Differences between revisions 3 and 42 (spanning 39 versions)
Revision 3 as of 2014-09-15 09:53:07
Size: 3778
Comment: delete double title
Revision 42 as of 2019-11-11 02:48:41
Size: 5552
Comment: Добавлен русский язык
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
#language en

~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: English - - [[ru/nftables|Русский]] -~

----
Line 5: Line 11:
nftables is meant to replace the [[iptables|iptables]] framework. nftables replaces the [[iptables|iptables]] framework.

<<TableOfContents>>
Line 9: Line 17:
nftables is under heavy development. '''NOTE: Debian Buster uses the nftables framework by default'''.
Line 11: Line 19:
For a production firewall, you should keep using [[iptables]]. Starting with Debian Buster, nf_tables is the default backend when using iptables, by means of the iptables-nft layer (i.e, using iptables syntax with the nf_tables kernel subsystem).
This also affects ip6tables, arptables and ebtables.
Line 13: Line 22:
However, you would like to start testing nftables: You can switch back and forth between iptables-nft and iptables-legacy by means of update-alternatives (same applies to arptables and ebtables).
Line 15: Line 24:
 * the new syntax and engine
 * get in touch with new workflows
 * report bug and request features
The default starting with Debian Buster:
{{{
# update-alternatives --set iptables /usr/sbin/iptables-nft
# update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
# update-alternatives --set arptables /usr/sbin/arptables-nft
# update-alternatives --set ebtables /usr/sbin/ebtables-nft
}}}
Line 19: Line 32:
Currently, lots of bugs-fixes and features are added in each new release. Switching to the legacy version:
{{{
# update-alternatives --set iptables /usr/sbin/iptables-legacy
# update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
# update-alternatives --set arptables /usr/sbin/arptables-legacy
# update-alternatives --set ebtables /usr/sbin/ebtables-legacy
}}}
Line 21: Line 40:
= Requirements = = nftables in Debian the easy way =
Line 23: Line 42:
nftables requires a linux '''kernel >= 3.13''', but running a newer kernel is recommended. If you want to enable a default firewall in Debian, follow these steps:
Line 25: Line 44:
Also, nftables requires libnftnl, a public library which provides a low level interface to the kernel subsystem. {{{
# aptitude install nftables
# systemctl enable nftables.service
}}}
Line 27: Line 49:
Aptitude will take care of all dependencies. This way, nftables is active at boot. By default, rules are located in '''/etc/nftables.conf'''.

To stop nftables from doing anything, just drop all the rules:

{{{
# nft flush ruleset
}}}

To prevent nftables from starting at boot:

{{{
# systemctl mask nftables.service
}}}

To uninstall it and purge any traces of nftables in your system:

{{{
# aptitude purge nftables
}}}

You should consider using a wrapper instead of writing your own firewalling scripts. It is recommended to run [[firewalld]], which integrates pretty well into the system.
Line 31: Line 73:
=== What is nftables? === == What is nftables? ==
Line 34: Line 76:
=== Why a new framework? === == Should I build a firewall using a nftables? ==

Yes. Building new firewalls on top of iptables is discouraged.

== Should I replace an iptables firewall with a nftables one? ==

Yes, nftables is the replacement for iptables. There are some tools in place to ease in this task.

Please read: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

== Why a new framework? ==
Line 37: Line 90:
=== Should I stop working with iptables to build a firewall? ===
No. Currently, nftables is in an early development state. Nowadays, iptables is more stable.
== What are the major differences? ==
Line 40: Line 92:
=== Then, Why should I use nftables? ===
You can start testing what is meant to become the future of firewalls on Linux. Report bugs, request features and get in touch with the latest in this technology.

=== I knew the iptables syntax. Is there a new syntax is nftables? ===
Yes, but the nftables is better :-)

=== What are the major differences? ===
Line 51: Line 96:
nftables includes built-in data sets capabilities. In iptables, this is not possible, and there are a separated tool: [[ipset|ipset]]. nftables includes built-in data sets capabilities. In iptables this is not possible, and there is a separated tool: [[ipset|ipset]].
Line 55: Line 100:
This new framework features a new linux kernel subsystem, known as nf_tables.
The new engine mechanism is inspired by BPF-like systems, with a set of basic expressions, which can be combined to build complex filtering rules.

== Should I mix nftables and iptables/ebtables/arptables rulesets? ==

No, unless you know what you are doing.

