are enabled.
Installation on Various Systems
-
Debian/Ubuntu:
sudo apt-get install nftables -
Red Hat/CentOS:
sudo yum install nftables -
Fedora:
sudo dnf install nftables
After installing the package, you can enable the nftables service to ensure it starts automatically on boot:
sudo systemctl enable nftables
sudo systemctl start nftablesYou can verify the installation by checking the nftables version:
nft --versionBasic nftables Concepts
To effectively use nftables, it's important to understand its basic structure, including tables, chains, rules, and sets.
Tables
In nftables, tables are used to organize chains and rules. A table defines a namespace and the type of filtering it supports. The most common table types are:
- inet: Handles both IPv4 and IPv6 traffic.
- ip: Handles only IPv4 traffic.
- ip6: Handles only IPv6 traffic.
- arp: Handles ARP traffic.
- bridge: Handles bridge traffic.
Chains
Chains are lists of rules within a table. They define the points in the packet processing pipeline where rules are applied. Common chain types include:
- input: For packets destined for the local system.
- output: For packets originating from the local system.
- forward: For packets being routed through the system.
- prerouting: For packets before routing decisions are made (typically used in NAT).
- postrouting: For packets after routing decisions have been made (typically used in NAT).
Rules
Rules define the filtering criteria and actions to be taken on packets. A rule typically consists of a match condition and a corresponding action, such as accepting or dropping the packet.
Sets
Sets allow you to group multiple elements, like IP addresses, ports, or MAC addresses, into a single object that can be referenced in rules. This makes managing large and complex rule sets easier and more efficient.
Basic nftables Usage
Now that we've covered the basic concepts, let's explore how to use nftables to configure simple packet filtering and NAT.
Creating a Basic Table and Chain
To create a basic nftables configuration, you first need to create a table and then define chains within that table.
sudo nft add table inet my_filter_table
sudo nft add chain inet my_filter_table input { type filter hook input priority 0 \; }
sudo nft add chain inet my_filter_table output { type filter hook output priority 0 \; }In this example:
- inet my_filter_table: Creates a new table named
my_filter_tablethat handles both IPv4 and IPv6 traffic. - chain inet my_filter_table input: Creates an input chain within the table for filtering incoming traffic.
- chain inet my_filter_table output: Creates an output chain within the table for filtering outgoing traffic.
Adding Rules to Chains
Once you have created your table and chains, you can start adding rules to filter traffic.
Example: Accept Traffic on Port 22 (SSH)
sudo nft add rule inet my_filter_table input tcp dport 22 acceptThis rule allows incoming TCP traffic on port 22 (SSH).
Example: Drop Traffic from a Specific IP Address
sudo nft add rule inet my_filter_table input ip saddr 192.168.1.100 dropThis rule drops all incoming traffic from the IP address 192.168.1.100.
Example: Allow Established and Related Connections
sudo nft add rule inet my_filter_table input ct state established,related acceptThis rule allows packets that are part of established or related connections.
Listing Rules
You can list the rules in your nftables configuration with the following command:
sudo nft list table inet my_filter_tableThis command displays all chains and rules within the specified table.
Saving and Restoring Rules
To ensure that your nftables rules persist across reboots, you need to save them to a file and restore them on startup.
Saving Rules
You can save the current nftables configuration to a file:
sudo nft list ruleset > /etc/nftables.confRestoring Rules on Boot
To automatically restore nftables rules on boot, you can create a systemd service or modify the nftables service to load the saved configuration:
sudo systemctl enable nftables
sudo systemctl start nftablesMake sure the configuration file is specified in the nftables service configuration.
Advanced nftables Usage
nftables offers advanced features that allow for more complex and dynamic firewall configurations. Below are some advanced techniques.
Using Sets for Efficient Rule Management
Sets in nftables allow you to group multiple items, such as IP addresses or ports, into a single object that can be referenced in a rule. This is particularly useful for large lists of IP addresses or ports.
