Differences between revisions 28 and 30 (spanning 2 versions)
Revision 28 as of 2018-01-18 19:35:43
Size: 4015
Editor: GeertStappers
Comment: that 'an' is an 'and'
Revision 30 as of 2018-11-16 09:33:08
Size: 4133
Comment: refresh
Changes between revision 28 and revision 30:

Line 11:
Old: Current version is v0.8. The Debian packages are up-to-date in unstable, also in stable (Stretch) the package is based on v0.7. Previous stable (Jessie) had it in backports.
New: Current version is v0.9. The Debian packages are up-to-date in unstable, also in stable (Stretch) the package is based on v0.7. Previous stable (Jessie) had it in backports.

Line 13:
Old: After years of heavy development, the nftables framework is ready to use in production environments. You are encouraged to migrate from iptables to nftables. Use it!
New: Starting with Debian Buster, nf_tables is the default backend when using iptables, by means of the iptables-nft layer (i.e, using iptables syntax with the nf_tables kernel subsystem). This also affects ip6tables/arptables and ebtables.

Line 22 (now line 20):
Old: Not a requirement, but an advice: don't mix nftables and iptables rulesets.
New: Not a requirement, but an advice: don't mix nftables and iptables rulesets unless you know what you are doing.

Line 31 (now line 29):
Old: Yes, the software is now stable enough for that.
New: Yes. Building new firewalls on top of iptables is discouraged.

Line 35 (now line 33):
Old: Yes, nftables is a replacement for iptables. There are some tools in place to ease in this task.
New: Yes, nftables is the replacement for iptables. There are some tools in place to ease in this task.

nftables is a framework by the Netfilter Project that provides packet filtering, network address translation (NAT) and other packet mangling.

Two of the most common uses of nftables are to provide firewall support and NAT.

nftables replaces the iptables framework.

Current status

Current version is v0.9. The Debian packages are up-to-date in unstable; in stable (Stretch) the package is based on v0.7. Previous stable (Jessie) had it in backports.

Starting with Debian Buster, nf_tables is the default backend when using iptables, by means of the iptables-nft layer (i.e., using iptables syntax with the nf_tables kernel subsystem). This also affects ip6tables/arptables and ebtables.

Requirements

nftables requires a Linux kernel >= 3.13, but running a newer kernel >= 4.10 is recommended.

Not a requirement, but advice: don't mix nftables and iptables rulesets unless you know what you are doing.

FAQ

What is nftables?

It is the new framework by the Netfilter Project, allowing you to perform packet filtering (firewalling), NAT, mangling and packet classification.

Should I build a firewall using nftables?

Yes. Building new firewalls on top of iptables is discouraged.

Should I replace an iptables firewall with a nftables one?

Yes, nftables is the replacement for iptables. There are some tools in place to ease this task.

Please read: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

Why a new framework?

The previous framework (iptables) has several problems that are hard to address, regarding scalability, performance, code maintenance, etc.

What are the major differences?

In iptables there are several tables (filter, nat) and chains (FORWARD, INPUT...) by default. In nftables, there are no default tables/chains.

Also, in iptables you only have one target per rule (-j ACCEPT, -j LOG ...). In nftables, you can perform several actions in one single rule.

nftables includes built-in data set capabilities. In iptables this is not possible, and there is a separate tool: ipset.

In the iptables framework there are tools per family: iptables, ip6tables, arptables, ebtables. Now, nftables allows you to manage all families in one single CLI tool.

This new framework features a new Linux kernel subsystem, known as nf_tables. The new engine mechanism is inspired by BPF-like systems, with a set of basic expressions which can be combined to build complex filtering rules.

I knew the iptables syntax. Is there a new syntax in nftables?

Yes, but the nftables one is better :-)

Help in migrating to nftables: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

New syntax

Create a basic table for IPv4 (and IPv6, since the inet family covers both):

# nft add table inet filter

Create a chain for input traffic IPv4:

# nft add chain inet filter input '{ type filter hook input priority 0; }'

A rule to check that all is fine (IPv4):

# nft add rule inet filter input counter accept

Show all the previous:

# nft list table inet filter

Flush rules in chain filter/input:

# nft flush chain inet filter input

Delete the chain filter/input:

# nft delete chain inet filter input

Delete the table filter:

# nft delete table inet filter

The family parameter is optional; the default is 'ip'. Other families, such as ip6, are given explicitly:

# nft add table ip6 filter
# nft add chain ip6 filter input
# nft add rule ip6 filter input counter accept

Debian ships example configurations in:

/usr/share/doc/nftables/examples/

Count traffic on destination port tcp/22:

# nft add rule inet filter input tcp dport 22 counter

Count and accept traffic on 80/tcp and 443/tcp in new and established state:

# nft add rule inet filter input tcp dport '{ 80, 443 }' ct state new,established counter accept
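The commands above build a ruleset one statement at a time; the same ruleset can be kept in a single file and loaded atomically with nft -f. The file below is an added example (not from the Debian wiki or the nftables project) that ties the steps above to the differences listed in the FAQ: one inet table serves both IPv4 and IPv6, a named set takes the role of ipset, and one rule performs several actions. The set members are constructed sample addresses from documentation ranges; the chain, set and log prefix names are chosen for this example. Syntax-check it with nft -c -f before loading.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the Debian wiki). Check: nft -c -f <file>

flush ruleset

table inet filter {
    # Built-in set: hosts allowed to reach SSH (constructed sample addresses)
    set ssh_admins {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    chain input {
        # Nothing exists by default: base chain, hook and policy are explicit
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state invalid counter drop
        ct state established,related counter accept

        # ICMP/ICMPv6 are needed for path MTU discovery and neighbour discovery
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Several actions in one rule: count, log and accept
        tcp dport 22 ip saddr @ssh_admins counter log prefix "ssh-admin: " accept

        # Web traffic, as in the page's example, using an anonymous port set
        tcp dport { 80, 443 } ct state new counter accept

        # Anything else is counted and then hits the chain policy (drop)
        counter
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

On Debian the same file layout is what /etc/nftables.conf uses, so once it checks clean it can be loaded with nft -f and inspected with nft list ruleset.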

External resources

Check out the official nftables wiki: http://wiki.nftables.org/
