Differences between revisions 21 and 24 (spanning 3 versions)
Revision 21 as of 2016-12-24 13:59:39
Size: 4072
Comment: add link to nftables wiki about moving from iptables to nftables
Revision 24 as of 2017-08-18 12:38:57
Size: 4091
Comment: replaces already!
Deletions are marked like this. Additions are marked like this.
Line 5: Line 5:
nftables is meant to replace the [[iptables|iptables]] framework. nftables replaces the [[iptables|iptables]] framework.
Line 11: Line 11:
Current version is v0.6. The Debian packages are up-to-date, also in stable-backports. Current version is v0.7. The Debian packages are up-to-date, also in stable-backports.
Line 20: Line 20:
nftables requires a linux '''kernel >= 3.13''', but running a newer '''kernel >= 4.7''' is recommended. nftables requires a linux '''kernel >= 3.13''', but running a newer '''kernel >= 4.10''' is recommended.
Line 67: Line 67:
# nft add table filter # nft add table inet filter
Line 72: Line 72:
# nft add chain filter input { type filter hook input priority 0; } # nft add chain inet filter input { type filter hook input priority 0; }
Line 77: Line 77:
# nft add rule filter input counter accept # nft add rule inet filter input counter accept
Line 82: Line 82:
# nft list table filter # nft list table inet filter
Line 87: Line 87:
# nft flush chain filter input # nft flush chain inet filter input
Line 92: Line 92:
# nft delete chain filter input # nft delete chain inet filter input
Line 97: Line 97:
# nft delete table filter # nft delete table inet filter
Line 107: Line 107:
Debian ships an example configuration: Debian ships example configurations in:
Line 109: Line 109:
# nft -f /usr/share/doc/nftables/examples/basic.nft #/usr/share/doc/nftables/examples/
Line 114: Line 114:
# nft add rule filter input tcp dport 22 counter # nft add rule inet filter input tcp dport 22 counter
Line 119: Line 119:
# nft add rule filter input tcp dport {80, 443} ct state new,established counter accept # nft add rule inet filter input tcp dport {80, 443} ct state new,established counter accept

nftables is a framework by the Netfilter Project that provides packet filtering, network address translation (NAT) and other packet mangling.

Two of the most common uses of nftables is to provide firewall support and NAT.

nftables replaces the iptables framework.

Current status

Current version is v0.7. The Debian packages are up-to-date, also in stable-backports.

After years of heavy development, the nftables framework is ready to use in production environments. You are encouraged to migrate from iptables to nftables.

Use it!

Requirements

nftables requires a linux kernel >= 3.13, but running a newer kernel >= 4.10 is recommended.

Not a requirement, but an advice: don't mix nftables and iptables rulesets.

FAQ

What is nftables?

Is the new framework by the Netfilter Project, allowing you to perform packet filtering (firewalling), NAT, mangling and packet classification.

Should I build a firewall using a nftables?

Yes, the software is now stable enough for that.

Should I replace an iptables firewall with a nftables one?

That is a tough task. You should know what you are doing. Translation utilities hadn't been released so far, however they are in the roadmap. Migrating all depends on your concrete situation, ask for advice.

Why is nftables not in Debian Jessie?

You can find nftables in jessie-backports :-) At the time of jessie release, the software was not stable.

Why a new framework?

The previous framework (iptables) has several problems hard to address, regarding scalability, performance, code maintenance, etc..

What are the major differences?

In iptables there are several tables (filter, nat) and chains (FORWARD, INPUT...) by default. In nftables, there are no default tables/chains.

Also, in iptables you only have one target per rule (-j ACCEPT, -j LOG ...). In nftables, you can perform several actions in one single rule.

nftables includes built-in data sets capabilities. In iptables this is not possible, and there is a separated tool: ?ipset.

In the iptables framework there are tools per family: iptables, ip6tables, arptables, ebtables. Now, nftables allows you to manage all families in one single CLI tool.

This new framework features a new linux kernel subsystem, known as nf_tables. The new engine mechanism is inspired by BPF-like systems, with a set of basic expressions, which can be combined to build complex filtering rules.

I knew the iptables syntax. Is there a new syntax is nftables?

Yes, but the nftables one is better :-)

Help in migrating to nftables: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

new syntax

Create a basic IPv4 table:

# nft add table inet filter

Create a chain for input traffic IPv4:

# nft add chain inet filter input { type filter hook input priority 0; }

A rule to check that all is fine (IPv4):

# nft add rule inet filter input counter accept

Show all the previous:

# nft list table inet filter

Flush rules in chain filter/input:

# nft flush chain inet filter input

Delete the chain filter/input:

# nft delete chain inet filter input

Delete the table filter:

# nft delete table inet filter

The family parameter is optional. The default is 'ip':

# nft add table ip6 filter
# nft add chain ip6 filter input
# nft add rule ip6 filter input counter accept

Debian ships example configurations in:

#/usr/share/doc/nftables/examples/

Count traffic on destination port tcp/22:

# nft add rule inet filter input tcp dport 22 counter

Count and accept traffic in 80/tcp and 443/tcp in new an establised state:

# nft add rule inet filter input tcp dport {80, 443} ct state new,established counter accept

external resources

Check out the official nftables wiki: http://wiki.nftables.org/


CategorySystemAdministration