This post appeared earlier on FOSSlife
Basic Operation
When it comes to writing the rules, the nft developers rely on the Berkeley Packet Filter (BPF) and use the classic tcpdump as a guide, so you don't have to learn everything from scratch.
In addition, nft also provides a number of address families. The predefined families are arp (ARP), bridge (previously provided by ebtables), inet (covers IPv4 and IPv6), ip (for IPv4), ip6 (for IPv6), and netdev (which is used to filter incoming packets before they reach Layer 3 of the ISO/OSI model).
The nft tool translates the rules and hands them to a small virtual machine (the nftables core) that communicates with the Linux kernel.
Where appropriate, I will compare the spelling and calls in iptables and nft based on practical examples. Listing 2 shows how to enable port 22 for incoming packets, just as you would for access via SSH, for both iptables and nft. You will notice that nft reduces this to a single command with simpler syntax.
Listing 2: Enabling Port 22 for Incoming Packets
### Allow incoming packets on port 22.
### With Iptables:
# iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
### With Nft:
$ nft add rule inet filter input tcp dport 22 ct state new,established accept
If you want to add ports 80 and 443 (i.e., HTTP and HTTPS), you need two more lines for iptables per port. With nft, on the other hand, it is sufficient to extend the existing line to combine all three protocols in one go. All three ports are enclosed in curly brackets, starting with port 22 followed by ports 80 and 443 separated by commas (Listing 3).
Listing 3: Adding Two Additional Ports
# nft add rule inet filter input tcp dport { 22, 80, 443 } ct state new,established accept
Please note that the spaces inside the brackets in Listing 3 must be exactly as shown — otherwise Bash will choke and protest. Users of Zsh run into the same problem, which can be solved by quoting appropriately.
Save and Restore
Similar to iptables, the nftables configuration can be saved to a file. Line 1 in Listing 4 writes the current ruleset to the firewall.config file, and line 2 reads the configuration back in.
Listing 4: Saving nftables Configuration
01 # nft list ruleset > firewall.config
02 # nft -f firewall.config
To make sure that there are no other (possibly interfering) rules left in the cache before initializing the firewall, you should add the line flush ruleset at the beginning of the configuration file firewall.config.
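As an added example (not from the original article), here is a complete firewall.config in nft's native file syntax that applies the advice above: it begins with flush ruleset, declares the inet filter table and the base chains that the add rule commands in Listings 2 and 3 assume already exist, and carries the three-port rule from Listing 3. The chain names, the default-drop policy on input and forward, and the ICMP and loopback rules are my own choices, not the article's.

```nft
# Constructed example: load with "nft -f firewall.config" (see Listing 4).
# Start from a clean slate so no stale rules interfere.
flush ruleset

table inet filter {
    chain input {
        # Base chain: hooked into the input path, everything not
        # explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        # Replies to connections we already allowed (and related
        # traffic such as ICMP errors) pass without further checks.
        ct state established,related accept

        # Packets conntrack cannot classify are dropped early.
        ct state invalid drop

        # Local processes talking to each other over loopback.
        iifname "lo" accept

        # ICMP/ICMPv6 are needed for path MTU discovery and IPv6 neighbor discovery.
        meta l4proto { icmp, icmpv6 } accept

        # The rule from Listing 3: SSH, HTTP and HTTPS in one anonymous set.
        tcp dport { 22, 80, 443 } ct state new,established accept
    }

    chain forward {
        # This host is not a router, so nothing is forwarded.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound traffic from the host itself is not restricted.
        type filter hook output priority 0; policy accept;
    }
}
```

Running nft -c -f firewall.config checks the file for syntax errors without loading it, which is worth doing before replacing a live ruleset.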
Creatures of habit, humans have a hard time with change. To help out with the transition from iptables to nft, the iptables-translate and ip6tables-translate commands convert the spelling of iptables firewall rules to those of nftables (Listing 5). This works for both individual instructions and complete rulesets.
Listing 5: Converting Rules
$ iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
nft add rule ip filter INPUT tcp dport 22 ct state new counter accept
$ ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT
nft add rule ip6 filter FORWARD iifname eth0 oifname eth3 meta l4proto udp udp dport { 111,222} counter accept
Conclusions
Nftables helps to group several complex tools under a common umbrella, making it easier to secure the network. To thoroughly test the new firewall ruleset, you can, for example, use a bunch of Raspberry Pis on a small, dedicated network. Alternatively, you can create a virtual test network using VirtualBox or the smart Mininet application.
Acknowledgements
The author would like to thank Axel Beckert and Werner Heuser for feedback during the preparation of this article.
This article originally appeared in Linux Magazine and is reprinted here with permission.