In the world of Linux, firewalls play a crucial role in protecting systems from potential threats. While the traditional iptables has served well over the years, nftables is the new standard for packet filtering and firewall management in Linux. It’s designed to simplify the process of creating and managing firewall rules, offering enhanced performance and usability. In this guide, we’ll walk you through the process of mastering nftables and setting up a robust firewall for your Linux server.

What is Nftables?

nftables is the successor to iptables, providing a single framework to handle both IPv4 and IPv6 packets as well as ARP. It introduces a new command-line interface and uses a more efficient data structure that results in better performance and easier management. Additionally, it allows you to create complex rule sets in a more straightforward way compared to its predecessors.

Why Use Nftables?

  1. Simplicity: nftables reduces the complexity of managing rules.
  2. Efficiency: It leverages an optimized data structure for performance.
  3. Unified Syntax: Offers a unified syntax for IPv4, IPv6, and ARP.
  4. Stateful Filtering: Supports stateful packet inspection with ease.

Prerequisites

Before we proceed with the setup, ensure you have:

  • A Linux server running a supported distribution (e.g., Ubuntu, Fedora, CentOS).
  • Root or sudo privileges on the server.

Step 1: Installing Nftables

On most modern Linux distributions, nftables comes pre-installed. However, if it’s not installed, you can easily set it up using your package manager.

For Debian/Ubuntu:

sudo apt update
sudo apt install nftables

For Fedora:

sudo dnf install nftables

For CentOS/RHEL:

sudo yum install nftables

Once installed, enable and start the nftables service:

sudo systemctl enable nftables
sudo systemctl start nftables

Step 2: Understanding Nftables Configuration

nftables configuration is organized into tables, chains, and rules. Here’s a brief overview:

  • Table: A container for chains, scoped to an address family (ip, ip6, inet for IPv4 and IPv6 together, arp, and so on); a table can hold several chains.
  • Chain: An ordered list of rules. A base chain is attached to a netfilter hook (input, output, forward, ...) with a priority and a default policy, and every packet passing that hook is evaluated against its rules in order until one gives a verdict.
  • Rule: A set of match conditions plus the verdict or action to take when they match (accept, drop, log, etc.).

The nft commands mirror this hierarchy: each command names the address family and table, then the chain, then the rule it acts on.

Step 3: Creating Your First Nftables Ruleset

Let’s create a basic ruleset to control incoming and outgoing traffic.

  1. Create a New Ruleset File:

    Start by creating a new file, e.g., /etc/nftables.conf.

    sudo nano /etc/nftables.conf

  2. Define the Ruleset:

    Here’s a simple configuration to allow established connections and block everything else:

    #!/usr/sbin/nft -f

    table inet filter {
        chain input {
            type filter hook input priority 0; policy drop;
            iif "lo" accept                         # Allow loopback traffic
            ct state established,related accept     # Allow established traffic
            ip saddr 192.168.1.0/24 accept          # Allow local network
            tcp dport ssh accept                    # Allow SSH
            tcp dport http accept                   # Allow HTTP
            tcp dport https accept                  # Allow HTTPS
        }

        chain output {
            type filter hook output priority 0; policy accept;   # Allow all outgoing traffic
        }
    }

  3. Load the Ruleset:

    To make these rules active, load the ruleset using:

    sudo nft -f /etc/nftables.conf

  4. Verify Your Rules:

    Check that your rules have been applied successfully:

    sudo nft list ruleset

Step 4: Saving Nftables Rules

To ensure your rules persist after a reboot, make sure nftables loads your ruleset on startup. The nftables systemd service does this by reading one fixed configuration file at boot, so your rules have to live in that file. Edit the default config file:

For Debian, Ubuntu and most other distributions:

sudo nano /etc/nftables.conf

Ensure it contains the rules you’ve defined. On Fedora, CentOS and RHEL the service reads /etc/sysconfig/nftables.conf instead, so put the ruleset there. Whichever file you use, it is good practice to start it with a flush ruleset statement so that reloading the file replaces the running rules rather than appending a second copy of each.

Also, enable the nftables service to start on boot:

sudo systemctl enable nftables
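Before a ruleset file is loaded, either by hand or by the service at boot, it pays to check it. The helper below is an added example and not part of the article: lint_ruleset greps the file for three things this guide relies on (a leading flush ruleset so reloads do not duplicate rules, policy drop on the input hook, and a loopback accept), and apply_ruleset parses the file with nft -c (check mode, nothing reaches the kernel) before loading it. The checks assume the one-line chain header layout used above and are heuristics, not an nft parser.

```shell
#!/bin/sh
# Added example (not part of the original article): sanity-check an nftables
# ruleset file before loading it, then load it atomically.
#
# Two pitfalls this guards against:
#   * "nft -f" without a leading "flush ruleset" ADDS to the live ruleset,
#     so every reload duplicates the rules.
#   * a typo in the file is only reported when it is loaded; "nft -c -f"
#     parses the file without touching the kernel.

# lint_ruleset FILE -- print one line per finding, return non-zero if any
lint_ruleset() {
    file="$1"
    rc=0
    if ! grep -Eq '^[[:space:]]*flush ruleset' "$file"; then
        echo "$file: no 'flush ruleset' statement; every reload will duplicate the rules"
        rc=1
    fi
    # heuristic: assumes "type filter hook input ...; policy X;" is on one line
    if grep -q 'hook input' "$file" && ! grep 'hook input' "$file" | grep -q 'policy drop'; then
        echo "$file: the input chain does not default to 'policy drop'"
        rc=1
    fi
    if ! grep -Eq 'iif(name)? +"?lo"? +accept' "$file"; then
        echo "$file: no rule accepting loopback traffic; local services will break under policy drop"
        rc=1
    fi
    return $rc
}

# apply_ruleset FILE -- lint, dry-run parse, then load in a single transaction
apply_ruleset() {
    lint_ruleset "$1" || return 1
    nft -c -f "$1" || return 1     # parse only; reports syntax errors, changes nothing
    nft -f "$1"                    # flush + new rules are applied as one atomic transaction
}

# Usage (as root): apply_ruleset /etc/nftables.conf && nft list ruleset
```

Because nft -f applies the whole file as one transaction, a file that begins with flush ruleset never leaves the kernel without rules, even for an instant; a file without it simply stacks a second copy of every rule on top of the first on each reload.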

Step 5: Managing Nftables Rules

Adding New Rules

To append a rule to the end of a chain without editing the file, use the command directly. Rules added this way take effect immediately but exist only in the kernel; if the change should survive a reboot, add it to /etc/nftables.conf as well.

sudo nft add rule inet filter input tcp dport 22 accept

Deleting Rules

To remove a rule, identify it by its handle (pass the -a flag to nft list so that handles are shown next to each rule), then delete it:

sudo nft delete rule inet filter input handle <handle_number>

Flushing Rules

To clear all rules, you can flush a chain (the chain and its policy remain) or an entire table (every chain in it is emptied). Be careful: flushing the input chain while its policy is drop leaves no accept rules at all, so every inbound connection, including the SSH session you are working from, is cut off. Do this from a console, or set the policy to accept first:

sudo nft flush chain inet filter input
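Deleting by handle means reading the number off the -a listing first. The helper below is an added example and not part of the article: rule_handle reads nft -a list chain output on stdin and prints the handle of every rule whose text contains a pattern, and delete_rules_matching uses it to remove such rules from the inet filter input chain. The listing is a constructed sample of the format nft prints; the duplicated tcp dport 22 rule is what a repeated nft add rule produces.

```shell
#!/bin/sh
# Added example (not part of the original article): look up rule handles for
# "nft delete rule ... handle N". With -a, nft appends "# handle N" to every
# object it lists; this helper pulls the number out of matching rule lines.
# Note that nft prints ports numerically ("tcp dport 22", not "ssh") unless
# -S is given, so match on the numeric form.

# rule_handle PATTERN -- read "nft -a list chain ..." output on stdin and print
# the handle of every rule whose text contains PATTERN (table/chain headers
# also carry handles and are skipped)
rule_handle() {
    awk -v pat="$1" '
        /# handle [0-9]+$/ && !/^[ \t]*(table|chain) / && index($0, pat) {
            sub(/.*# handle /, "")
            print
        }'
}

# delete_rules_matching PATTERN -- delete every rule in inet filter input whose
# text contains PATTERN (needs root and a live nft). Handles are re-read from
# the kernel right before use, so a stale number is never deleted by mistake.
delete_rules_matching() {
    nft -a list chain inet filter input | rule_handle "$1" | while read -r h; do
        echo "deleting inet filter input handle $h"
        nft delete rule inet filter input handle "$h"
    done
}

# Constructed sample of "nft -a list chain inet filter input" output.
SAMPLE_LISTING='table inet filter {
    chain input { # handle 1
        type filter hook input priority filter; policy drop;
        iif "lo" accept # handle 2
        ct state established,related accept # handle 3
        ip saddr 192.168.1.0/24 accept # handle 4
        tcp dport 22 accept # handle 5
        tcp dport 22 accept # handle 9
    }
}'

# Usage: printf '%s\n' "$SAMPLE_LISTING" | rule_handle 'tcp dport 22'   # prints 5 and 9
```

Handles are only stable while the rule exists; once a rule is deleted its number is not reused for a renumbered neighbour, which is why the deletion loop lists the chain again rather than trusting an earlier listing.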

Step 6: Logging and Monitoring

Monitoring what the firewall drops is essential: it shows scanning and misconfigured clients, and it confirms that your rules behave as intended. Append a logging rule to the end of the input chain:

sudo nft add rule inet filter input log prefix "Dropped: " flags all level info

Because nft add rule appends to the chain and the chain’s policy is drop, this rule sees exactly the packets that no earlier rule accepted, that is, the ones about to be dropped. Matching packets are logged by the kernel; read them with dmesg or journalctl -k, or from syslog where a syslog daemon collects the kernel log (typically /var/log/kern.log or /var/log/messages). flags all records every TCP option and sequence number, which is verbose; on a busy host, combine the rule with a limit rate expression so that a flood of dropped packets cannot fill the log.
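Once the log rule is in place, the interesting question is who is being dropped and on which ports. The helper below is an added example and not part of the article: it reads kernel log lines as they appear in journalctl -k or kern.log, keeps those carrying the Dropped: prefix, and summarizes them by source, protocol and destination port. The sample lines are constructed (RFC 5737 documentation addresses), but the key=value layout (IN=, SRC=, DST=, PROTO=, SPT=, DPT=, ...) is the kernel’s standard netfilter log format; ICMP entries carry TYPE= and CODE= instead of a port, which the code handles.

```shell
#!/bin/sh
# Added example (not part of the original article): summarize packets logged
# by the 'log prefix "Dropped: "' rule. Input is kernel log text as seen in
# "journalctl -k" or /var/log/kern.log; each line carries key=value fields
# (IN=, SRC=, DST=, PROTO=, SPT=, DPT=, ...). ICMP lines have no DPT, so the
# port column shows "-" for them.

# summarize_drops [PREFIX] -- read log lines on stdin, print "count src proto dport"
# sorted by count (descending), then by source
summarize_drops() {
    awk -v prefix="${1:-Dropped: }" '
        index($0, prefix) {
            src = "-"; proto = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if (split($i, kv, "=") == 2) {
                    if (kv[1] == "SRC")   src   = kv[2]
                    if (kv[1] == "PROTO") proto = kv[2]
                    if (kv[1] == "DPT")   dpt   = kv[2]
                }
            }
            count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# drops_by_source [PREFIX] -- total drops per source address, busiest first
drops_by_source() {
    summarize_drops "$@" | awk '{ n[$2] += $1 } END { for (s in n) print n[s], s }' \
        | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample: four logged drops from two sources plus one unrelated kernel line.
SAMPLE_KLOG='Mar 10 12:00:01 host kernel: Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=12345 DF PROTO=TCP SPT=51234 DPT=23 SYN URGP=0
Mar 10 12:00:02 host kernel: Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=12346 DF PROTO=TCP SPT=51235 DPT=23 SYN URGP=0
Mar 10 12:00:03 host kernel: Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=12347 DF PROTO=TCP SPT=51236 DPT=2323 SYN URGP=0
Mar 10 12:00:04 host kernel: Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=78 TTL=48 ID=4021 PROTO=UDP SPT=40000 DPT=161 LEN=58
Mar 10 12:00:05 host kernel: Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TTL=48 ID=4022 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar 10 12:00:06 host kernel: eth0: Link is Up - 1Gbps/Full'

# Usage: journalctl -k --since today | summarize_drops
#        printf '%s\n' "$SAMPLE_KLOG" | drops_by_source    # 3 203.0.113.5 / 2 198.51.100.7
```

The summary reads like a "top talkers" view of rejected traffic, which is usually enough to tell a port scan (one source, many ports) from a misconfigured client (one source, one port, steady rate). Pass a different prefix as the first argument if your log rule uses one.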

Conclusion

Congratulations! You’ve now set up a basic firewall using nftables. This powerful tool not only enhances your security posture but also provides a streamlined approach to network traffic management. As you become more familiar with nftables, you can explore advanced features like NAT, rate limiting, and more complex rule sets to further tailor your firewall configuration to your specific requirements.

For continuous learning, refer to the official nftables documentation and experiment with different configurations. Secure your Linux server, and embrace the power of nftables! Happy filtering!