Nftables : Basic Operation (2023/07/13)
This is the Basic Operation of Nftables.
| [1] |
In the nftables architecture, the multiple networking levels are abstracted into families, as follows.
| [2] |
There are no filtering rules by default on nftables, so start by creating tables.
⇒ nft add table [family] [table name]
# show ruleset (no filtering rule by default) root@dlp:~# nft list ruleset
table inet filter {
chain input {
type filter hook input priority filter; policy accept;
}
chain forward {
type filter hook forward priority filter; policy accept;
}
chain output {
type filter hook output priority filter; policy accept;
}
}
# flush default rule above and add [firewall01] table in [inet] family root@dlp:~# nft flush ruleset root@dlp:~# nft add table inet firewall01 # show tables of [inet] family root@dlp:~# nft list tables inet table inet firewall01 # show ruleset root@dlp:~# nft list ruleset
table inet firewall01 {
}
# to delete a table, run as follows root@dlp:~# nft delete table inet firewall01
| [3] |
Next, add chains to tables.
⇒ nft add chain [family] [table name] [chain name] { type [type] hook [hook] priority [priority] \; }
The available [type]s and [hook]s are as follows. The [priority] is generally an integer value; the smaller the value, the higher the priority (for example, the listing below shows priority 0 under its symbolic name [filter]).
# with [filter] type, [input] hook, [0] priority # add [filter_INPUT] chain to [firewall01] table in [inet] family root@dlp:~# nft add chain inet firewall01 filter_INPUT { type filter hook input priority 0 \;}
nft list ruleset
table inet firewall01 {
chain filter_INPUT {
type filter hook input priority filter; policy accept;
}
}
# to delete a chain, run as follows root@dlp:~# nft delete chain inet firewall01 filter_INPUT root@dlp:~# nft list ruleset table inet firewall01 { }
| [4] | After adding tables and chains, set rules to them. |
root@dlp:~# nft list ruleset
table inet firewall01 {
chain filter_INPUT {
type filter hook input priority filter; policy accept;
}
}
# for example, add a rule to allow packets that state connection is [related, established] root@dlp:~# nft add rule inet firewall01 filter_INPUT ct state related,established accept
nft list table inet firewall01
table inet firewall01 {
chain filter_INPUT {
type filter hook input priority filter; policy accept;
ct state established,related accept
}
}
# for example, add a rule to allow packets to loopback interface root@dlp:~# nft add rule inet firewall01 filter_INPUT iif lo accept
nft list table inet firewall01
table inet firewall01 {
chain filter_INPUT {
type filter hook input priority filter; policy accept;
ct state established,related accept
iif "lo" accept
}
}
# for example, add a rule to drop all packets not accepted by the rules above (appended last, it acts as the chain's catch-all; any rule appended after it with a plain [add] would never be reached) root@dlp:~# nft add rule inet firewall01 filter_INPUT drop
nft -a list table inet firewall01
table inet firewall01 { # handle 2
chain filter_INPUT { # handle 1
type filter hook input priority filter; policy accept;
ct state established,related accept # handle 4
iif "lo" accept # handle 5
drop # handle 6
}
}
# for example, add a rule after the line [handle 5] to allow packets to port 22 with [new, untracked] connection state (positioning by handle keeps the rule above the final [drop]; the handle numbers come from [nft -a]) root@dlp:~# nft add rule inet firewall01 filter_INPUT handle 5 tcp dport 22 ct state { new,untracked } accept
nft -a list table inet firewall01
table inet firewall01 { # handle 2
chain filter_INPUT { # handle 1
type filter hook input priority filter; policy accept;
ct state established,related accept # handle 4
iif "lo" accept # handle 5
tcp dport 22 ct state { new, untracked } accept # handle 8
drop # handle 6
}
}
# for example, add a rule after the line [handle 8] to allow packets whose layer-4 protocol is [icmp,ipv6-icmp] root@dlp:~# nft add rule inet firewall01 filter_INPUT handle 8 meta l4proto { icmp,ipv6-icmp } accept
nft -a list table inet firewall01
table inet firewall01 { # handle 2
chain filter_INPUT { # handle 1
type filter hook input priority filter; policy accept;
ct state established,related accept # handle 4
iif "lo" accept # handle 5
tcp dport 22 ct state { new, untracked } accept # handle 8
meta l4proto { icmp, ipv6-icmp } accept # handle 10
drop # handle 6
}
}
# to delete a rule, specify the [handle] number (shown by [nft -a]) of the line you'd like to delete and run the command below root@dlp:~# nft delete rule inet firewall01 filter_INPUT handle 8
nft -a list table inet firewall01
table inet firewall01 { # handle 2
chain filter_INPUT { # handle 1
type filter hook input priority filter; policy accept;
ct state established,related accept # handle 4
iif "lo" accept # handle 5
meta l4proto { icmp, ipv6-icmp } accept # handle 10
drop # handle 6
}
}