== I knew the iptables syntax. Is there a new syntax in nftables? ==

Yes, but the nftables one is better :-)

Help in migrating to nftables: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
Line 56: Line 114:
Line 58: Line 117:
# nft add table filter # nft add table inet filter
Line 63: Line 122:
# nft add chain filter input { type filter hook input priority 0; } # nft add chain inet filter input { type filter hook input priority 0\; }
Line 68: Line 127:
# nft add rule filter input counter accept # nft add rule inet filter input counter accept
Line 73: Line 132:
# nft list table filter # nft list table inet filter
Line 78: Line 137:
# nft flush chain filter input # nft flush chain inet filter input
Line 83: Line 142:
# nft delete chain filter input # nft delete chain inet filter input
Line 88: Line 147:
# nft delete table filter # nft delete table inet filter
Line 98: Line 157:
Debian ships an example configuration: Debian ships example configurations in:
Line 100: Line 159:
# nft -f /usr/share/doc/nftables/examples/basic.nft #/usr/share/doc/nftables/examples/
Line 105: Line 164:
# nft add rule filter input tcp dport 22 counter # nft add rule inet filter input tcp dport 22 counter
Line 108: Line 167:
Count and accept traffic in 80/tcp and 443/tcp in new an establised state: Count and accept traffic in 80/tcp and 443/tcp in new and establised state:
Line 110: Line 169:
# nft add rule filter input tcp dport {80, 443} ct state new,established counter accept
}}}

Export the ruleset in XML format (importing not yet supported):
{{{
nft export xml
# nft add rule inet filter input tcp dport {80, 443} ct state new,established counter accept

Translation(s): English - - Русский


nftables is a framework by the Netfilter Project that provides packet filtering, network address translation (NAT) and other packet mangling.

Two of the most common uses of nftables is to provide firewall support and NAT.

nftables replaces the iptables framework.

Current status

NOTE: Debian Buster uses the nftables framework by default.

Starting with Debian Buster, nf_tables is the default backend when using iptables, by means of the iptables-nft layer (i.e, using iptables syntax with the nf_tables kernel subsystem). This also affects ip6tables, arptables and ebtables.

You can switch back and forth between iptables-nft and iptables-legacy by means of update-alternatives (same applies to arptables and ebtables).

The default starting with Debian Buster:

# update-alternatives --set iptables /usr/sbin/iptables-nft
# update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
# update-alternatives --set arptables /usr/sbin/arptables-nft
# update-alternatives --set ebtables /usr/sbin/ebtables-nft

Switching to the legacy version:

# update-alternatives --set iptables /usr/sbin/iptables-legacy
# update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
# update-alternatives --set arptables /usr/sbin/arptables-legacy
# update-alternatives --set ebtables /usr/sbin/ebtables-legacy

nftables in Debian the easy way

If you want to enable a default firewall in Debian, follow these steps:

# aptitude install nftables
# systemctl enable nftables.service

This way, nftables is active at boot. By default, rules are located in /etc/nftables.conf.

To stop nftables from doing anything, just drop all the rules:

# nft flush ruleset

To prevent nftables from starting at boot:

# systemctl mask nftables.service

To uninstall it and purge any traces of nftables in your system:

# aptitude purge nftables

You should consider using a wrapper instead of writing your own firewalling scripts. It is recommended to run ?firewalld, which integrates pretty well into the system.

FAQ

What is nftables?

Is the new framework by the Netfilter Project, allowing you to perform packet filtering (firewalling), NAT, mangling and packet classification.

Should I build a firewall using a nftables?

Yes. Building new firewalls on top of iptables is discouraged.

Should I replace an iptables firewall with a nftables one?

Yes, nftables is the replacement for iptables. There are some tools in place to ease in this task.

Please read: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

Why a new framework?

The previous framework (iptables) has several problems hard to address, regarding scalability, performance, code maintenance, etc..

What are the major differences?

In iptables there are several tables (filter, nat) and chains (FORWARD, INPUT...) by default. In nftables, there are no default tables/chains.

Also, in iptables you only have one target per rule (-j ACCEPT, -j LOG ...). In nftables, you can perform several actions in one single rule.

nftables includes built-in data sets capabilities. In iptables this is not possible, and there is a separated tool: ?ipset.

In the iptables framework there are tools per family: iptables, ip6tables, arptables, ebtables. Now, nftables allows you to manage all families in one single CLI tool.

This new framework features a new linux kernel subsystem, known as nf_tables. The new engine mechanism is inspired by BPF-like systems, with a set of basic expressions, which can be combined to build complex filtering rules.

Should I mix nftables and iptables/ebtables/arptables rulesets?

No, unless you know what you are doing.

I knew the iptables syntax. Is there a new syntax in nftables?

Yes, but the nftables one is better :-)

Help in migrating to nftables: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

new syntax

Create a basic IPv4 table:

# nft add table inet filter

Create a chain for input traffic IPv4:

# nft add chain inet filter input { type filter hook input priority 0\; }

A rule to check that all is fine (IPv4):

# nft add rule inet filter input counter accept

Show all the previous:

# nft list table inet filter

Flush rules in chain filter/input:

# nft flush chain inet filter input

Delete the chain filter/input:

# nft delete chain inet filter input

Delete the table filter:

# nft delete table inet filter

The family parameter is optional. The default is 'ip':

# nft add table ip6 filter
# nft add chain ip6 filter input
# nft add rule ip6 filter input counter accept

Debian ships example configurations in:

#/usr/share/doc/nftables/examples/

Count traffic on destination port tcp/22:

# nft add rule inet filter input tcp dport 22 counter

Count and accept traffic in 80/tcp and 443/tcp in new and establised state:

# nft add rule inet filter input tcp dport {80, 443} ct state new,established counter accept

external resources

Check out the official nftables wiki: http://wiki.nftables.org/


CategorySystemAdministration