nftables Basics
1. Introduction
nftables is a framework for packet filtering and classification in the Linux kernel, designed to replace iptables, ip6tables, arptables, and ebtables. It provides a single interface for managing packet filtering rules across different protocols.
2. Key Concepts
2.1. Tables
Tables are the main container for rules. Each table is associated with a specific family (e.g., inet, ip, ip6).
2.2. Chains
Chains are ordered lists of rules. A base chain is attached to a hook (input, output, forward) that decides where in the packet path it is evaluated, and its rules are matched top to bottom.
2.3. Rules
Rules are the conditions a packet must match to trigger a verdict (accept, drop, etc.).
3. Installation
To install nftables on a Debian-based system, use the following command:
sudo apt install nftables
For RHEL-based systems, use:
sudo dnf install nftables
After installation, enable and start the service:
sudo systemctl enable nftables
sudo systemctl start nftables
4. Basic Usage
To interact with nftables, use the nft command. Below are the basic commands:
4.1. Creating a Table
nft add table inet filter
4.2. Creating a Chain
The braces and the semicolon must be quoted so the shell passes them to nft instead of interpreting them:
nft add chain inet filter input '{ type filter hook input priority 0; }'
4.3. Adding a Rule
nft add rule inet filter input ip saddr 192.168.1.0/24 accept
4.4. Listing Rules
nft list ruleset
5. Examples
5.1. Simple Firewall
nft add table inet filter
nft add chain inet filter input '{ type filter hook input priority 0; }'
nft add rule inet filter input ip saddr 192.168.1.0/24 accept
nft add rule inet filter input drop
5.2. Allow SSH
Rules are evaluated in order, so a rule appended with nft add after the drop rule from 5.1 would never be reached. Use nft insert, which places the rule at the start of the chain:
nft insert rule inet filter input tcp dport 22 accept
6. Best Practices
- Regularly review and update your firewall rules.
- Use logging to monitor suspicious activity.
- Always test new rules in a safe environment before deploying.
7. FAQ
What is the default policy in nftables?
The default policy of a base chain is accept: all packets are allowed unless a rule or an explicit chain policy says otherwise.
How can I remove a rule?
You can remove a rule by its handle, the unique identifier nftables assigns to every rule. Handles are only shown when listing with nft -a list ruleset. Example: nft delete rule inet filter input handle 3
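The following is an added example, not part of the original page: it ties together the firewall from section 5 and the handle lookup from the FAQ. build_ruleset emits a complete ruleset for nft -f in which accept rules come before the chain's drop policy and dropped packets are logged, and find_handle reads nft -a list ruleset output to locate the handle nft delete needs. The table and chain names, the SSH port and the LAN range are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed names: table "inet filter",
# chain "input"; assumed defaults: SSH on port 22, trusted LAN 192.168.1.0/24.

# Emit a ruleset; $1 is the SSH port, $2 the trusted LAN in CIDR notation.
# Ordering matters: accepts precede the "policy drop" that catches the rest.
build_ruleset() {
    ssh_port="${1:-22}"
    lan="${2:-192.168.1.0/24}"
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip saddr $lan accept
        tcp dport $ssh_port ct state new accept
        log prefix "nft-input-drop: " counter drop
    }
}
EOF
}

# Apply with a syntax check first (nft -c parses the file without loading it):
#   build_ruleset 22 192.168.1.0/24 > /tmp/fw.nft
#   sudo nft -c -f /tmp/fw.nft && sudo nft -f /tmp/fw.nft

# Print the handle of the first rule in chain $1 whose text contains $2,
# reading "nft -a list ruleset" output from stdin (handles need the -a flag).
find_handle() {
    awk -v chain="$1" -v pat="$2" '
        $1 == "chain" && $2 == chain { inchain = 1; next }
        inchain && $1 == "}"         { inchain = 0 }
        inchain && index($0, pat) && match($0, /# handle [0-9]+/) {
            print substr($0, RSTART + 9, RLENGTH - 9); exit
        }'
}

# Live usage:
#   sudo nft -a list ruleset | find_handle input "tcp dport 22"
#   sudo nft delete rule inet filter input handle <printed number>
```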