Debian 12 bookworm
Sponsored Link

Nftables : Basic Operation2023/07/13

 
This is the Basic Operation of Nftables.
[1]
The multiple networking levels are abstracted into families on nftables architecture like follows.
Family Description
ip This family processes IPv4 traffic/packets. The legacy [iptables] is the equivalent.
ip6 This family processes IPv6 traffic/packets. The legacy [ip6tables] is the equivalent.
inet This family processes both IPv4 and IPv6 traffic/packets as dual stack support.
arp This family processes ARP-level traffic, before any L3 handling is done by the kernel. The legacy [arptables] is the equivalent.
bridge This family processes traffic/packets traversing bridges. The legacy [ebtables] is the equivalent.
However there is no nf_conntrack integration for it.
netdev This family is different from the others in that it is used to create base chains attached to a single network interface. Such base chains see all network traffic on the specified interface, with no assumptions about L2 or L3 protocols. There is no legacy ***tables equivalent to this family.

[2]
There is no filtering rule by default on nftables, so start with creating tables.
⇒ nft add table [family] [table name]
# show ruleset (no filtering rule by default)

root@dlp:~#
nft list ruleset

table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }
}

# flush default rule above and add [firewall01] table in [inet] family

root@dlp:~#
nft flush ruleset

root@dlp:~#
nft add table inet firewall01

# show tables of [inet] family

root@dlp:~#
nft list tables inet

table inet firewall01
# show ruleset

root@dlp:~#
nft list ruleset

table inet firewall01 {
}


# to delete a table, run like follows

root@dlp:~#
nft delete table inet firewall01

[3]
Next, add chains to tables.
⇒ nft add chain [family] [table name] [chain name] { type [type] hook [hook} priority [priority] \; }
Available [type]s and [hook]s are follows. For [priority], it is generall integer value and the smaller value is high priority.
Type Possible to use with
filter all [family], [hook]
route [ip], [ip6], [inet] family
[output] hook
nat [ip], [ip6], [inet] family
[input], [output], [prerouting]. [postrouting] hook

Hook Possible to use with
input [ip], [ip6], [inet], [apr], [bridge] family
[filter], [nat] type
output [ip], [ip6], [inet], [apr], [bridge] family
[filter], [route], [nat] type
forward [ip], [ip6], [inet], [bridge] family
[filter] type
prerouting [ip], [ip6], [inet], [bridge] family
[filter], [nat] type
postrouting [ip], [ip6], [inet], [bridge] family
[filter], [nat] type
ingress [netdev] family
[filter] type

# with [filter] type, [input] hook, [0] priority
# add [filter_INPUT] chain to [firewall01] table in [inet] family

root@dlp:~#
nft add chain inet firewall01 filter_INPUT { type filter hook input priority 0 \;}
root@dlp:~#
nft list ruleset

table inet firewall01 {
        chain filter_INPUT {
                type filter hook input priority filter; policy accept;
        }
}


# to delete a chain, run like follows

root@dlp:~#
nft delete chain inet firewall01 filter_INPUT

root@dlp:~#
nft list ruleset

table inet firewall01 {
}
[4] After adding tables and chains, set rules to them.
root@dlp:~#
nft list ruleset

table inet firewall01 {
        chain filter_INPUT {
                type filter hook input priority filter; policy accept;
        }
}

# for example, add a rule to allow packets that state connection is [related, established]

root@dlp:~#
nft add rule inet firewall01 filter_INPUT ct state related,established accept
root@dlp:~#
nft list table inet firewall01

table inet firewall01 {
        chain filter_INPUT {
                type filter hook input priority filter; policy accept;
                ct state established,related accept
        }
}

# for example, add a rule to allow packets to loopback interface

root@dlp:~#
nft add rule inet firewall01 filter_INPUT iif lo accept
root@dlp:~#
nft list table inet firewall01

table inet firewall01 {
        chain filter_INPUT {
                type filter hook input priority filter; policy accept;
                ct state established,related accept
                iif "lo" accept
        }
}

# for example, add a rule to drop packets except allowed packets above

root@dlp:~#
nft add rule inet firewall01 filter_INPUT drop
root@dlp:~#
nft -a list table inet firewall01

table inet firewall01 { # handle 2
        chain filter_INPUT { # handle 1
                type filter hook input priority filter; policy accept;
                ct state established,related accept # handle 4
                iif "lo" accept # handle 5
                drop # handle 6
        }
}

# for example, add a rule next to the line [handle 5] to allow packets to 22 port with [new, untracked] connection state

root@dlp:~#
nft add rule inet firewall01 filter_INPUT handle 5 tcp dport 22 ct state { new,untracked } accept
root@dlp:~#
nft -a list table inet firewall01
table inet firewall01 { # handle 2
        chain filter_INPUT { # handle 1
                type filter hook input priority filter; policy accept;
                ct state established,related accept # handle 4
                iif "lo" accept # handle 5
                tcp dport 22 ct state { new, untracked } accept # handle 8
                drop # handle 6
        }
}

# for example, add a rule next to the line [handle 8] to allow packets that metadata is [icmp,ipv6-icmp]

root@dlp:~#
nft add rule inet firewall01 filter_INPUT handle 8 meta l4proto { icmp,ipv6-icmp } accept
root@dlp:~#
nft -a list table inet firewall01

table inet firewall01 { # handle 2
        chain filter_INPUT { # handle 1
                type filter hook input priority filter; policy accept;
                ct state established,related accept # handle 4
                iif "lo" accept # handle 5
                tcp dport 22 ct state { new, untracked } accept # handle 8
                meta l4proto { icmp, ipv6-icmp } accept # handle 10
                drop # handle 6
        }
}


# to delete a rule, specify the [handle] number of a line you'd like to delete and run the command below

root@dlp:~#
nft delete rule inet firewall01 filter_INPUT handle 8
root@dlp:~#
nft -a list table inet firewall01

table inet firewall01 { # handle 2
        chain filter_INPUT { # handle 1
                type filter hook input priority filter; policy accept;
                ct state established,related accept # handle 4
                iif "lo" accept # handle 5
                meta l4proto { icmp, ipv6-icmp } accept # handle 10
                drop # handle 6
        }
}
Matched Content