Hey, I'd like to point out right away that this tutorial is not mine - I received it in the mail and thought it would also be useful for members of the Qubes community. The article comes from this site.
1. Introduction
Nftables appeared in version 3.13 of the Linux kernel, which was released in January 2014. Like UFW and firewalld, nftables is used to configure a firewall. It is the most difficult to configure firewall of all the previously mentioned, so using it is recommended for those with Linux experience (and angelic patience).
2. Installing
Nftables should be installed by default in most Linux distributions. However, if it is not installed, you can use the command:
sudo apt install nftables
Nftables are managed via the nft command. To view the instruction associated with this command, type man nft in the console. It is worth noting that the provided instruction is quite extensive - it has almost 4000 lines.
3. Why choose nftables?
Nftables is based primarily on configuration files (*.conf), which can be created through commands using nft. You can define many rules described in tables, which are based on protocols.
The possible families (protocol-related options) are as follows:
List item
ip - intended for IP version 4,
Nftables also has three types of chain. They are:
We can also specify the range of packets to which the rules apply as follows:
4. Relatedness and differences with iptables - syntax
Nftables has a different syntax from iptables, but the commands can be translated from iptables to nftables quite simply. If we want to use a command from iptables in nftables, we can use the iptables-nft command. For example - we want to block traffic on port 80 for packets that come from the address 192.168.25.150.
The command in iptables will look as follows:
sudo iptables -A INPUT -p tcp --source 192.168.25.150 --dport 80 -j DROP
To add them to nftables, use the command:
sudo iptables-nft -A INPUT -p tcp --source 192.168.25.150 --dport 80 -j DROP
5. Examples of nftables configuration in practice
Gentoo Linux Wiki contains some practical examples of nftables configuration. They are available here and I recommend you take a look at them J.
Here is an example of a basic firewall configuration for a workstation. The configuration consists of a few simple assumptions:
The configuration is as follows:
#!/sbin/nft -f
flush ruleset
table ip filter {
# allow all packets sent by the firewall machine itself
chain output {
type filter hook output priority 100; policy accept;
}
# allow LAN to firewall, disallow WAN to firewall
chain input {
type filter hook input priority 0; policy accept;
iifname "lan0" accept
iifname "wan0" drop
}
# allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
chain forward {
type filter hook forward priority 0; policy drop;
iifname "lan0" oifname "wan0" accept
iifname "wan0" oifname "lan0" ct state related,established accept
}
}
sysctl -w net.ipv4.ip_forward = 1
To load the configuration from a file, use the command:
sudo nft --file [file name]
6. Useful commands - quick sheet ArchLinux Wiki has a fairly simple and easy-to-read guide related to the nftables command, which is available here.
Highlights include:
**nft list ruleset**
- Displays the current set of rules
**nft flush ruleset**
- Removing rules, may leave device without working firewall
**nft list tables**
- Displays the currently defined tables in the system
**nft add table [family name] [table name].**
- Creates a table for a given family (options - ip, arp, etc.) with a given name
7. Summary
Nftables is quite a complex tool and it is no mean feat to describe its functionalities in a short article. That's why I encourage you to test different nftables configurations in a controlled environment in order to get most familiar with the tool. The fact that it is quite easy to translate rules from iptables may help many people to "switch" to nftables.