nftables is a framework by the Netfilter Project that provides packet filtering, network address translation (NAT) and other packet mangling.
Two of the most common uses of nftables are firewalling and Network Address Translation (NAT).
nftables is the default and recommended firewalling framework in Debian, and it replaces the old iptables (and related) tools.
Current status
NOTE: Debian 10 Buster and later use the nftables framework by default.
Starting with Debian 10 Buster, nf_tables is the default backend when using iptables, by means of the iptables-nft layer (i.e., using iptables syntax with the nf_tables kernel subsystem). This also affects ip6tables, arptables and ebtables.
Hints
Some hints folks might find interesting in some situations.
Use firewalld
You should consider using a wrapper instead of writing your own firewalling scripts. It is recommended to run firewalld, which integrates well into the system. See also https://firewalld.org/
The firewalld software takes control of all the firewalling setup in your system, so you don't have to know the details of what is happening under the hood. Many other system components can integrate with firewalld, like NetworkManager, libvirt, podman, fail2ban, docker, etc.
Reverting to legacy xtables
You can switch back and forth between iptables-nft and iptables-legacy by means of update-alternatives (same applies to arptables and ebtables).
The default starting with Debian 10 Buster:
# update-alternatives --set iptables /usr/sbin/iptables-nft
# update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
# update-alternatives --set arptables /usr/sbin/arptables-nft
# update-alternatives --set ebtables /usr/sbin/ebtables-nft
Switching to the legacy version:
# update-alternatives --set iptables /usr/sbin/iptables-legacy
# update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
# update-alternatives --set arptables /usr/sbin/arptables-legacy
# update-alternatives --set ebtables /usr/sbin/ebtables-legacy
nftables in Debian the easy way
If you want to enable a default firewall in Debian, follow these steps:
# aptitude install nftables
# systemctl enable nftables.service
This way, nftables is active at boot. By default, rules are located in /etc/nftables.conf.
To stop nftables from doing anything, just drop all the rules:
# nft flush ruleset
To prevent nftables from starting at boot:
# systemctl mask nftables.service
To uninstall it and purge any traces of nftables in your system:
# aptitude purge nftables
FAQ
What is nftables?
It is the new framework by the Netfilter Project, allowing you to perform packet filtering (firewalling), NAT, mangling and packet classification.
Should I build a firewall using nftables?
Yes. Building new firewalls on top of iptables is discouraged.
Should I replace an iptables firewall with an nftables one?
Yes, nftables is the replacement for iptables. There are some tools in place to ease this task.
Please read: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
Why a new framework?
The previous framework (iptables) has several problems that are hard to address, regarding scalability, performance, code maintenance, etc.
What are the major differences?
In iptables there are several tables (filter, nat) and chains (FORWARD, INPUT...) by default. In nftables, there are no default tables/chains.
Also, in iptables you only have one target per rule (-j ACCEPT, -j LOG ...). In nftables, you can perform several actions in one single rule.
nftables includes built-in data set capabilities. In iptables this is not possible, and there is a separate tool: ipset.
In the iptables framework there are tools per family: iptables, ip6tables, arptables, ebtables. Now, nftables allows you to manage all families in one single CLI tool.
This new framework features a new linux kernel subsystem, known as nf_tables. The new engine mechanism is inspired by BPF-like systems, with a set of basic expressions, which can be combined to build complex filtering rules.
Should I mix nftables and iptables/ebtables/arptables rulesets?
No, unless you know what you are doing.
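The "Reverting to legacy xtables" section above switches the iptables binaries between the nf_tables and legacy backends, and this answer says not to mix the two rulesets. The following is an added example (not part of this wiki page): shell helpers that tell which backend the iptables binary uses, by parsing the "(nf_tables)" or "(legacy)" suffix that iptables -V prints, and that count rules in both the iptables-legacy -S and nft list ruleset outputs so a mixed host can be spotted. The SAMPLE_* strings are constructed inputs, not output captured from a real host; live_report() needs root and the real tools.

```shell
#!/bin/sh
# Added example (not from the Debian wiki page): helpers to tell which
# xtables backend a host's iptables binary uses and whether rules exist in
# both the legacy and the nf_tables worlds at once, which is the mixed
# setup the page advises against. The SAMPLE_* strings are constructed
# inputs so the parsers can be exercised without root; live_report() needs
# root and the real tools.

# `iptables -V` prints e.g. "iptables v1.8.7 (nf_tables)" or
# "iptables v1.8.7 (legacy)"; return the backend name from that string.
backend_from_version() {
    case "$1" in
        *'(nf_tables)'*) echo nf_tables ;;
        *'(legacy)'*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Count rules in `iptables-legacy -S` output: only "-A" lines are rules;
# "-P" policy and "-N" chain lines appear even on a host with no rules.
count_xtables_rules() {
    printf '%s\n' "$1" | grep -c '^-A ' || true
}

# Count rules in `nft list ruleset` output: strip indentation, drop the
# structural lines (table/chain/set headers, chain type lines, set
# element lists, braces) and count what is left.
count_nft_rules() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//' \
        | grep -v -e '^table ' -e '^chain ' -e '^set ' -e '^}' -e '^$' \
                  -e '^type ' -e '^elements ' -e '^flags ' \
        | grep -c . || true
}

# "mixed" when both the legacy and the nf_tables ruleset carry rules.
classify() {
    if [ "$1" -gt 0 ] && [ "$2" -gt 0 ]; then echo mixed; else echo clean; fi
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_VERSION='iptables v1.8.7 (nf_tables)'
SAMPLE_LEGACY='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP'
SAMPLE_NFT='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
    }
}'

# Run the checks on the sample data; returns
# "backend=nf_tables legacy_rules=2 nft_rules=2 state=mixed".
sample_report() {
    legacy=$(count_xtables_rules "$SAMPLE_LEGACY")
    native=$(count_nft_rules "$SAMPLE_NFT")
    echo "backend=$(backend_from_version "$SAMPLE_VERSION") legacy_rules=$legacy nft_rules=$native state=$(classify "$legacy" "$native")"
}

# Same report from the running host (needs root, nft and iptables).
live_report() {
    if [ "$(id -u)" -ne 0 ] || ! command -v nft >/dev/null 2>&1; then
        echo "skipped: needs root and nft"
        return 0
    fi
    legacy=0
    if command -v iptables-legacy >/dev/null 2>&1; then
        legacy=$(count_xtables_rules "$(iptables-legacy -S 2>/dev/null)")
    fi
    native=$(count_nft_rules "$(nft list ruleset 2>/dev/null)")
    echo "backend=$(backend_from_version "$(iptables -V 2>/dev/null)") legacy_rules=$legacy nft_rules=$native state=$(classify "$legacy" "$native")"
}
```

Note that rules loaded through iptables-nft also appear in nft list ruleset (as ip/ip6 tables), so live_report() only flags the legacy-plus-nf_tables case; that is the combination where two independent rule engines see the same packets and neither ruleset shows the whole policy.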
I knew the iptables syntax. Is there a new syntax in nftables?
Yes, but the nftables one is better.
Help in migrating to nftables: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
new syntax
Create a basic IPv4/IPv6 dual-stack table:
# nft add table inet filter
Create a chain for input IPv4/IPv6 dual-stack traffic:
# nft add chain inet filter input { type filter hook input priority 0\; }
A rule to check that all is fine (IPv4/IPv6 dual-stack):
# nft add rule inet filter input counter accept
Show all the previous:
# nft list table inet filter
Flush rules in chain filter/input:
# nft flush chain inet filter input
Delete the chain filter/input:
# nft delete chain inet filter input
Delete the table filter:
# nft delete table inet filter
The family parameter is optional. The default is 'ip'. Other families are 'inet', 'ip6', 'arp', 'bridge' or 'netdev':
# nft add table ip6 filter
# nft add chain ip6 filter input
# nft add rule ip6 filter input counter accept
Debian ships example configurations in:
/usr/share/doc/nftables/examples/
Count traffic on destination port tcp/22 (IPv4/IPv6 dual-stack):
# nft add rule inet filter input tcp dport 22 counter
Count and accept traffic to 80/tcp and 443/tcp in new and established state (IPv4/IPv6 dual-stack):
# nft add rule inet filter input tcp dport {80, 443} ct state new,established counter accept
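The commands above build the objects one at a time; in practice they are kept together in a script such as /etc/nftables.conf, which the nftables.service unit from the "nftables in Debian the easy way" section loads at boot. The following is an added example, not the Debian package's own configuration and not code from the nftables project: it writes a minimal dual-stack host firewall using the same pieces (an inet table, an input base chain, ct state and tcp dport matches, counters) and also shows two of the differences listed in the FAQ, a named set built into the ruleset and a single rule that counts, logs and drops. The ports in the set, the log prefix and the file path are constructed sample values.

```shell
#!/bin/sh
# Added example (not the Debian wiki's or the nftables project's code):
# generate a minimal dual-stack host firewall in nft script syntax,
# dry-run it with `nft -c` when possible, and count its rules.
# The ports in the set, the log prefix and the file path are constructed
# sample values.

# Write the ruleset to the path given as $1 (e.g. /etc/nftables.conf).
write_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    # Named set: sets are built into nftables, no separate ipset tool.
    set admin_ports {
        type inet_service
        elements = { 22, 8443 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # loopback and replies to connections this host opened
        iif "lo" accept
        ct state established,related accept
        ct state invalid counter drop

        # ICMP is needed for path MTU discovery; ICMPv6 for neighbour discovery
        meta l4proto icmp accept
        meta l4proto ipv6-icmp accept

        # web traffic: counted and accepted, IPv4 and IPv6 in one rule
        tcp dport { 80, 443 } ct state new counter accept
        # admin ports come from the named set
        tcp dport @admin_ports ct state new counter accept

        # several actions in one rule: count, log, then drop
        counter log prefix "nft-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Dry-run the file with `nft -c -f` (parse and evaluate, load nothing).
# Prints "ok" or "fail"; prints "skipped" when nft is missing or cannot
# talk to the kernel (nft needs CAP_NET_ADMIN even for a dry run).
check_ruleset() {
    if ! command -v nft >/dev/null 2>&1 || ! nft list tables >/dev/null 2>&1; then
        echo skipped
        return 0
    fi
    if nft -c -f "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Count rule statements in the script: every non-empty line that is not a
# comment, a table/chain/set header, a chain type line, a set's type or
# element list, a closing brace, or the initial flush.
count_rules() {
    sed 's/^[[:space:]]*//' "$1" \
        | grep -v -e '^#' -e '^$' -e '^flush ' -e '^table ' -e '^chain ' \
                  -e '^set ' -e '^type ' -e '^elements ' -e '^}' \
        | grep -c . || true
}

# Stand-alone run: `sh this.sh demo` writes to a temp file and reports.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    write_ruleset "$f"
    echo "check: $(check_ruleset "$f"), rules: $(count_rules "$f")"
    rm -f "$f"
fi
```

The input chain carries a drop policy and an explicit established,related accept, so only the listed ports are reachable; the final counter log prefix drop rule shows the counter climbing and produces a kernel log line for each rejected packet, which is what you want to watch after loading a new ruleset with nft -f.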
external resources
Check out the official nftables wiki: http://wiki.nftables.org/