LinuxQuestions.org
nftables series - part 1 - baby steps

Posted 12-24-2014 at 07:53 AM by serafean
Updated 12-24-2014 at 07:55 AM by serafean

Nftables introduction

I assume a kernel >=3.18 and nft >= 0.4.

I decided to try out nftables, the would-be iptables successor on my home router/server PC.
As a basic guide I used this guide and the pretty good basic documentation on wiki.nftables.org.

nft starts with a completely empty ruleset: there are no predefined tables, chains or rules.
You, as the user, create tables, populate them with chains (which hook into the kernel's netfilter hooks) and populate those chains with rules.
All of this is done with the nft command. Let's create a table with one chain and one rule that drops everything:
Code:
#nft add table ip filter
#nft add chain ip filter input {type filter hook input priority 0\;}
#nft add rule ip filter input drop
Command decomposition:
- "ip filter": ip selects the address family, one of {arp,bridge,ip,ip6,inet}; filter is the name of the table.
- "input": the name of the chain.
- "type filter": the type of the chain, one of {filter,routing,nat}.
- "hook input": the netfilter hook at which the chain runs (the nftables wiki has a good description of the hooks).

This is what the firewall looks like now:
Code:
#nft list ruleset -a
table filter {
  chain input {
    type filter hook input priority 0;
    drop # handle 1
  }
}
To delete the rule, we use its handle (printed when the -a option is used):
Code:
#nft delete rule ip filter input handle 1
The handle can also be used as a reference point to insert a rule at a specific position (insert adds before the referenced rule, add adds after it):
Code:
#nft insert rule ip filter input position 1 ct state related,established accept
There we have it, a basic working stateful firewall.

Finally, let's save the configuration:
Code:
#nft list ruleset > rules.cfg
This writes the current ruleset to the rules.cfg file, which can later be reloaded with:
Code:
#nft -f rules.cfg
To ensure an empty ruleset, I prepend flush ruleset to the rules.cfg file. I end up with a configuration file that looks like:
Code:
flush ruleset
table filter {
  chain input {
    type filter hook input priority 0;
    ct state related,established accept
    drop
  }
}
Basic configuration done.
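As an added example (not code from the original post), a small POSIX sh helper set that scripts the steps above: looking a rule's handle up in "nft list ruleset -a" output instead of reading it off the screen, deleting by that handle, and checking a rules.cfg for the leading flush ruleset before loading it. It assumes an nft build with the -c/--check dry-run option, which is newer than the 0.4 release the post assumes; the sample listing and its handle numbers are constructed.

```shell
# Added example, not from the original post: scripts the post's steps. Assumes
# an nft with the -c/--check dry-run option (newer than the 0.4 the post
# assumes); nft is only called from delete_rule and apply_ruleset, the rest
# runs offline on the constructed sample below.
# Constructed "nft list ruleset -a" output for the post's final ruleset
# (the handle numbers are assumed; the kernel assigns them).
SAMPLE_RULESET='table ip filter {
  chain input {
    type filter hook input priority 0;
    ct state related,established accept # handle 2
    drop # handle 1
  }
}'

# rule_handle CHAIN RULE_TEXT: read a listing on stdin, print the handle of the
# first rule in CHAIN whose text equals RULE_TEXT; return 1 if none matches.
rule_handle() {
  awk -v want="$1" -v rule="$2" '
    $1 == "chain" { cur = $2; next }    # entering a chain block
    $1 == "}"     { cur = ""; next }    # leaving a chain (or table) block
    cur == want && index($0, " # handle ") {
      line = $0; sub(/^[[:space:]]+/, "", line)
      n = index(line, " # handle ")     # rule text ends before this marker
      if (substr(line, 1, n - 1) == rule) {
        print substr(line, n + 10); found = 1; exit   # text after the marker
      }
    }
    END { exit found ? 0 : 1 }'
}
# delete_rule FAMILY TABLE CHAIN RULE_TEXT: the post's "nft delete rule ...
# handle N", with N looked up instead of copied from the screen.
delete_rule() {
  h=$(nft list ruleset -a | rule_handle "$3" "$4") ||
    { echo "delete_rule: no rule '$4' in chain $3" >&2; return 1; }
  nft delete rule "$1" "$2" "$3" handle "$h"
}
# starts_with_flush FILE: true when FILE's first non-blank line is
# "flush ruleset", so loading it replaces the ruleset instead of appending.
starts_with_flush() {
  first=$(grep -v '^[[:space:]]*$' "$1" | head -n 1)
  [ "$first" = "flush ruleset" ]
}
# apply_ruleset FILE: require the leading flush, parse-check with nft -c,
# then load; nft -f applies the whole file as one atomic transaction.
apply_ruleset() {
  starts_with_flush "$1" || { echo "$1: no leading 'flush ruleset'" >&2; return 1; }
  nft -c -f "$1" && nft -f "$1"
}
```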