nftables for us Linux Administrators — a simple guide

Diyar Parwana
3 min read · Jun 20, 2023


When it comes to Linux, iptables has long been the trusted service, the robust firewall protecting our systems for years. But time brings change and innovation, and today I will introduce you to nftables, the new King Arthur’s knight in shining armor, all set to replace the age-old iptables.

Why should you care about nftables? Well, nftables not only encompasses all the features of iptables but goes a step further by introducing new ones that enhance flexibility, efficiency, and simplicity in firewall management. Let’s dive in and see how we can use nftables.

Installation and Setup of nftables

Setting up nftables is a breeze. Open your terminal and enter the following commands:

sudo apt update
sudo apt install nftables

The first command refreshes the package index; the second installs nftables.

To verify if nftables is installed and running, type:

sudo systemctl status nftables

If nftables is not running, don’t fret! Just enter the following commands to start it now and enable it to start at boot:

sudo systemctl start nftables
sudo systemctl enable nftables

Verify the status once more to ensure everything is working as it should:

sudo systemctl status nftables

Working with nftables: Creating Rules

nftables boasts a robust rule-set that can be tailored to specific needs. For instance, you might want to allow incoming traffic only on specific ports like SSH (port 22). You can easily do this by adding the relevant rule in nftables.

Let’s see how we can allow only SSH (port 22), HTTP (port 80), and HTTPS (port 443) traffic. Enter the following commands:

sudo nft add table inet filter
sudo nft add chain inet filter input { type filter hook input priority filter \; }
sudo nft add chain inet filter forward { type filter hook forward priority filter \; }
sudo nft add chain inet filter output { type filter hook output priority filter \; }

sudo nft add rule inet filter input tcp dport 22 accept
sudo nft add rule inet filter input tcp dport 80 accept
sudo nft add rule inet filter input tcp dport 443 accept

The rule input tcp dport 22 accept accepts incoming TCP traffic on port 22 (SSH); the next two rules do the same for ports 80 (HTTP) and 443 (HTTPS).

If the server is not used as a router or gateway, nothing should be forwarded through it, so we can set the forward chain’s policy to drop. The policy is what happens to packets that no rule in the chain matched:

sudo nft add chain inet filter forward { type filter hook forward priority filter \; policy drop \; }

Ensuring Rule Persistence

It’s great that we have set up some rules, but what about making them persist through system reboots? nftables has got us covered!

Save the rules to a file, typically /etc/nftables.conf, which is the file the nftables service loads when it starts. Note that a plain redirection (> file) is performed by your own unprivileged shell, not by sudo, so write the file like this:

sudo sh -c 'nft list ruleset > /etc/nftables.conf'

Check your ruleset anytime using:

sudo nft list ruleset

Your machine’s security is only as good as your rules! If the listing looks like this, with the input chain’s policy set to drop and only three accept rules, the machine accepts new incoming connections only on ports 22, 80, and 443.

table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		tcp dport 22 accept
		tcp dport 80 accept
		tcp dport 443 accept
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}
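As an added example that is not part of the original post, here is a complete /etc/nftables.conf that reproduces the ruleset above and adds what the minimal version lacks: with the input policy set to drop, the replies to the server’s own outbound connections (apt, DNS, NTP) and all loopback traffic are dropped too unless you accept them explicitly. The set { 22, 80, 443 } is the only line to edit when opening or closing a port; the shebang and flush ruleset lines follow the Debian convention so the file can be loaded repeatedly with sudo nft -f /etc/nftables.conf without duplicating rules.

```nft
#!/usr/sbin/nft -f
# Added example: a complete /etc/nftables.conf for a host that only
# serves SSH, HTTP and HTTPS and does not route traffic for others.
# Load (or re-load) with: sudo nft -f /etc/nftables.conf

flush ruleset   # start from a clean state so re-loading never duplicates rules

table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;

		# Loopback: many local services talk to themselves over lo
		iif lo accept

		# Replies to connections this host started, plus related traffic
		# (e.g. FTP data channels); without this, apt/DNS/NTP replies are dropped
		ct state established,related accept
		ct state invalid drop

		# ICMP is needed for path MTU discovery; ICMPv6 carries
		# IPv6 neighbour discovery, so IPv6 stops working without it
		meta l4proto { icmp, ipv6-icmp } accept

		# Services exposed on purpose: edit this set to open or close ports
		tcp dport { 22, 80, 443 } accept

		# Anything not matched above falls through to the chain policy (drop)
	}

	chain forward {
		# Not a router or gateway: forward nothing
		type filter hook forward priority filter; policy drop;
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}
```

Validate the file without applying it using sudo nft -c -f /etc/nftables.conf; a syntax error is reported with its line number and nothing changes in the kernel.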

Modify the rules in nftables

To close port 22 (SSH) again, simply remove the line that accepts incoming traffic on port 22 from the “input” chain. If you administer the machine over SSH, do this from the console rather than from an SSH session, or you will lock yourself out. Open the saved ruleset:

sudo nano /etc/nftables.conf

Locate the “input” chain in the “filter” table and delete the line tcp dport 22 accept.

After making changes, restart nftables so the file is reloaded, and list the ruleset to confirm the rule is gone:

sudo systemctl restart nftables
sudo nft list ruleset

And that’s it! You’ve embarked on your journey to mastering nftables. Embrace the change, explore more, and remember — your system security is no longer an iptables game, it’s an nftables play now!
