Old 06-20-2020, 02:33 PM   #1
Wolf.Linux
Member
 
Registered: May 2020
Location: USA
Distribution: Debian
Posts: 41

Rep: Reputation: Disabled
Debian 10 - nftables vs iptables


Back again with another newb question.
So again, my main goal was to be able to replicate the things I know how to do on Windows since migrating to Linux. One of these is setting up a firewall. I know as a beginner I probably shouldn't be, so I'm told, but I'm moderately paranoid in terms of security, and since this is a laptop I'll probably occasionally be using this in various places. From what I read there's two main ways to set up a firewall: iptables and nftables.
Both seem rather daunting but I'm willing to learn. It also appears from my research that nftables is supposed to replace the "ageing iptables"; on the other hand I hear people still liking iptables. I don't know whether they have deemed it better as veteran *nix users, or out of years of familiarity and are uncomfortable with switching. Now, I know absolutely zero about either, but according to Debian documents when googling nftables:

Quote:
Current status

NOTE: Debian Buster uses the nftables framework by default.

Starting with Debian Buster, nf_tables is the default backend when using iptables, by means of the iptables-nft layer (i.e., using iptables syntax with the nf_tables kernel subsystem). This also affects ip6tables, arptables and ebtables.

You can switch back and forth between iptables-nft and iptables-legacy by means of update-alternatives (same applies to arptables and ebtables).

The default starting with Debian Buster:

# update-alternatives --set iptables /usr/sbin/iptables-nft
# update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
# update-alternatives --set arptables /usr/sbin/arptables-nft
# update-alternatives --set ebtables /usr/sbin/ebtables-nft
Whatever this means. lol
In plain English it seems that Debian 10 uses nftables by default?

So my system information:
Operating System: Debian GNU/Linux 10 (buster)
Kernel: Linux 4.19.0-9-amd64
Architecture: x86-64
Also: Xfce

So my questions are:

Which should I learn to use as a new user?
And where should I begin to learn how to use these?

My goal is to harden my laptop as much as possible without going too overboard.

My main issue with a lot of things in Linux seems to be people's inability to make things simple in documentation. There are some that are amazing and simple, and there are some that seem to make my head hurt.
 
Old 06-22-2020, 05:02 AM   #2
agillator
Member
 
Registered: Aug 2016
Distribution: Mint 19.1
Posts: 419

Rep: Reputation: Disabled
nftables is supposedly slowly replacing iptables. The problem I see is that the documentation and tutorials for nftables are not the best, yet. However, if you understand what firewalls do and how, so the actual commands are what you need, then probably go with nftables. If you are actually trying to learn to program a firewall you probably would be better off with iptables, knowing that a year or two down the road you would have to switch. You can google for tutorials and documentation for either and find a tutorial that suits you and that you understand. That is all very personal and needs to fit the way you think. One word of caution: be very, very careful of trying to replicate things you know how to do on Windows. The two systems are totally different and approaching Linux looking for similarities to Windows can get in your way. For example, in Windows you need to know what drive something is on. In Linux, as a user, you don't care. In Linux everything is one big file system. This seems to be a stumbling block for Windows users.

All that being said you might try installing UFW, the "Uncomplicated Firewall".
Code:
https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29
It will give you a working firewall to look at as you go through tutorials and even though it is not the simplest, it will demonstrate what the instructions are talking about.
 
Old 06-22-2020, 05:33 AM   #3
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,399
Blog Entries: 3

Rep: Reputation: 3778
Quote:
Originally Posted by Wolf.Linux View Post
Which should I learn to use as a new user?
and where should I begin to learn how to use these?
None of them really do deep packet inspection to ensure that traffic is using a specific protocol. Instead they go only by the port a connection happens to use.

UFW is easy, as long as you don't expect much of it. It soon becomes very complicated if you try to expand your rule set a little. However, it can allow, block, or limit various ports.

I never really liked iptables so I am glad it is going away, just unhappy that it is not going away quickly enough. It has a lot of rough edges and not so good documentation. There are also some unfinished parts (can't remember specifics though) which had me check out nftables and I found that I liked it better. I find it much easier to use, once you read up a little. It does take a little more investment in time up front but then you can go quite far with that. Try these two links for getting started:

https://wiki.nftables.org/wiki-nftab..._in_10_minutes

https://www.linuxsecrets.com/archlin.../Nftables.html

Even though the second link is about Arch, nftables still works in Debian / Devuan.

One advantage I see with nftables is that it works from a configuration file in /etc/nftables.conf

However, all that said, what are your plans for filtering packets? What situation will you be using it in?
 
Old 06-27-2020, 07:38 AM   #4
Wolf.Linux
Member
 
Registered: May 2020
Location: USA
Distribution: Debian
Posts: 41

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by agillator View Post
nftables is supposedly slowly replacing iptables. The problem I see is that the documentation and tutorials for nftables are not the best, yet. However, if you understand what firewalls do and how, so the actual commands are what you need, then probably go with nftables. If you are actually trying to learn to program a firewall you probably would be better off with iptables, knowing that a year or two down the road you would have to switch. You can google for tutorials and documentation for either and find a tutorial that suits you and that you understand. That is all very personal and needs to fit the way you think. One word of caution: be very, very careful of trying to replicate things you know how to do on Windows. The two systems are totally different and approaching Linux looking for similarities to Windows can get in your way. For example, in Windows you need to know what drive something is on. In Linux, as a user, you don't care. In Linux everything is one big file system. This seems to be a stumbling block for Windows users.

All that being said you might try installing UFW, the "Uncomplicated Firewall".
Code:
https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29
It will give you a working firewall to look at as you go through tutorials and even though it is not the simplest, it will demonstrate what the instructions are talking about.
Sorry, I've been at work over the road, guys. I appreciate all the info!
I took a look at ufw and such. However, I wanted as minimal a setup as possible.
So I was just trying to decide between stock standard iptables and nftables. Both seem nice.

Quote:
Originally Posted by Turbocapitalist View Post
None of them really do deep packet inspection to ensure that traffic is using a specific protocol. Instead they go only by the port a connection happens to use.

UFW is easy, as long as you don't expect much of it. It soon becomes very complicated if you try to expand your rule set a little. However, it can allow, block, or limit various ports.

I never really liked iptables so I am glad it is going away, just unhappy that it is not going away quickly enough. It has a lot of rough edges and not so good documentation. There are also some unfinished parts (can't remember specifics though) which had me check out nftables and I found that I liked it better. I find it much easier to use, once you read up a little. It does take a little more investment in time up front but then you can go quite far with that. Try these two links for getting started:

https://wiki.nftables.org/wiki-nftab..._in_10_minutes

https://www.linuxsecrets.com/archlin.../Nftables.html

Even though the second link is about Arch, nftables still works in Debian / Devuan.

One advantage I see with nftables is that it works from a configuration file in /etc/nftables.conf

However, all that said, what are your plans for filtering packets? What situation will you be using it in?
I see. Well, for me it's not for anything too major. I'm kind of privacy / security fascinated, so it's just securing my home computers and laptops as much as possible from potential attack, being as I live in an apt and also take my laptop to public coffee shops. Also I do like to use ssh, so probably something like an SSH tarpit.
 
Old 06-27-2020, 07:43 AM   #5
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,399
Blog Entries: 3

Rep: Reputation: 3778
The best thing you can do for SSH is to move to either key- or certificate-based authentication and turn off password authentication. Many of the bots attacking your computer will be able to spot this and will move on immediately. If you leave password authentication on, they will stick around and grind away at the port with a catalog of compromised account-password combinations.
 
Old 06-27-2020, 08:12 AM   #6
agillator
Member
 
Registered: Aug 2016
Distribution: Mint 19.1
Posts: 419

Rep: Reputation: Disabled
If by stock standard iptables you mean the default installed by the system, it won't do you much good unless things have changed drastically. What is installed is a 'firewall' that accepts everything in, out, and forwarded, i.e. no firewall. It would probably help you to find a firewall to refer to as you learn, one you can play with. I suggested UFW because, though it looks complicated, it really isn't too hard to follow as you learn. But that is your call, of course.

A book that might help you is "Linux Firewalls", Fourth Edition. It is available on Amazon among other places and addresses both iptables and nftables and the differences.
 
Old 06-27-2020, 10:47 AM   #7
Wolf.Linux
Member
 
Registered: May 2020
Location: USA
Distribution: Debian
Posts: 41

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
The best thing you can do for SSH is to move to either key- or certificate-based authentication and turn off password authentication. Many of the bots attacking your computer will be able to spot this and will move on immediately. If you leave password authentication on, they will stick around and grind away at the port with a catalog of compromised account-password combinations.
Nice! I'll definitely look into this!

Quote:
Originally Posted by agillator View Post
If by stock standard iptables you mean the default installed by the system, it won't do you much good unless things have changed drastically. What is installed is a 'firewall' that accepts everything in, out, and forwarded, i.e. no firewall. It would probably help you to find a firewall to refer to as you learn, one you can play with. I suggested UFW because, though it looks complicated, it really isn't too hard to follow as you learn. But that is your call, of course.

A book that might help you is "Linux Firewalls", Fourth Edition. It is available on Amazon among other places and addresses both iptables and nftables and the differences.
Awesome info also, I'll definitely scoop up that book.
I was following the directions of someone who does some Linux IT and liked the look of this script setup for a good base:

Code:
#!/bin/bash
#
# iptables example configuration script

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
 
# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
 
# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
 
# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
 
# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
 
# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
 
# Flush all chains
/sbin/iptables --flush
 
# Allow unlimited traffic on the loopback interface
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
 
# Set default policies
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP
 
# Previously initiated and accepted exchanges bypass rule checking
# Allow unlimited outbound traffic
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 
#Ratelimit SSH for attack protection
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
 
# Allow certain ports to be accessible from the outside
/sbin/iptables -A INPUT -p tcp --dport 25565 -m state --state NEW -j ACCEPT  #Minecraft
/sbin/iptables -A INPUT -p tcp --dport 8123 -m state --state NEW -j ACCEPT   #Dynmap plugin

# Other rules for future use if needed.  Uncomment to activate
# /sbin/iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT    # http
# /sbin/iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT   # https

# UDP packet rule.  This is just a random udp packet rule as an example only
# /sbin/iptables -A INPUT -p udp --dport 5021 -m state --state NEW -j ACCEPT

# Allow pinging of your server
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

  
# Drop all other traffic
/sbin/iptables -A INPUT -j DROP

# print the activated rules to the console when script is completed
/sbin/iptables -nL
 
Old 06-27-2020, 11:49 AM   #8
agillator
Member
 
Registered: Aug 2016
Distribution: Mint 19.1
Posts: 419

Rep: Reputation: Disabled
Without going through your sample line by line (a tutorial or book will enable you to do that), let me point out one pitfall that is explained in 'Linux Firewalls' at least.

In programming a firewall you are going to make mistakes. That is an ironclad guarantee. Be careful that you don't lock yourself out of the firewall computer. If, for example, you set all three policies to DROP and you are working on a remote firewall, let's say you screw up the INPUT chain or delete all the rules in it. Now what do you do? If you have no physical access to the firewall computer you have a problem, a BIG problem. You need to reset everything but can't! Oops! For that reason input policies are not set to DROP during development. Only when you are positive there will be no problem is the policy set to DROP. There is a way to make the firewall reset to a wide open (or any) state periodically to avoid this problem.

Most of the time you really aren't concerned with outbound traffic so most of the firewalls I have seen have an outbound policy of ACCEPT. It is easier to identify something that is a problem and block it than all the things that are not and allow them.

So, most of the firewalls I have seen, assuming physical access, are set with policies INPUT and FORWARD of DROP and OUTPUT of ACCEPT. In fact, a firewall which allows output and only allows input that is in response is a pretty tight firewall to start out with.

Beyond these points I only suggest to proceed under the guidance of a good tutorial or book and be sure you understand what they are telling you to do. It is easy to lock yourself out among other things.
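An added example that is not code from the thread, serving both the iptables script in post #7 and the lockout warning in post #8: the same policy expressed as an nftables ruleset (the format of /etc/nftables.conf) and loaded with a timed rollback, so a broken input chain undoes itself instead of stranding you. It assumes Debian buster with the nftables package, SSH on port 22, and that the sysctl lines of the original script are handled separately:

```shell
#!/bin/sh
# Added example, not from the thread: the OP's iptables script expressed as an
# nftables ruleset and loaded with a timed rollback, so a mistake in the input
# chain undoes itself instead of locking you out (post #8's pitfall).
# Assumes Debian buster with the nftables package; the /proc/sys sysctl lines
# of the original script are unchanged by nftables and are not repeated here.

SSH_PORT=22        # assumption: OpenSSH on its default port
ROLLBACK_SECS=60   # seconds you have to confirm the new rules

# Print the ruleset. The inet family covers IPv4 and IPv6 in one table, which
# the iptables-only original did not; ICMPv6 neighbour discovery is allowed
# because IPv6 does not work without it.
build_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    set ssh_meter {
        type ipv4_addr
        size 65535
        flags dynamic
        timeout 60s
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # same effect as the -m recent rules: over 4 new SSH connections per minute from one IPv4 source are dropped
        tcp dport $SSH_PORT ct state new add @ssh_meter { ip saddr limit rate over 4/minute } drop
        tcp dport $SSH_PORT ct state new accept
        tcp dport { 25565, 8123 } ct state new accept
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}
# Load the ruleset atomically; unless the saved copy is removed within
# ROLLBACK_SECS, a background job restores the previous ruleset.
apply_with_rollback() {
    saved=$(mktemp) || return 1
    nft list ruleset > "$saved" || return 1
    build_ruleset | nft -f /dev/stdin || { rm -f "$saved"; return 1; }
    (
        sleep "$ROLLBACK_SECS"
        if [ -e "$saved" ]; then
            nft flush ruleset && nft -f "$saved"
            rm -f "$saved"
        fi
    ) &
    echo "Rules loaded. If you can still log in, run: rm $saved  (within ${ROLLBACK_SECS}s)"
}

if [ "$(id -u)" -eq 0 ] && command -v nft >/dev/null 2>&1; then
    apply_with_rollback
else
    build_ruleset   # not root or nft missing: just show what would be loaded
fi
```

Run it over SSH as root, then confirm from that same session; if the session is dead instead, the old ruleset returns on its own after the timeout.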
 
Old 06-27-2020, 02:14 PM   #9
Wolf.Linux
Member
 
Registered: May 2020
Location: USA
Distribution: Debian
Posts: 41

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by agillator View Post
Without going through your sample line by line (a tutorial or book will enable you to do that), let me point out one pitfall that is explained in 'Linux Firewalls' at least.

In programming a firewall you are going to make mistakes. That is an ironclad guarantee. Be careful that you don't lock yourself out of the firewall computer. If, for example, you set all three policies to DROP and you are working on a remote firewall, let's say you screw up the INPUT chain or delete all the rules in it. Now what do you do? If you have no physical access to the firewall computer you have a problem, a BIG problem. You need to reset everything but can't! Oops! For that reason input policies are not set to DROP during development. Only when you are positive there will be no problem is the policy set to DROP. There is a way to make the firewall reset to a wide open (or any) state periodically to avoid this problem.

Most of the time you really aren't concerned with outbound traffic so most of the firewalls I have seen have an outbound policy of ACCEPT. It is easier to identify something that is a problem and block it than all the things that are not and allow them.

So, most of the firewalls I have seen, assuming physical access, are set with policies INPUT and FORWARD of DROP and OUTPUT of ACCEPT. In fact, a firewall which allows output and only allows input that is in response is a pretty tight firewall to start out with.

Beyond these points I only suggest to proceed under the guidance of a good tutorial or book and be sure you understand what they are telling you to do. It is easy to lock yourself out among other things.
I understand, I'll definitely check out the book,
which is

Linux Firewalls: Enhancing Security with nftables and Beyond (4th Edition)
by Steve Suehring

on Amazon, if I'm correct?

It says nftables, but does this also cover iptables?
 
Old 06-27-2020, 05:20 PM   #10
agillator
Member
 
Registered: Aug 2016
Distribution: Mint 19.1
Posts: 419

Rep: Reputation: Disabled
Yes, that's the book. If you follow it all the way through you will have developed complete firewalls in both (or either) iptables and nftables. By the way, I'm not pushing the book, I gain nothing from its sale. It is just the one I refer to.
 