Example: Creating and Using an IP Set
sudo nft add set inet my_filter_table blacklist { type ipv4_addr \; }
sudo nft add element inet my_filter_table blacklist { 192.168.1.100, 192.168.1.101 }
sudo nft add rule inet my_filter_table input ip saddr @blacklist dropIn this example:
- blacklist: A set containing IP addresses to be blocked.
- @blacklist: References the set in a rule to drop traffic from any IP address in the blacklist.
Implementing NAT with nftables
nftables can handle both source NAT (SNAT) and destination NAT (DNAT) for network address translation.
Example: Source NAT (Masquerading)
sudo nft add table ip nat
sudo nft add chain ip nat postrouting { type nat hook postrouting priority 100 \; }
sudo nft add rule ip nat postrouting oifname "eth0" masqueradeThis configuration masquerades outgoing traffic on the eth0 interface, typically used when routing traffic from a private network to the internet.
Example: Destination NAT (Port Forwarding)
sudo nft add table ip nat
sudo nft add chain ip nat prerouting { type nat hook prerouting priority 0 \; }
sudo nft add rule ip nat prerouting tcp dport 8080 dnat to 192.168.1.100:80This rule forwards incoming traffic on port 8080 to port 80 on the internal IP address 192.168.1.100.
Logging and Auditing with nftables
Logging traffic is crucial for monitoring and auditing purposes. nftables supports flexible logging options that can be used to track specific types of traffic.
Example: Logging Dropped Packets
sudo nft add rule inet my_filter_table input tcp dport 22 log prefix "SSH Drop: " level warning
sudo nft add rule inet my_filter_table input tcp dport 22 dropThis configuration logs dropped SSH connection attempts with a custom prefix.
Rate Limiting with nftables
Rate limiting is useful for mitigating certain types of attacks, such as brute force attacks or DoS attacks.
Example: Limiting ICMP (Ping) Requests
sudo nft add rule inet my_filter_table input icmp type echo-request limit rate 10/second accept
sudo nft add rule inet my_filter_table input icmp type echo-request dropThis configuration allows
up to 10 ICMP echo requests (pings) per second, dropping any excess requests.
Migrating from iptables to nftables
If you are transitioning from iptables to nftables, understanding the differences and how to translate iptables rules into nftables is crucial.
Translating iptables Rules to nftables
Many iptables rules can be translated directly into nftables syntax. Here are a few examples:
iptables Rule to Drop Traffic from an IP Address
iptables -A INPUT -s 192.168.1.100 -j DROPTranslated to nftables:
nft add rule inet my_filter_table input ip saddr 192.168.1.100 dropiptables Rule for NAT (Masquerading)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADETranslated to nftables:
nft add rule ip nat postrouting oifname "eth0" masqueradeiptables-translate Tool
The iptables-translate tool can help automate the translation of iptables rules into nftables syntax. It is included in the iptables package.
iptables-translate -A INPUT -s 192.168.1.100 -j DROPThis command will output the equivalent nftables rule.
Best Practices for Using nftables
When working with nftables, following best practices can help ensure that your firewall configurations are effective, maintainable, and secure.
Organize Rules with Tables and Chains: Use tables and chains to organize your rules logically. This not only improves readability but also simplifies management, especially in complex environments.
Use Sets for Large Lists: For large lists of IP addresses, ports, or other elements, use sets to manage them efficiently. This reduces the number of rules and makes your configuration more scalable.
Test Rules Before Deployment: Always test new rules in a non-production environment before deploying them live. This helps to avoid accidental disruptions to network traffic.
Log and Monitor Traffic: Regularly log and monitor traffic to detect anomalies, troubleshoot issues, and ensure that your firewall is functioning as expected. Use logging sparingly to avoid overwhelming your system with log data.
Regularly Review and Update Rules: Network environments and security threats evolve over time. Regularly review and update your nftables rules to ensure they continue to meet your security requirements.