Differences between revisions 40 and 51 (spanning 11 versions)
Revision 40 as of 2019-10-14 16:53:05
Size: 5248
Comment: The docker claim is bogus, and has nothing to do with nftables anyway. I would add that message to a docker wiki page rather than here.
Revision 51 as of 2023-02-15 13:07:18
Size: 6493
Comment: refresh current status section
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
#language en

~-[[DebianWiki/EditorGuide#translation|Translation(s)]]:
English - [[it/nftables|Italiano]] - [[ru/nftables|Русский]] -~

----
Line 3: Line 10:
Two of the most common uses of nftables is to provide firewall support and NAT. Two of the most common uses of nftables is to provide firewall support and Network Address Translation (NAT).
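Review bot: the rewritten sentence keeps the subject-verb disagreement of the old one; "Two of the most common uses of nftables is" should read "Two of the most common uses of nftables are to provide firewall support and Network Address Translation (NAT)."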
Line 5: Line 12:
nftables replaces the [[iptables|iptables]] framework. nftables is the default and recommended firewalling framework in Debian, and it replaces the old [[iptables|iptables]] (and related) tools.
Line 11: Line 18:
'''NOTE: Debian Buster uses the nftables framework by default'''. '''nftables is the default framework in use in Debian''' (since Debian 10 Buster)
Line 13: Line 20:
Starting with Debian Buster, nf_tables is the default backend when using iptables, by means of the iptables-nft layer (i.e, using iptables syntax with the nf_tables kernel subsystem).
This also affects ip6tables, arptables and ebtables.
This means:
 * the '''nft''' command line interface should be available.
 * the iptables utility may not be installed in a system by default.
 * if installed, the iptables utility will use by default the nf_tables backend by means of the iptables-nft layer (i.e, using iptables syntax with the nf_tables kernel subsystem).
 * this also affects ip6tables, arptables and ebtables

= Hints =

Some hints folks might find interesting in some situations.

== Use firewalld ==

You should consider using a wrapper instead of writing your own firewalling scripts. It is recommended to run [[firewalld]], which integrates pretty well into the system. See also https://firewalld.org/

The firewalld software takes control of all the firewalling setup in your system, so you don't have to know all the details of what is happening in the underground.
There are many other system components that can integrate with firewalld, like NetworkManager, libvirt, podman, fail2ban, docker, etc.

== Reverting to legacy xtables ==
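Review bot: in the new "This means:" list the abbreviation is written "i.e," and should be "i.e.,", and the last bullet is missing its full stop; in the new firewalld section "what is happening in the underground" reads more naturally as "what is happening under the hood". The integration list "NetworkManager, libvirt, podman, fail2ban, docker" also reintroduces docker after the revision 40 comment called a docker claim bogus, so that entry is worth double-checking before it lands.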
Line 18: Line 41:
The default starting with Debian Buster: The default starting with Debian 10 Buster:
Line 34: Line 57:
= nftables in Debian the easy way = == nftables in Debian the easy way ==
Line 62: Line 85:

Line 107: Line 132:
Create a basic IPv4 table: Create a basic IPv4/IPv6 dual-stack table:
Line 112: Line 137:
Create a chain for input traffic IPv4: Create a chain for input IPv4/IPv6 dual-stack traffic:
Line 117: Line 142:
A rule to check that all is fine (IPv4): A rule to check that all is fine (IPv4/IPv6 dual-stack):
Line 142: Line 167:
The family parameter is optional. The default is 'ip': The family parameter is optional. The default is 'ip'. Other families are 'inet', 'ip6', 'arp', 'bridge' or 'netdev':
Line 154: Line 179:
Count traffic on destination port tcp/22: Count traffic on destination port tcp/22 (IPv4/IPv6 dual-stack):
Line 159: Line 184:
Count and accept traffic in 80/tcp and 443/tcp in new and establised state: Count and accept traffic in 80/tcp and 443/tcp in new and established state (IPv4/IPv6 dual-stack):

nftables is a framework by the Netfilter Project that provides packet filtering, network address translation (NAT) and other packet mangling.

Two of the most common uses of nftables are to provide firewall support and Network Address Translation (NAT).

nftables is the default and recommended firewalling framework in Debian, and it replaces the old iptables (and related) tools.

Current status

nftables is the default framework in use in Debian (since Debian 10 Buster).

This means:

  • the nft command line interface should be available.
  • the iptables utility may not be installed in a system by default.
  • if installed, the iptables utility will use by default the nf_tables backend by means of the iptables-nft layer (i.e., using iptables syntax with the nf_tables kernel subsystem).
  • this also affects ip6tables, arptables and ebtables.

Hints

Some hints folks might find interesting in some situations.

Use firewalld

You should consider using a wrapper instead of writing your own firewalling scripts. It is recommended to run firewalld, which integrates pretty well into the system. See also https://firewalld.org/

The firewalld software takes control of all the firewalling setup in your system, so you don't have to know all the details of what is happening under the hood. There are many other system components that can integrate with firewalld, like NetworkManager, libvirt, podman, fail2ban, docker, etc.

Reverting to legacy xtables

You can switch back and forth between iptables-nft and iptables-legacy by means of update-alternatives (same applies to arptables and ebtables).

The default starting with Debian 10 Buster:

# update-alternatives --set iptables /usr/sbin/iptables-nft
# update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
# update-alternatives --set arptables /usr/sbin/arptables-nft
# update-alternatives --set ebtables /usr/sbin/ebtables-nft

Switching to the legacy version:

# update-alternatives --set iptables /usr/sbin/iptables-legacy
# update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
# update-alternatives --set arptables /usr/sbin/arptables-legacy
# update-alternatives --set ebtables /usr/sbin/ebtables-legacy

nftables in Debian the easy way

If you want to enable a default firewall in Debian, follow these steps:

# aptitude install nftables
# systemctl enable nftables.service

This way, nftables is active at boot. By default, rules are located in /etc/nftables.conf.

To stop nftables from doing anything, just drop all the rules:

# nft flush ruleset

To prevent nftables from starting at boot:

# systemctl mask nftables.service

To uninstall it and purge any traces of nftables in your system:

# aptitude purge nftables

FAQ

What is nftables?

It is the new framework by the Netfilter Project, allowing you to perform packet filtering (firewalling), NAT, mangling and packet classification.

Should I build a firewall using nftables?

Yes. Building new firewalls on top of iptables is discouraged.

Should I replace an iptables firewall with an nftables one?

Yes, nftables is the replacement for iptables. There are tools in place to ease this task.

Please read: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

Why a new framework?

The previous framework (iptables) has several problems that are hard to address, regarding scalability, performance, code maintenance, etc.

What are the major differences?

In iptables there are several tables (filter, nat) and chains (FORWARD, INPUT...) by default. In nftables, there are no default tables/chains.

Also, in iptables you only have one target per rule (-j ACCEPT, -j LOG ...). In nftables, you can perform several actions in one single rule.

nftables includes built-in data set capabilities. In iptables this is not possible, and there is a separate tool: ipset.

In the iptables framework there are tools per family: iptables, ip6tables, arptables, ebtables. Now, nftables allows you to manage all families in one single CLI tool.

This new framework features a new Linux kernel subsystem, known as nf_tables. The new engine mechanism is inspired by BPF-like systems, with a set of basic expressions, which can be combined to build complex filtering rules.

Should I mix nftables and iptables/ebtables/arptables rulesets?

No, unless you know what you are doing.

I knew the iptables syntax. Is there a new syntax in nftables?

Yes, but the nftables one is better :-)

Help in migrating to nftables: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

new syntax

Create a basic IPv4/IPv6 dual-stack table:

# nft add table inet filter

Create a chain for input IPv4/IPv6 dual-stack traffic:

# nft add chain inet filter input { type filter hook input priority 0\; }

A rule to check that all is fine (IPv4/IPv6 dual-stack):

# nft add rule inet filter input counter accept

Show all the previous:

# nft list table inet filter

Flush rules in chain filter/input:

# nft flush chain inet filter input

Delete the chain filter/input:

# nft delete chain inet filter input

Delete the table filter:

# nft delete table inet filter

The family parameter is optional. The default is 'ip'. Other families are 'inet', 'ip6', 'arp', 'bridge' or 'netdev':

# nft add table ip6 filter
# nft add chain ip6 filter input
# nft add rule ip6 filter input counter accept

Debian ships example configurations in:

/usr/share/doc/nftables/examples/

Count traffic on destination port tcp/22 (IPv4/IPv6 dual-stack):

# nft add rule inet filter input tcp dport 22 counter

Count and accept traffic in 80/tcp and 443/tcp in new and established state (IPv4/IPv6 dual-stack):

# nft add rule inet filter input tcp dport {80, 443} ct state new,established counter accept
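The one-off nft commands above only live until the next reboot or flush; the following is an added example, not taken from this wiki page or from Debian's shipped examples, that collects them (plus the FAQ's points about the inet family, named sets replacing ipset, and several actions in one rule) into a persistent /etc/nftables.conf for the nftables.service described in "nftables in Debian the easy way". The management network and the interface name are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: a dual-stack (inet) input firewall for a single host.
# Not the Debian wiki's or the nftables project's own file.
# Load it with: nft -f /etc/nftables.conf   (or via nftables.service)

flush ruleset

table inet filter {
    # Named set: one rule matches several ports, no separate ipset tool needed.
    set web_ports {
        type inet_service
        elements = { 80, 443 }
    }

    # Constructed placeholder for the admin network; replace with your own.
    set mgmt_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }
    }

    chain input {
        # Base chain: the hook is what makes packets flow through it.
        type filter hook input priority 0; policy drop;

        # Loopback and already-established flows first.
        iif "lo" accept
        ct state established,related counter accept
        ct state invalid drop

        # ICMP and ICMPv6 are needed for path MTU discovery and IPv6 neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # SSH only from the management set; counter, log and accept in a single rule.
        ip saddr @mgmt_v4 tcp dport 22 ct state new counter log prefix "ssh-new: " accept

        # Web ports from anywhere, counted for monitoring.
        tcp dport @web_ports ct state new counter accept
    }

    chain forward {
        # This host does not route; drop anything it is asked to forward.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the result with "nft list ruleset"; the counters on the SSH and web rules are what "nft list table inet filter" shows incrementing as traffic matches.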

external resources

Check out the official nftables wiki: http://wiki.nftables.org/
