Introducing nftables: learning to work with examples

nftables is the successor to iptables: a firewall management framework that supports packet filtering, Network Address Translation (NAT), and various packet shaping operations. It offers notable improvements in features, convenience, and performance over earlier packet filtering tools, including the following:

  • Lookup tables instead of linear processing of rules.
  • Rules are updated individually instead of having to reprocess a complete ruleset.
  • A unified framework for the IPv4 and IPv6 protocols.
  • No protocol-specific extensions.

The functional principles behind nftables generally follow the design patterns presented in the earlier sections about firewall networking chains, that is, netfilter and iptables. Just like iptables, nftables uses tables to store chains, and each chain contains a set of rules for packet filtering actions.

nftables is the default packet filtering framework in Debian and RHEL/CentOS 8 Linux distributions, replacing the old iptables (and related) tools. The command-line interface for manipulating the nftables configuration is nft. Yet, some users prefer to use a more user-friendly frontend instead, such as firewalld. (firewalld recently added backend support for nftables.) RHEL/CentOS 8, for example, uses firewalld as its default firewall management solution.

In this blog, we'll show a few examples of how to use nftables and the related command-line utilities to perform simple firewall configuration tasks. For this purpose, we'll take an RHEL/CentOS 8 distribution where we'll disable firewalld. Let's have a quick look at the preparatory steps required to run the examples in this article.

Prerequisites for our examples

If you have an RHEL/CentOS 7 system, nftables is not installed by default. You can install it with the following command:

sudo yum install -y nftables

The examples in this blog use an RHEL/CentOS 8 distribution. To directly configure nftables, we need to disable firewalld and potentially iptables (if you ran the examples in the related section). The steps for disabling firewalld were shown at the beginning of the Configuring iptables section.

Also, if you have iptables enabled, you need to stop and disable the related service with the following commands:

sudo systemctl stop iptables
sudo systemctl disable iptables

Next, we need to enable and start nftables:

sudo systemctl enable nftables
sudo systemctl start nftables

We can check the status of nftables with the following command:

sudo systemctl status nftables

If nftables is running, its status should show active:

Figure 1 – Checking the status of nftables

At this point, we are ready to configure nftables. Let's work with a few examples.

Working with nftables

nftables loads its configuration from /etc/sysconfig/nftables.conf. We can display the content of the configuration file with the following command:

sudo cat /etc/sysconfig/nftables.conf

A default nftables configuration has no active entries in nftables.conf, except for a few comments:

Figure 2 – The default nftables configuration file

As the comments suggest, to change the nftables configuration, we have a few options:

  • Directly edit the nftables.conf file.
  • Manually edit the /etc/nftables/main.nft configuration file, then uncomment the related line in nftables.conf.
  • Use the nft command-line utility to edit the rules and then dump the current configuration into nftables.conf.

Regardless of the approach taken, we need to reload the updated configuration by restarting the nftables service. In this section, we'll use nft command-line examples to change the nftables configuration. Power users usually write nft configuration scripts, but it's best to learn the basic steps first.

The following command displays all the rules in the current configuration:

sudo nft list ruleset

Your system may already have some default rules set up. You may want to back up the related configuration files (for example, /etc/sysconfig/nftables.conf and /etc/nftables/main.nft) before proceeding with the next steps.

The following command will flush any preexisting rules:

sudo nft flush ruleset

At this point, we have an empty configuration. Let's design a simple firewall that accepts SSH, HTTP, and HTTPS traffic, blocking anything else.

Accepting SSH, HTTP, and HTTPS traffic

First, we need to create a table and a chain. The following command creates a table named packt_table:

sudo nft add table inet packt_table

Next, we'll create a chain called packt_chain within packt_table:

sudo nft add chain inet packt_table packt_chain { type filter hook input priority 0 \; }

Now, we can start adding rules to packt_chain. Allow SSH, HTTP, and HTTPS access:

sudo nft add rule inet packt_table packt_chain tcp dport {ssh, http, https} accept

Let's also enable ICMP (ping):

sudo nft add rule inet packt_table packt_chain ip protocol icmp accept

Finally, we will reject everything else:

sudo nft add rule inet packt_table packt_chain reject with icmp type port-unreachable

Now, let's have a look at our new configuration:

sudo nft list ruleset

The output is as follows:

Figure 3 – A simple firewall configuration with nftables

The output suggests the following settings for our input chain (packt_chain):

  • Allow TCP traffic on destination ports 22, 80, and 443 (tcp dport { 22, 80, 443 } accept).
  • Allow ping requests (ip protocol icmp accept).
  • Reject everything else (meta nfproto ipv4 reject).

Next, we will save the current configuration to /etc/nftables/packt.nft:

sudo nft list ruleset | sudo tee /etc/nftables/packt.nft

Finally, we will point the current nftables configuration to /etc/nftables/packt.nft in the /etc/sysconfig/nftables.conf file by adding the following line:

include "/etc/nftables/packt.nft"

We will use nano (or your editor of choice) to make this change:

sudo nano /etc/sysconfig/nftables.conf

The new nftables.conf now contains the reference to our packt.nft configuration:

Figure 4 – Including the new configuration in nftables

The following command reloads the new nftables configuration:

sudo systemctl restart nftables

After this exercise, you can quickly write a script for configuring nftables using the output of the nft list ruleset command. As a matter of fact, we just did that with the /etc/nftables/packt.nft configuration file.
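As an added example (not the page's own saved output), here is what a complete /etc/nftables/packt.nft script for the same policy could look like, written in nft's native syntax so it can be loaded with sudo nft -f. It goes beyond the page's ruleset: it assumes you also want an explicit default drop policy, loopback and established/related traffic accepted, and a reject that covers IPv6 as well (the page's reject with icmp type port-unreachable only matches IPv4 in an inet table, so IPv6 packets would otherwise fall through to the chain's default accept policy).

```nft
#!/usr/sbin/nft -f
# Added example: an assumed layout for /etc/nftables/packt.nft, not the page's own file.
# Load with: sudo nft -f /etc/nftables/packt.nft

flush ruleset

table inet packt_table {
    chain packt_chain {
        # Same input hook as the page's chain, but with an explicit default policy:
        # anything not accepted below is dropped, for IPv4 and IPv6 alike.
        type filter hook input priority 0; policy drop;

        # Keep the loopback interface and already-established connections working.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # The page's services: SSH, HTTP and HTTPS.
        tcp dport { ssh, http, https } accept

        # Ping for both address families (ICMPv6 also carries neighbour discovery).
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Reject everything else with a protocol-appropriate unreachable message;
        # icmpx covers both ICMP and ICMPv6 in an inet table.
        reject with icmpx type port-unreachable
    }
}
```

Validate the file before applying it with sudo nft -c -f /etc/nftables/packt.nft, then include it and restart the service as shown above.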

With that, we will conclude our examination of packet filtering frameworks and the related command-line utilities. They enable power users to have granular control over every functional aspect of the underlying network chains and rules. Yet, some Linux administrators may find the use of such tools overwhelming and turn to relatively simpler firewall management utilities instead.

Next, we'll look at a couple of native Linux firewall management tools that provide a more streamlined and user-friendly command-line interface for configuring and managing firewalls.
