Revision 4072 (edit comment: "add link to nftables wiki about moving from iptables to nftables") compared with revision 4091 (edit comment: "replaces already!"). Changes between the two revisions: "nftables is meant to replace the iptables framework" became "nftables replaces the iptables framework"; the current version v0.6 became v0.7; the recommended kernel >= 4.7 became >= 4.10; the command examples now use the inet family ("nft add table inet filter" and so on); and the example configuration reference changed from /usr/share/doc/nftables/examples/basic.nft to the /usr/share/doc/nftables/examples/ directory.
nftables is a framework by the Netfilter Project that provides packet filtering, network address translation (NAT) and other packet mangling.
Two of the most common uses of nftables are to provide firewall support and NAT.
nftables replaces the iptables framework.
Current status
Current version is v0.7. The Debian packages are up-to-date, also in stable-backports.
After years of heavy development, the nftables framework is ready to use in production environments. You are encouraged to migrate from iptables to nftables.
Use it!
Requirements
nftables requires a linux kernel >= 3.13, but running a newer kernel >= 4.10 is recommended.
Not a requirement, but a piece of advice: don't mix nftables and iptables rulesets. Both frameworks register at the same netfilter hooks, so a packet traverses both rulesets and the combined result is hard to reason about; keep one framework per host.
FAQ
What is nftables?
It is the new framework by the Netfilter Project, allowing you to perform packet filtering (firewalling), NAT, mangling and packet classification.
Should I build a firewall using nftables?
Yes, the software is now stable enough for that.
Should I replace an iptables firewall with a nftables one?
That is a tough task. You should know what you are doing. Translation utilities have not been released so far, but they are on the roadmap. Migration depends on your concrete situation; ask for advice.
Why is nftables not in Debian Jessie?
You can find nftables in jessie-backports. At the time of the jessie release, the software was not stable.
Why a new framework?
The previous framework (iptables) has several problems that are hard to address, regarding scalability, performance, code maintenance, etc.
What are the major differences?
In iptables there are several tables (filter, nat) and chains (FORWARD, INPUT...) by default. In nftables, there are no default tables/chains.
Also, in iptables you only have one target per rule (-j ACCEPT, -j LOG ...). In nftables, you can perform several actions in one single rule.
nftables includes built-in data set capabilities. In iptables this is not possible, and there is a separate tool: ipset.
In the iptables framework there is one tool per family: iptables, ip6tables, arptables, ebtables. nftables allows you to manage all families in one single CLI tool.
This new framework features a new linux kernel subsystem, known as nf_tables. The new engine mechanism is inspired by BPF-like systems, with a set of basic expressions, which can be combined to build complex filtering rules.
I know the iptables syntax. Is there a new syntax in nftables?
Yes, but the nftables one is better.
Help in migrating to nftables: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
new syntax
Create a basic table in the inet family (one table that handles both IPv4 and IPv6):
# nft add table inet filter
Create a base chain for input traffic (the hook and priority attach it to the input path; without them the chain never sees packets):
# nft add chain inet filter input { type filter hook input priority 0; }
A rule to check that all is fine (counts every incoming packet and accepts it):
# nft add rule inet filter input counter accept
Show all the previous:
# nft list table inet filter
Flush rules in chain filter/input:
# nft flush chain inet filter input
Delete the chain filter/input:
# nft delete chain inet filter input
Delete the table filter:
# nft delete table inet filter
The family parameter is optional. The default is 'ip' (IPv4 only); use 'ip6' for IPv6 only, or 'inet' for a single table covering both:
# nft add table ip6 filter
# nft add chain ip6 filter input { type filter hook input priority 0; }
# nft add rule ip6 filter input counter accept
Debian ships example configurations in:
/usr/share/doc/nftables/examples/
Count traffic on destination port tcp/22 (the rule has no verdict, so evaluation continues with the next rule):
# nft add rule inet filter input tcp dport 22 counter
Count and accept traffic to 80/tcp and 443/tcp in new and established state:
# nft add rule inet filter input tcp dport {80, 443} ct state new,established counter accept
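The one-off commands above are fine for experimenting, but a firewall is normally kept as a ruleset file and loaded atomically with nft -f. The file below is an added example written for this page, not one of the examples shipped in /usr/share/doc/nftables/examples/ and not part of the original wiki text. It ties together the points from the FAQ (one inet table instead of iptables plus ip6tables, a named set instead of ipset, several actions in one rule) with the commands in this section. The iptables equivalents are given as comments for readers migrating. The port numbers and the addresses in the admin_nets set are assumptions chosen for illustration; adjust them to the host.

```nft
#!/usr/sbin/nft -f
# Added example for the Debian wiki nftables page (not from the page itself).
# Minimal stateful host firewall, IPv4 and IPv6 in one inet table.
# Check first, then load:   nft -c -f firewall.nft && nft -f firewall.nft
# Addresses and ports below are illustrative assumptions.

# Start from a clean slate so repeated loads do not duplicate rules.
flush ruleset

table inet filter {
    # Named set with interval support: the nftables equivalent of an ipset.
    # (assumed management networks, replace with the real ones)
    set admin_nets {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.10 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # iptables: -A INPUT -i lo -j ACCEPT
        iifname "lo" accept

        # iptables: -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        ct state established,related accept

        # iptables: -A INPUT -m conntrack --ctstate INVALID -j DROP
        ct state invalid drop

        # ICMP is needed for PMTU discovery; ICMPv6 for neighbour discovery.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # SSH only from the admin networks: a set lookup, no ipset needed.
        # iptables: -A INPUT -p tcp --dport 22 -m set --match-set admin_nets src -j ACCEPT
        tcp dport 22 ip saddr @admin_nets ct state new accept

        # An anonymous set replaces iptables multiport.
        # iptables: -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
        tcp dport { 80, 443 } ct state new counter accept

        # Several actions in one rule: rate-limit, log, count and drop.
        # iptables needs two rules for this (-j LOG, then -j DROP).
        # Packets beyond the rate do not match this rule and fall through
        # to the chain policy, which is also drop.
        limit rate 10/minute log prefix "nft-drop: " counter drop
    }

    chain forward {
        # A host that does not route should not forward anything.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Because nft -f applies the whole file in one transaction, either every rule in it is loaded or none is; combined with the leading flush ruleset this makes the file safe to reload after an edit. nft -c -f parses and validates the file without touching the kernel, so run it before every load.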
external resources
Check out the official nftables wiki: http://wiki.nftables.org/