Difference between revisions of "Nft"
| Line 105: | Line 105: | ||
Which is better? | Which is better? | ||
| − | Nft has a higher learning curve, but seems to have more flexibility. It's a bit difficult to remember writing commands from the shell, so it favors scripting. I would imagine nft is geared towards power users. iptables remains a much easier introduction to firewall scripting, but having to write ip6tables and iptables scripts is a bit worse. I will have to wait until I understand both to make a judgement | + | Nft has a higher learning curve, but seems to have more flexibility. It's a bit difficult to remember writing commands from the shell, so it favors scripting. I would imagine nft is geared towards power users. iptables remains a much easier introduction to firewall scripting, but having to write ip6tables and iptables scripts is a bit worse. I will have to wait until I understand both to make a judgement. |
Revision as of 19:43, 9 May 2023
Nft is the successor to iptables.
There is only one book on the market I could find (08/2022) that currently deals with Nft, and that is Linux Firewalls by Steve Suehring (this page references the 4th edition).
Usage
First, you should know there is the handy tool
iptables-translate
which can convert an iptables rule to nft. Used like so:
iptables-translate -I INPUT -p tcp --dport 22 -j DROP
and it will give the nft equivalent.
Second, you should know that in order to block ipv4 and ipv6, you should use: inet. Some rules, will have nft insert rule ip bla bla bla or nft insert rule ip6 bla bla bla. If you use inet instead of ip or ip6 it will cover both protocols. (Page 84). Any example rule online that only uses ip is incorrect.
Third:
-I is nft insert -A is nft add
Terrible... Add should be append. As with iptables, the order in which you execute the rules is important.
Fourth: you have to make your own tables, AND chains because f&*$ you that's why. What a mess.
Create tables/chains
Just copied and pasted from debian wiki. There are example tables in devuan in /usr/share/doc/nftables, but it's about as simple as Owrt's firewall (which is not simple at all) so good luck.
There is also the option to type your rules in /etc/nftables.conf. But I'm old fashioned and prefer to use cmd line rules.
Create a basic IPv4/IPv6 dual-stack table: Create a chain for input IPv4/IPv6 dual-stack traffic: A rule to check that all is fine (IPv4/IPv6 dual-stack):
nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0 \; }
nft add rule inet filter input counter accept
Show all the previous:
nft list table inet filter
Gonna take a bit to memorize this.
Allow/Block a single port
Block the wan from accessing port 80:
nft insert rule inet filter INPUT tcp dport 80 counter reject
Allow the lan to access port 80:
nft insert rule inet filter INPUT ip saddr 192.168.1.0/24 tcp dport 80 counter accept
Delete all rules
iptables -F vs nft flush ruleset
fail. Should be just nft -F.
List rules
nft list table inet filter vs iptables -L
Fail. (this assumes you used my instructions for a ipv4/ipv6 table [inet] named filter.)
The rule listing of nft is easy to read, and includes stats without the need for iptables -v -L. +1
Templates
After reading all the above nonsense, you just want something to copy and paste, here it is:
nft flush ruleset
nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0 \; }
nft add rule inet filter input counter accept
nft insert rule inet filter input tcp dport 80 counter reject
nft insert rule inet filter input ip saddr 192.168.1.0/24 tcp dport 80 counter accept
The bare minimum to block/allow a port. Compared to:
iptables -F iptables -I INPUT -p tcp --dport 80 -j REJECT iptables -I INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
(gotcha: In this example adapted from Linux Firewalls by Suehring, the table happens to have the same name as the type of the chain, they: are both filter. Don't be confused, as the table could've been named any arbitrary name, yet the chain is a 'type' of filter. There are three chain types according to the book: filter, route, and nat. Note also there must be a single space after the 0 for priority followed by the backslash and semi-colon.)
iptables vs nft: which is easier for the sysadmin?
I'm still undecided which is better. One thing to remember with nft is that the rules will start identical most of the time.
So a rule that is:
nft insert rule inet filter INPUT tcp dport 80 counter reject
Always has
nft insert rule inet
Which means you have to remember that part, cut it out, then focus on the rest of the rule. So all that matters is:
filter INPUT tcp dport 80 counter reject vs: -I INPUT -p tcp --dport 80 -J REJECT
Which is better?
Nft has a higher learning curve, but seems to have more flexibility. It's a bit difficult to remember writing commands from the shell, so it favors scripting. I would imagine nft is geared towards power users. iptables remains a much easier introduction to firewall scripting, but having to write ip6tables and iptables scripts is a bit worse. I will have to wait until I understand both to make a judgement.
