OS: Debian 11 (bullseye)
nftables version: 0.9.8 (E.D.S.)
For those of you that are familiar with iptables by Netfilter. You might be interested to learn nftables which is available in linux kernels >= 3.13. The good news is it comes with a compatible layer that allows you to run iptables commands over the new nftables kernel framework.
The key advantage I feel is the generic set infrastructure that allows you to construct maps and concatenations. You can use these new structures to arrange your ruleset in a multidimensional tree which drastically reduces the number of rules that need to be inspected until reaching the final action on a packet. This is especially good if you have a lot of custom rules and services that you are trying to protect on your server.
The key draw back is if you only have a few rules that you are maintaining then the scripting kind of configuration might not be as easy as ufw or iptables.
You can read more about nftables in the official netfilter.org websites. So let’s get started to see how we configure nftables in Debian.
There are many way to check the Debian version. E.g. lsb_release -a.
By default nftables is not included in Debian. I will show you how to install and complete the basic setup to start protecting your linux server in the cloud.
You can run the following command to check if there are any active nftables kernel modules. You should see nftables_net, nf_tables_ip and etc if there are active nftables kernel module active if not do not worry we will be installing it.
sudo lsmod | grep nf_tables
You might also want to check if iptables is running currently by issuing the following command. If iptables services is not installed you will see the following message.
sudo systemctl status iptables
To check if you have any other firewall services running you can run the following command and look for any command firewalls such as firewall, iptables, ufw and etc. There shouldn’t be a lot of services running if it is a fresh installed and you can quickly eyeball the services that you have installed and their status.
sudo systemctl | grep service
To install nftables you need to just issue the following command. Once it is installed you can check the status and you should see that nftables is loaded but not installed.
sudo apt install nftables
In a lot of tutorial they would give you the steps to start and enable your nftables, but do take note if you are managing your cloud instance through ssh you might want to make sure you have configured to allowed access for your management port in most cases SSH (port 22) before turning on the firewall to avoid accidentally locking yourself out.
First let’s take a look at the default config usually stored at /etc/nftables.conf.
Do note that if you have not started the nftables service you will not be able to use the nft list ruleset commands. By default the configuration file does not block any traffic but it is always good to just check and confirm.
To add the rules into nftables it is easier to edit the /etc/nftables.conf file directly. Unless you want to test the rules before committing it into the configuration file.
You can use any editor to do it. e.g sudo nano /etc/nftables.conf
Here are a few basic rules to get you started. # are the comments to help make your scripting readable.
#allow connection from loopback
iifname lo accept;
# established/related connections
ct state established, related accept;
# drop invalid connections
ct state invalid drop;
#Allow ssh connection on port 22
tcp dport 22 accept;
#Drop all other incoming connection
policy drop;
sudo systemctl start nftables.service
To enable nftables whenever the system reboots issue the following command.
sudo systemctl enable nftables.service
This is basic configuration to have a OS filter/firewall to protect your server online.
Quick config to turn on logging
# Pick one that suits your needs best
counter comment “total unfiltered input packets”
log # simple detail goes into the log
log flags all # extra details go into the log
log flags all prefix “GOTCHA!: ” # parseable keyword
log flags all counter # redundant but example
Sample /etc/nftables.conf
#!/usr/sbin/nft -f flush ruleset table inet filter { chain input { type filter hook input priority 0; #allow connection from loopback iifname lo accept; # established/related connections ct state established, related accept; # drop invalid connections ct state invalid drop; #Allow ssh connection on port 22 tcp dport 22 accept; log flags all #Drop all other incoming connection policy drop; } chain forward { type filter hook forward priority 0; } chain output { type filter hook output priority 0; } } |
This should get you started and you can add on the rest of the rules for your environment.