Source: Shulou (SLTechnology News & Howtos), Internet Technology. Report dated 06/02, updated 2025-04-06.
This article gives a detailed explanation of how to build an nftables firewall. The editor thinks it is very practical and shares it here for reference; I hope you get something out of reading it.
There is currently an nftables-compatible iptables-nft backend, but soon even that will no longer be available. In addition, as Red Hat developers have pointed out, it sometimes converts rules incorrectly. We therefore need to know how to build our own nftables rule set instead of relying on an iptables-to-nftables converter.
In nftables, all address families are handled by one rule set. Unlike iptables, where every protocol module runs in kernel space, nftables does its protocol handling in user space, so it rarely requires kernel updates, and it brings new features such as maps, address families, and dictionaries.
Address family
The address family determines the type of packet to be processed. There are six address families in nftables:
ip
ip6 (IPv6)
inet
arp
bridge
netdev
In nftables, the IPv4 and IPv6 protocols can be handled together by a single address family called inet, so we do not need two rules, one for IPv4 and another for IPv6. If no address family is specified, it defaults to ip, that is, IPv4. Our area of interest is the inet address family, since most home users use IPv4 or IPv6.
Nftables
A typical nftables rule set consists of three parts: tables, chains, and rules.
Tables are containers for chains and rules; they are identified by their address family and name. Chains hold the rules for a protocol family such as inet, arp, bridge or netdev and come in three types: filter, nat, and route. Nftables rules can be loaded from a script or typed at the terminal and saved as a rule set.
For home users, the filter chain type is the one that matters. In the inet family it can attach to the following hooks:
input
output
forward
prerouting
postrouting
Should you use a script or not?
One of the biggest questions is whether to use a firewall script. The answer: it's your choice. A suggestion: if the firewall has hundreds of rules, a script is best, but a typical home user can type the commands in the terminal and then save the rule set so it is loaded on reboot. Each choice has its advantages and disadvantages. In this article, we type the commands into the terminal to build the firewall.
Nftables uses a program called nft to add, create, list, delete, and load rules. Install nftables together with the conntrackd and netfilter-persistent packages and remove iptables with the following commands:
apt-get install nftables conntrackd netfilter-persistent
apt-get purge iptables
nft needs to be run as root or with sudo. The following commands list the rule set, flush it, delete the inet filter table, and load a script file, respectively:
nft list ruleset
nft flush ruleset
nft delete table inet filter
/usr/sbin/nft -f /etc/nftables.conf
Input policy
Just like iptables, the firewall consists of three parts: input, forward, and output. In the terminal, type the following commands for the input policy. Before you begin, make sure the rule set has been flushed. Our default policy will drop everything, and we use the inet address family throughout. Add or run the following rules as root or with sudo:
nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0\; counter\; policy drop\; }
You will notice the expression priority 0. The priority determines the order in which chains registered on the same hook are evaluated: lower numbers are evaluated first, so a negative number means a higher priority. Each built-in hook priority has its own value, and the standard priority of a filter chain is 0. You can check the nftables wiki for the priority of each hook.
To learn about the network interface in your computer, run the following command:
ip link show
It shows the installed network interfaces: one is the loopback (local host), the other is the Ethernet or wireless port. The Ethernet port is named enpXsY, where X and Y are numbers; the wireless port follows a similar scheme. We must allow all traffic on the loopback interface and, on the Ethernet port, accept incoming connections from the Internet.
Nftables has what it calls verdict statements for deciding what happens to a packet that matches a rule. The verdicts are accept, drop, queue, jump, goto, continue and return. Since this is a simple firewall, we will only use accept and drop.
nft add rule inet filter input iifname lo accept
nft add rule inet filter input iifname enpXsY ct state new,established,related accept
Next, we add rules to protect against stealth scans. Not all stealth scans are malicious, but most are, so we must protect the network from them. In each rule, the first group of flags (after &) is the mask of flags to test, and the second group (after ==) is the combination those masked flags must equal for the rule to match.
nft add rule inet filter input iifname enpXsY tcp flags \& \(syn\|fin\) == \(syn\|fin\) drop
nft add rule inet filter input iifname enpXsY tcp flags \& \(syn\|rst\) == \(syn\|rst\) drop
nft add rule inet filter input iifname enpXsY tcp flags \& \(fin\|rst\) == \(fin\|rst\) drop
nft add rule inet filter input iifname enpXsY tcp flags \& \(ack\|fin\) == fin drop
nft add rule inet filter input iifname enpXsY tcp flags \& \(ack\|psh\) == psh drop
nft add rule inet filter input iifname enpXsY tcp flags \& \(ack\|urg\) == urg drop
Remember, we are typing these commands into the terminal, so we must put a backslash before the special characters (&, |, parentheses and semicolons) so that the shell passes them to nft instead of interpreting them itself. If you use a script, this is not needed.
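To make the mask/value semantics of the six scan rules concrete, here is an added Python model (not code from the article) of nft's "tcp flags & MASK == VALUE" test, run against constructed sample segments so you can see which shapes each rule drops.

```python
# Added example (not from the article): a Python model of nft's
# "tcp flags & MASK == VALUE" test, applied to the six stealth-scan rules
# above, so you can see which TCP segments each rule would drop.
# The sample segments are constructed here for illustration.
from typing import Dict, List, Optional, Tuple
# TCP header flag bits.
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "psh": 0x08, "ack": 0x10, "urg": 0x20}

def flags(*names: str) -> int:
    """Combine named flags into one bitmask (nft's syn|fin)."""
    return sum(FLAG_BITS[n] for n in names)

# (mask, value, description): the rule matches when flags & mask == value.
RULES: List[Tuple[int, int, str]] = [
    (flags("syn", "fin"), flags("syn", "fin"), "syn and fin set together"),
    (flags("syn", "rst"), flags("syn", "rst"), "syn and rst set together"),
    (flags("fin", "rst"), flags("fin", "rst"), "fin and rst set together"),
    (flags("ack", "fin"), flags("fin"), "fin without ack"),
    (flags("ack", "psh"), flags("psh"), "psh without ack"),
    (flags("ack", "urg"), flags("urg"), "urg without ack"),
]

def matching_rule(tcp_flags: int) -> Optional[str]:
    """Description of the first rule that drops this segment, or None
    if it falls through to the rules that follow in the chain."""
    for mask, value, desc in RULES:
        if tcp_flags & mask == value:
            return desc
    return None

def classify(samples: Dict[str, int]) -> Dict[str, Optional[str]]:
    """Evaluate every sample segment against the rule list."""
    return {name: matching_rule(bits) for name, bits in samples.items()}

# Constructed samples: a normal handshake and some well-known scan shapes.
SAMPLES = {
    "normal syn": flags("syn"),
    "normal ack": flags("ack"),
    "normal psh+ack": flags("psh", "ack"),
    "syn/fin scan": flags("syn", "fin"),
    "fin scan": flags("fin"),
    "xmas scan": flags("fin", "psh", "urg"),
    "null scan": 0,
}

if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print(f"{name:15} -> {verdict or 'passes the six flag rules'}")
```

Note that a null scan (no flags set) passes all six rules; in the chain above it is left to the later ct state invalid drop rule.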
Warning about ICMP
Internet Control Message Protocol (ICMP) is a diagnostic tool, so its traffic should not be dropped completely. Blocking ICMP entirely would be unwise, because it would also stop us from receiving error messages. Enable only the most important control messages, such as echo request, echo reply, destination unreachable and time exceeded, and reject the rest. Echo request and echo reply are the two halves of ping. In the input policy we only allow echo replies, while in the output policy we only allow echo requests.
nft add rule inet filter input iifname enpXsY icmp type { echo-reply, destination-unreachable, time-exceeded } limit rate 1/second accept
nft add rule inet filter input iifname enpXsY ip protocol icmp drop
Finally, we log and drop all invalid packets.
nft add rule inet filter input iifname enpXsY ct state invalid log flags all level info prefix \"Invalid-Input:\"
nft add rule inet filter input iifname enpXsY ct state invalid drop
Forward and output policies
In the forward and output policies, we drop packets by default and accept only packets that belong to established connections.
nft add chain inet filter forward { type filter hook forward priority 0\; counter\; policy drop\; }
nft add rule inet filter forward ct state established,related accept
nft add rule inet filter forward ct state invalid drop
nft add chain inet filter output { type filter hook output priority 0\; counter\; policy drop\; }
A typical desktop user only needs ports 80 and 443 to reach the Internet. Finally, the acceptable ICMP types are allowed, the rest of ICMP is dropped, and invalid packets are logged and dropped.
nft add rule inet filter output oifname enpXsY tcp dport { 80, 443 } ct state new,established accept
nft add rule inet filter output oifname enpXsY icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 1/second accept
nft add rule inet filter output oifname enpXsY ip protocol icmp drop
nft add rule inet filter output oifname enpXsY ct state invalid log flags all level info prefix \"Invalid-Output:\"
nft add rule inet filter output oifname enpXsY ct state invalid drop
Now we must save our rule set, or it will be lost when we restart. To do this, run the following command (the shell, not sudo, opens the output file, so the redirection itself must run as root):
sudo sh -c 'nft list ruleset > /etc/nftables.conf'
We need to load nftables at boot time, and the following will enable the nftables service in systemd:
sudo systemctl enable nftables
Next, edit the nftables unit file to remove the ExecStop line, so that the rule set is not flushed at every boot. This file is usually located at /etc/systemd/system/sysinit.target.wants/nftables.service. Now restart nftables:
sudo systemctl restart nftables
Logs in rsyslog
When you log dropped packets, the messages go straight into syslog, which makes the log file very hard to read. It is better to redirect the firewall log to a separate file. Create a directory called nftables under /var/log, and in it create two files named input.log and output.log to hold the input and output logs, respectively. Make sure rsyslog is installed on the system. Now go to /etc/rsyslog.d and create a file called nftables.conf with the following content (the "& stop" after each selector keeps the matched messages out of the main syslog):
:msg,regex,"Invalid-Input:" -/var/log/nftables/input.log
& stop
:msg,regex,"Invalid-Output:" -/var/log/nftables/output.log
& stop
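Once rsyslog is writing the "Invalid-Input:" and "Invalid-Output:" messages into their own files, it helps to have a small parser for them. Here is an added Python example (not from the article) that parses constructed sample lines in the netfilter log format and summarises inbound drops per source address and destination port; the addresses are documentation ranges and the MAC field is an arbitrary placeholder.

```python
# Added example (not from the article): parse the kernel log lines that the
# "Invalid-Input:"/"Invalid-Output:" rules produce, once rsyslog has routed them
# into /var/log/nftables/, and summarise dropped packets per source and port.
# The log lines below are constructed samples in the netfilter log format.
import re
from collections import Counter
from typing import Dict, Iterable

LINE_RE = re.compile(r"(?P<prefix>Invalid-(?:Input|Output)):(?P<fields>.*)$")
KV_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")

def parse_line(line: str) -> Dict[str, str]:
    """Turn one log line into a dict of KEY=value fields; bare tokens such as
    DF, SYN or ACK (flags without '=') are collected under FLAGS."""
    m = LINE_RE.search(line)
    if not m:
        return {}
    rec, flag_tokens = {"PREFIX": m.group("prefix")}, []
    for tok in m.group("fields").split():
        kv = KV_RE.fullmatch(tok)
        if kv:
            rec[kv.group("key")] = kv.group("val")
        elif tok.isupper():
            flag_tokens.append(tok)
    rec["FLAGS"] = " ".join(flag_tokens)
    return rec

def summarise(lines: Iterable[str]) -> Dict[str, Counter]:
    """Count inbound drops by source address and by protocol/destination port."""
    by_src, by_dport = Counter(), Counter()
    for rec in map(parse_line, lines):
        if rec.get("PREFIX") == "Invalid-Input":
            by_src[rec.get("SRC", "?")] += 1
            by_dport[f"{rec.get('PROTO', '?')}/{rec.get('DPT', '-')}"] += 1
    return {"by_src": by_src, "by_dport": by_dport}

# Constructed sample: three invalid inbound packets and one outbound one
# (documentation addresses; the MAC field is an arbitrary placeholder).
SAMPLE_LOG = """\
Apr  6 10:15:01 host kernel: Invalid-Input:IN=enp3s0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
Apr  6 10:15:02 host kernel: Invalid-Input:IN=enp3s0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=443 WINDOW=1024 RES=0x00 RST URGP=0
Apr  6 10:15:09 host kernel: Invalid-Input:IN=enp3s0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8812 PROTO=UDP SPT=5353 DPT=5353 LEN=40
Apr  6 10:16:00 host kernel: Invalid-Output:IN= OUT=enp3s0 SRC=192.0.2.10 DST=203.0.113.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=44322 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

if __name__ == "__main__":
    for bucket, counts in summarise(SAMPLE_LOG.splitlines()).items():
        print(bucket, dict(counts.most_common()))
```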
Now we must make sure that the log stays manageable. To do this, create another file called nftables in /etc/logrotate.d with the following content:
/var/log/nftables/* {
    rotate 5
    daily
    maxsize 50m
    missingok
    notifempty
    delaycompress
    compress
    postrotate
        invoke-rc.d rsyslog rotate > /dev/null
    endscript
}
Restart nftables. Now you can check your rule set. If you find it tedious to type each command in the terminal, you can use a script to load the nftables firewall instead.
This ends the article on how to build an nftables firewall. I hope the above content is of some help and lets you learn a bit more; if you think the article is good, please share it so that more people can see it.