nftables
December 11, 2019 — 14:32

Author: silver  Category: linux network  Comments: Off

nftables (nft) replaces iptables:

  • Debian (10 buster) links ‘iptables’ to ‘iptables-nft’ and ‘iptables-legacy’ is actually ‘iptables’
  • RH uses nft as as preferred firewall since RHEL8 and firewalld uses nft as backend

If you haven’t switched yet you might want to ‘translate’ your current iptables rules and make other programs use nft.

config

rules are located in:

  • Debian /etc/nftables.conf
  • RedHat /etc/sysconfig/nftables.conf

list

nft list ruleset

nft list chain ip filter INPUT

nft list tables nft list table ip filter

flush

nft flush ruleset

translate

iptables-restore-translate -f /etc/iptables/rules.v4 > /etc/iptables/ruleset.nft

ip6tables-restore-translate -f /etc/iptables/rules.v6 > /etc/iptables/ruleset6.nft

netfilter-persistent

Oddly enough the only place I could find a nft plugin was here

curl https://raw.githubusercontent.com/hardenedlinux/harbian-audit/master/docs/configurations/usr.share.netfilter-persistent.plugins.d.15-nft -o /usr/share/netfilter-persistent/plugins.d/15-nft

fail2ban

Make f2b use nft. From https://wiki.meurisse.org/wiki/Fail2Ban:

  • edit ‘/etc/fail2ban/jail.local.conf’: banaction = nftables-multiport

  • add to ‘/etc/nftables.conf’: include "/etc/fail2ban.conf"

  • create ‘/etc/fail2ban.conf’:

#!/usr/sbin/nft -f

# Use ip as fail2ban doesn't support ipv6 yet
table ip fail2ban {
        chain input {
                # Assign a high priority to reject as fast as possible and avoid more complex rule evaluation
                type filter hook input priority 100;
        }
}








We use Matomo free and open source web analytics (opt-out)