Workshop Getting a Practical Grasp of nftables - Pablo Neira Ayuso

Published on Oct 01, 2024. This response is partially generated with the help of AI. It may contain inaccuracies.

Introduction

This tutorial provides a guide to getting started with nftables, the Linux packet-filtering framework, and its command-line utility nft. By following these steps, you'll learn how to install and configure nftables and how to load, check and inspect a ruleset, improving your understanding of Linux networking.

Step 1: Installation of nftables

To begin using nftables, you need to install it on your Linux system. Follow these steps based on your Linux distribution:

  • For Debian/Ubuntu:

    sudo apt update
    sudo apt install nftables
    
  • For Fedora:

    sudo dnf install nftables
    
  • For Arch Linux:

    sudo pacman -S nftables
    

After installation, ensure that the nftables service is enabled and running:

sudo systemctl enable nftables
sudo systemctl start nftables

Step 2: Basic Configuration of Tables and Chains

Once installed, you can start configuring nftables. Begin with creating a basic table and chain.

  • Create a new table:

    sudo nft add table inet my_table
    
  • Create a new chain within the table:

    sudo nft add chain inet my_table my_chain '{ type filter hook input priority 0; }'
    

This setup defines a table named my_table in the inet family (IPv4 and IPv6) with a base chain called my_chain attached to the input hook, so it processes packets addressed to the local host. The braces and the semicolon are quoted so the shell passes them to nft unchanged.

Step 3: Adding Rules to the Chain

Now that you have a chain, you can add rules to filter packets.

  • Allow established and related connections:

    sudo nft add rule inet my_table my_chain ct state established,related accept
    
  • Drop all other incoming traffic:

    sudo nft add rule inet my_table my_chain drop
    

These rules accept packets that belong to established or related connections and drop every other incoming packet, including new connection attempts, because the unconditional drop rule is evaluated last.

Step 4: Understanding Error Reporting

When working with nftables, you may encounter errors. Here’s how to effectively handle them:

  • Use the nft list ruleset command to view the current ruleset (nft -a list ruleset also shows each rule's handle).
  • Check for syntax errors or misconfigurations in your rules; nft reports the line and column where parsing failed.
  • Adjust or remove problematic rules using nft delete rule, addressing the rule by its handle, e.g. nft delete rule inet my_table my_chain handle N.

Step 5: Atomic Ruleset Restoration

Creating backups of your nftables configuration is essential for recovery. To save and restore a ruleset from a file:

  • Save the ruleset:

    sudo nft list ruleset > /path/to/backup_file
    
  • Restore the ruleset:

    sudo nft -f /path/to/backup_file
    

This process ensures that you can quickly revert to a previous configuration when needed. Because nft -f loads the whole file as a single transaction, the kernel either applies all of it or none of it; a partially loaded ruleset is never left behind.

Step 6: Scripting with nftables

You can automate nftables configurations using scripts. Here’s a simple example:

  1. Create a script file, e.g., nft_setup.sh.

  2. Add your configuration commands:

    #!/bin/bash
    set -e   # stop at the first nft command that fails
    nft add table inet my_table
    # quote the braces and the ';' so the shell passes them to nft unchanged
    nft add chain inet my_table my_chain '{ type filter hook input priority 0; }'
    nft add rule inet my_table my_chain ct state established,related accept
    nft add rule inet my_table my_chain drop
    
  3. Make the script executable:

    chmod +x nft_setup.sh
    
  4. Run the script:

    sudo ./nft_setup.sh
    

Step 7: Monitoring Events

To watch changes to the ruleset as they happen, you can use the nft monitor command:

  • Start monitoring:
    sudo nft monitor
    

This command prints nftables events in real time, in nft syntax, as tables, chains, sets and rules are added or deleted, so you can observe what a script or another administrator changes. It reports ruleset changes rather than individual packets; per-packet tracing is a separate mode, nft monitor trace.

Step 8: Using the Interactive Shell

For a more hands-on approach, you can utilize the interactive shell:

  • Start the interactive shell:

    sudo nft -i
    
  • Use it to enter commands directly, making it easier to test and modify rules on the fly.

Conclusion

By following these steps, you should have a solid foundation in using nftables for managing your Linux networking. Remember to regularly back up your configurations and monitor your ruleset for any changes. Explore further by experimenting with additional features like logging and advanced rule sets to enhance your skills.