Hey, I'd like to point out right away that this tutorial is not mine - I received it in the mail and thought it would also be useful for members of the Qubes community.
The article comes from this site.
Nftables appeared in version 3.13 of the Linux kernel, which was released in January 2014. Like UFW and firewalld, nftables is used to configure a firewall. It is the most difficult to configure of all the firewalls mentioned, so it is recommended for those with Linux experience (and angelic patience).
Nftables should be installed by default in most Linux distributions. If it is not, you can install it with the command:
sudo apt install nftables
Nftables is managed via the nft command. To view the manual page for this command, type man nft in the console. It is worth noting that the manual is quite extensive - it has almost 4000 lines.
Nftables is based primarily on configuration files (*.conf), which can also be created from nft commands. Many rules can be defined, organised into tables, and each table belongs to a protocol family.
Nftables has a different syntax from iptables, but commands can be translated from iptables to nftables quite simply. If we want to use an iptables command with nftables, we can use the iptables-nft command. For example, to block traffic to port 80 for packets that come from the address 192.168.25.150:
sudo iptables -A INPUT -p tcp --source 192.168.25.150 --dport 80 -j DROP
sudo iptables-nft -A INPUT -p tcp --source 192.168.25.150 --dport 80 -j DROP
The Gentoo Linux Wiki contains some practical examples of nftables configuration. They are available here and I recommend you take a look at them.
Here is an example of a basic firewall configuration for a workstation.
#!/sbin/nft -f
flush ruleset
table ip filter {
    # allow all packets sent by the firewall machine itself
    chain output {
        type filter hook output priority 100; policy accept;
    }
    # allow LAN to firewall, disallow WAN to firewall
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "lan0" accept
        iifname "wan0" drop
    }
    # allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "lan0" oifname "wan0" accept
        iifname "wan0" oifname "lan0" ct state related,established accept
    }
}
The ruleset is loaded from the file with:
sudo nft --file [file name]
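The input chain of the workstation example above keeps policy accept and only drops wan0, so packets arriving on any other interface (a Wi-Fi or container bridge, for instance) are accepted by default. The script below is an added example, not part of the original tutorial or of any project, that generates a stricter variant using the inet family (IPv4 and IPv6 in one table) with a default-drop input chain; the interface names, port list and file path are assumptions.

```shell
#!/bin/sh
# Added example: generate a default-deny variant of the workstation ruleset.
# Only loopback, replies to connections this host opened, ICMP, and the LAN
# interface (optionally restricted to a TCP port list) are accepted on input.

# write_hardened_ruleset FILE LAN_IF WAN_IF [TCP_PORTS]
#   TCP_PORTS: optional comma-separated list accepted from the LAN, e.g. "22, 443"
write_hardened_ruleset() {
    file=$1; lan=$2; wan=$3; ports=${4:-}
    if [ -n "$ports" ]; then
        lan_rule="iifname \"$lan\" tcp dport { $ports } accept"
    else
        lan_rule="iifname \"$lan\" accept"
    fi
    cat > "$file" <<EOF
#!/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        $lan_rule
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "$lan" oifname "$wan" accept
        iifname "$wan" oifname "$lan" ct state established,related accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# check_ruleset FILE: parse the file without loading it (nft -c); reports
# "skipped" when nft is not installed so the script still runs elsewhere.
check_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "skipped (nft not installed)"
    elif nft -c -f "$1" 2>/dev/null; then
        echo "ok"
    else
        echo "syntax error or insufficient privileges"
    fi
}
```

Run write_hardened_ruleset /tmp/firewall.nft lan0 wan0 "22, 443", inspect the result, then load it with sudo nft -f /tmp/firewall.nft only after check_ruleset reports ok.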
The ArchLinux Wiki has a fairly simple and easy-to-read guide to the nftables command, which is available here.
nft list ruleset
- Displays the current ruleset
nft flush ruleset
- Removes all rules; may leave the device without a working firewall
nft list tables
- Displays the tables currently defined in the system
nft add table [family name] [table name]
- Creates a table for a given family (ip, arp, etc.) with a given name
Nftables is quite a complex tool and it is no mean feat to describe its functionality in a short article. That is why I encourage you to test different nftables configurations in a controlled environment in order to become familiar with the tool. The fact that rules are quite easy to translate from iptables may help many people "switch" to nftables.