Nftables Part 1: Difference between revisions

From BitFolk
=Installing Nftables=


==Introduction==
Iptables (and its sister ip6tables), or programs based upon it, has for many years been the standard firewall product for Linux machines. Its reign is coming to an end. Debian has announced that the next incarnation of its OS (Debian 10) will see it replaced by nftables. Current kernels already have the nftables engine powering their firewalls, with iptables and firewalld rulesets running on top of it. Nftables offers many new features, including a simpler syntax and the integration of the whole old xtables family into one unified package. It has reached a stage of development and maturity where now is the time to make the move.
Having replaced iptables myself, I have produced the guide below as an aid to those considering it. It is based on my experience with Debian 9 and kernel 4.9.0-8-amd64; other distributions will vary slightly, especially in methods of installation. The other thing to note is that nft, the front end, requires root (or sudo su).
==Getting and installing==
The stretch repository contains nftables, but a more recent version is available from stretch-backports, and as there has been a lot of recent development, this is the one to go for. If the backports repository is not in your sources.list, it will need to be added before you can install:
~# echo "deb http://ftp.debian.org/debian stretch-backports main" >> /etc/apt/sources.list
~# apt-get update
~# apt-get -t stretch-backports install nftables
This will install all that is necessary. It sets up a new service, nftables.service, which is disabled on installation. That allows you to set up rules etc. and clear iptables before you start (it is not recommended to run both at the same time). On starting or restarting, the service loads a minimalist ruleset, so we need to build our rules before running it.
The basic structure is the same as iptables – tables hold chains which are, in turn, containers for rules. The major difference is that iptables has tables predefined but nft has none. /etc/nftables.conf sets up a basic table and 3 empty chains, which we will need to edit:
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
        chain input {
                type filter hook input priority 0;
        }
        chain forward {
                type filter hook forward priority 0;
        }
        chain output {
                type filter hook output priority 0;
        }
}
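As shipped, the three chains above have no rules and the default chain policy is accept, so enabling the service at this point filters nothing. The following is an added example of what an edited /etc/nftables.conf for a single host might look like (it is not from the original page); it assumes SSH on port 22 is the only service that needs to be reachable from outside.

```nft
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
        chain input {
                # default to dropping anything not explicitly accepted below
                type filter hook input priority 0; policy drop;
                # local traffic on the loopback interface
                iifname "lo" accept
                # replies to connections this host started, and drop broken packets
                ct state established,related accept
                ct state invalid drop
                # ICMP for both IPv4 and IPv6 (path MTU discovery, neighbour discovery)
                meta l4proto { icmp, ipv6-icmp } accept
                # the one inbound service (assumption: SSH on the standard port)
                tcp dport 22 accept
                # count and log whatever is about to be dropped by the policy
                counter log prefix "nft-input-drop: " drop
        }
        chain forward {
                # this host is not a router, so nothing is forwarded
                type filter hook forward priority 0; policy drop;
        }
        chain output {
                # outbound traffic from the host itself is allowed
                type filter hook output priority 0; policy accept;
        }
}
```

Because the file begins with flush ruleset, loading it replaces whatever is currently in the kernel; nft -c -f /etc/nftables.conf parses the file without loading it, so a syntax error is caught before the service is restarted.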

Revision as of 00:10, 24 November 2018