How to Use nftables for Firewall Rules

0
237
How to Use nftables for Firewall Rules

Dit bericht verscheen eerder bij FOSSlife

Basic Operation

When it comes to writing the rules, the nft developers rely on the Berkeley Packet Filter (BPF) and use the classic tcpdump as a guide, so you don’t have to learn everything from scratch.

In addition, nft also provides a number of address families. The predefined familes are arp (ARP), bridge (previously provided by ebtables), inet (covers IPv4 and IPv6), ip (for IPv4), ;ip6 (for IPv6), and netdev (which is used to filter incoming packets before they reach Layer 3 according to the ISO/OSI specification).

The nft tool acts as a translator of the rules and keeps them in a small virtual machine (nftables core) for communication with the Linux kernel.

Where appropriate, I will compare the spelling and calls in iptables and nft based on practical examples. Listing 2 shows how to enable port 22 for incoming packets, just as you would for access via SSH, for both iptables and nft. You will notice that nft reduces this to a single command with simpler syntax.

Listing 2: Enabling Port 22 for Incoming Packets

### Allow incoming packets on port 22.
### With Iptables:
# iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
### With Nft:
$ nft add rule inet filter input tcp dport 22 ct state new,established accept

If you want to add ports 80 and 443 (i.e., HTTP and HTTPS), you need two more lines for iptables per port. With nft, on the other hand, it is sufficient to extend the existing line to combine all three protocols in one go. All three ports are enclosed in curly brackets, starting with port 22 followed by ports 80 and 443 separated by commas (Listing 3).

Listing 3: Adding Two Additional Ports

# nft add rule inet filter input tcp dport { 22, 80, 443 } ct state new,established accept

Please note that the spaces inside the brackets in Listing 3 must be exactly as shown — otherwise Bash will choke and protest. Users of Zsh run into the same problem, which can be solved by quoting appropriately.

Save and Restore

Similar to iptables, the nftables configuration can be saved to a file. Line 1 in Listing 4 writes the current ruleset to the firewall.config file, and line 2 reads the configuration back in.

Listing 4: Saving nftables Configuration

01 # nft list ruleset > firewall.config
02 # nft -f firewall.config

To make sure that there are no other (possibly interfering) rules left in the cache before initializing the firewall, you should add the line flush ruleset at the beginning of the configuration file firewall.config.

Creatures of habit, humans have a hard time with change. To help out with the transition from iptables to nft, the iptables-translate and ip6tables-translate commands convert the spelling of iptables firewall rules to those of nftables (Listing 5). This works for both individual instructions and complete rulesets.

Listing 5: Converting Rules

$ iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
nft add rule ip filter INPUT tcp dport 22 ct state new counter accept
$ ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT
nft add rule ip6 filter FORWARD iifname eth0 oifname eth3 meta l4proto udp udp dport { 111,222} counter accept

Conclusions

Nftables helps to group several complex tools under a common umbrella, making it easier to secure the network. To thoroughly test the new firewall ruleset, you can, for example, use a bunch of Raspberry Pis on a small, dedicated network. Alternatively, you can create a virtual test network using VirtualBox or the smart Mininet application.

Acknowledgements

The author would like to thank Axel Beckert and Werner Heuser for feedback during the preparation of this article.

This article originally appeared in Linux Magazine and is reprinted here with permission.

Want to read more? Check out the latest edition of Linux Magazine.

Dit bericht verscheen eerder bij FOSSlife

Vorig artikelNebulon upgrades SPU to Medusa2 with Nvidia DPU hardware
Volgend artikelNHS England renews FutureNHS cloud-based collaboration hosting deal via G-Cloud for £1.67m