<h1>[Tutorial 4.2] DomU firewalls in 4.2 have completely switched to nftables - a modern firewall for advanced users</h1>

Hi, I'd like to point out right away that this tutorial is not mine - I received it in the mail and thought it would also be useful for members of the Qubes community.

<h5>Summary: nftables in Qubes 4.2</h5>

* [4.2 release notes](https://www.qubes-os.org/doc/releases/4.2/release-notes/): **DomU firewalls have completely switched to nftables.** ([#5031](https://github.com/QubesOS/qubes-issues/issues/5031), [#6062](https://github.com/QubesOS/qubes-issues/issues/6062))
* @Sven: > [Firewall works differently in R4.2. You are using a pre-release version. Instructions that worked with R4.1 will no longer work with R4.2.](https://forum.qubes-os.org/t/4-2-leakage-of-network-traffic-from-vm-any-joke/21125/20)
* [Qubes OS 4.2 nftables / nft firewall guide](https://forum.qubes-os.org/t/qubes-os-4-2-nftables-nft-firewall-guide/20933) by @solene
<h1>[4.2] Configuring nftables in Qubes</h1>

The Qubes-specific instructions are in the [Qubes OS 4.2 nftables / nft firewall guide](https://forum.qubes-os.org/t/qubes-os-4-2-nftables-nft-firewall-guide/20933) by @solene.

From @solene:

> Pro tip: When experimenting with firewall rules, here is a practical method:
>
> * run `nft list ruleset | tee original_ruleset | tee new_ruleset`
> * add `flush ruleset` at the top of both files; that will clear all the rules before loading the new rules
> * make changes to `new_ruleset` for your experiments
> * load the new ruleset with `nft --file new_ruleset`
> * roll back with `nft --file original_ruleset` when you want to revert all changes
>
> (if you do that on a remote server using ssh, make sure not to lock yourself out; you may want to run `sleep 3600 && nft flush ruleset` to disable all rules after 1h if you don't stop the timer, or load the original ruleset :wink: instead of flushing everything temporarily)
> **The article comes from [this site.](https://pushsec.pl/nftables-czyli-nowoczesny-firewall-dla-zaawansowanych-uzytkownikow/)**

-------------
<h1>1. Introduction</h1>
<h1>2. Installing</h1>

On Debian-based systems the `nft` tool is in the `nftables` package:

`sudo apt install nftables`
<h1>3. Why choose nftables?</h1>

<h4>The possible families (protocol-related options) are as follows:</h4>

* **ip** - IP version 4,
* **ip6** - IP version 6 (the family is spelled `ip6` in nft syntax),
* **inet** - IP versions 4 and 6 handled in a single table,
* **arp** - ARP,
* **bridge** - traffic passing through a bridge.

<h4>Nftables also has three types of chain. They are:</h4>

* **filter** - a chain intended for packet filtering,
* **nat** - a chain intended for NAT, i.e. address translation,
* **route** - a chain that forces a new routing decision for locally generated packets it modifies (only valid on the output hook).

<h4>We can also specify at which point in the packet path (the hook) the rules apply:</h4>

* **prerouting** - every packet that arrives at the device, before the routing decision is made,
* **input** - packets addressed to the device itself,
* **forward** - packets routed through the device to another host,
* **output** - packets generated by the device itself,
* **postrouting** - every packet leaving the device, after the routing decision.

A base chain is created with a type, a hook and a priority (lower numbers run first), for example `type filter hook input priority 0;`, and its default verdict is set with `policy accept` or `policy drop`.

<h1>4. Similarities and differences with iptables: syntax</h1>
<h4>The command in iptables will look as follows:</h4>

<h4>To add them to nftables, use the command:</h4>
<h1>5. Examples of nftables configuration in practice</h1>

[Here](https://wiki.gentoo.org/wiki/Nftables/Examples) is an example of a basic firewall configuration for a workstation that also routes between a LAN and a WAN.

<h4>The configuration consists of a few simple assumptions:</h4>

1. Packets sent by the firewall host itself are allowed.
2. Incoming packets from the LAN are allowed.
3. Incoming packets from the WAN are discarded unless a LAN device initiated the connection.
4. Outgoing packets from the LAN are allowed.

<h4>The configuration is as follows:</h4>

For the host to forward packets between the LAN and the WAN at all, IPv4 forwarding must be enabled in the kernel (the key and value must be written without spaces around `=`, otherwise `sysctl` rejects the argument):

`sysctl -w net.ipv4.ip_forward=1`

This setting does not survive a reboot; to make it permanent, put `net.ipv4.ip_forward = 1` in a file under `/etc/sysctl.d/`.

To load the configuration from a file, use the command `nft -f <file>` (`-f` is short for `--file`); `nft -c -f <file>` only checks the file for errors without changing the active ruleset.
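The following is an added example and not the Gentoo wiki configuration the page links above: a complete `inet` ruleset implementing the four assumptions, plus an `ip nat` table with `masquerade` so the LAN can use the single WAN address. The interface names `eth0` (WAN) and `eth1` (LAN) and the prefix `192.168.10.0/24` are assumed for the example. The file starts with `flush ruleset`, as in the experimentation method described earlier, so loading it replaces the active ruleset instead of appending to it.

```nft
#!/usr/sbin/nft -f
# Added example: LAN/WAN router firewall implementing the four assumptions
# from section 5. Interface names and the LAN prefix are assumptions.
# Check:  nft -c -f router.nft      Load:  nft -f router.nft

flush ruleset

define wan = eth0
define lan = eth1
define lan_net = 192.168.10.0/24

table inet filter {
    chain input {
        # named priority `filter` equals 0
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # 2. incoming packets from the LAN are allowed
        iifname $lan accept

        # from the WAN only ICMP echo (rate limited) and the IPv6 neighbour
        # discovery messages needed for the WAN link itself to work
        iifname $wan icmp type echo-request limit rate 5/second accept
        iifname $wan icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # everything else hits the drop policy; count it for troubleshooting
        counter drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # 3. WAN packets are only forwarded when conntrack already knows the
        #    flow, i.e. a LAN host initiated it
        ct state established,related accept
        ct state invalid drop

        # 4. outgoing packets from the LAN towards the WAN are allowed
        iifname $lan oifname $wan accept

        counter drop
    }

    chain output {
        # 1. packets sent by the firewall host itself are allowed
        type filter hook output priority filter; policy accept;
    }
}

table ip nat {
    chain postrouting {
        # named priority `srcnat` equals 100
        type nat hook postrouting priority srcnat; policy accept;
        # hide the LAN behind the WAN address; requires net.ipv4.ip_forward=1
        oifname $wan ip saddr $lan_net masquerade
    }
}
```

Check the file with `nft -c -f router.nft`, load it with `nft -f router.nft` and confirm the result with `nft list ruleset`. With `policy drop` on the `input` chain it is easy to lock yourself out of a remote host: add an explicit `tcp dport 22 accept` rule for the interface you administer from, or use the timed rollback from @solene's tip before loading.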
<h1>6. Useful commands - quick sheet</h1>

ArchLinux Wiki has a fairly simple and easy-to-read guide related to the nftables command, which is available [here](https://wiki.archlinux.org/title/nftables).

<h3>Highlights include:</h3>

* **`nft list ruleset`** - displays the current set of rules
* **`nft -a list ruleset`** - the same, with the handle number of every rule and chain
* **`nft -c -f [file]`** - checks a rule file for errors without loading it
* **`nft -f [file]`** - loads rules from a file (`-f` is the same as `--file`)
* **`nft flush ruleset`** - removes all tables, chains and rules; may leave the device without a working firewall
* **`nft list tables`** - displays the currently defined tables in the system
* **`nft list table [family] [table name]`** - displays one table with its chains and rules
* **`nft add table [family] [table name]`** - creates a table for a given family (ip, ip6, inet, arp, bridge) with a given name
* **`nft add chain [family] [table] [chain] '{ type filter hook input priority 0; policy drop; }'`** - creates a base chain attached to a hook
* **`nft add rule [family] [table] [chain] tcp dport 22 accept`** - appends a rule to a chain
* **`nft delete rule [family] [table] [chain] handle [N]`** - deletes one rule by the handle shown by `nft -a list ruleset`
* **`nft delete table [family] [table name]`** - deletes a table together with everything in it

<h1>7. Summary</h1>

Nftables is quite a complex tool and it is no mean feat to describe its functionalities in a short article. That's why I encourage you to test different nftables configurations in a controlled environment in order to get most familiar with the tool. The fact that it is quite easy to translate rules from iptables may help many people to "switch" to nftables.

<h5>Additional valuable learning resources for nftables</h5>

* [Gentoo Linux Wiki](https://wiki.gentoo.org/wiki/Nftables/Examples) contains some practical examples of nftables configuration.
* [ArchLinux Wiki](https://wiki.archlinux.org/title/nftables) has a fairly simple and easy-to-read guide to the nftables command.
* For Qubes 4.2, see the [Qubes OS 4.2 nftables / nft firewall guide](https://forum.qubes-os.org/t/qubes-os-4-2-nftables-nft-firewall-guide/20933).