Exploring the new nftables firewall tool – a successor to iptables
Traffic Rules
The nftables firewall utility offers a simpler and more consistent approach for managing firewalls in Linux.
If you are training to become a network administrator, or even if you just want to get better at Linux, you cannot avoid dealing with the topic of firewalls, including the rules for filtering packets on the network.
The iptables firewall tool [1] is slightly long in the tooth, and the program code in particular has become more and more complex. Small changes in the project core affected all the tools associated with the project. Iptables, ip6tables, ebtables, and arptables all originate from the same codebase – not in the form of modules, but by code duplication. Accordingly, the four tools drifted apart over time. Iptables was best maintained, and ebtables was neglected. Bugs patched in iptables still existed in Ebtables years later.
The problems with maintaining the iptables code base prompted the development of a successor called nftables [2] back in 2009 by the netfilter project [3]. The first two letters of nftables are derived from the project; nftables simply means "netfilter tables." The stated development goals include higher data throughput, greater scalability with a view to changing requirements, and, in particular, a modular structure that is easier to maintain. Since Linux 3.13 (January 2014), nftables has existed directly in the kernel [4]. The nftables firewall tool uses internal, proven components of the netfilter project.
As of the release of Debian 10 "Buster," which is planned for summer 2019, Debian will completely rely on nftables [5], which will also affect derivatives like Ubuntu and Linux Mint. Red Hat-based distros are also moving to more reliance on nftables. The current releases of most Linux distributions already contain nftables – not enabled, but ready for use.
Extensions and Conversions
You can create rules for firewalls with the command-line tools iptables
(IPv4), ip6tables
(IPv6), arptables
(ARP packets), and ebtables
(Ethernet frames). Nftables replaces all four with a single command-line tool named nft
, which now sets all the rules for accepting, forwarding, modifying, or rejecting packets from the network on the system.
Iptables uses different filters and three processing chains named INPUT
, FORWARD
, and OUTPUT
to handle packets. The nftables framework does not have any similar built-in chains – you'll have to define the chains yourself.
Nft uses two libraries: libmnl, a minimalist Netlink library [6], and libnfnetlink, a Netlink library in userspace [7]. As a result, the size of the code in the Linux kernel is smaller, and small changes to nft
do not mean that you need to customize the kernel [8].
To make sure that the appropriate kernel module is loaded in your system kernel, work with the output from the modinfo
(Figure 1) and lsmod
(Figure 2) commands. The feedback in the examples shown is positive and lets you get started with nft
directly.
Basic Configuration
Nftables starts with a completely empty ruleset; there are no predefined tables, chains, or rules. As the user (or admin), you first create the tables, add chains that latch into the Linux kernel as netfilter hooks, and then populate them with appropriate rules. All these steps are performed using the nft
command, which you execute as root.
Listing 1 demonstrates how to define a firewall that does not (yet) let packets through. The first command (line 1) creates a table for IP packets of type filter
. Line 2 adds a chain to the filter
table. In line 3, a rule is added to the chain to discard all packets (drop
).
Listing 1
Setting Up a Chain
01 # nft add table ip filter 02 # nft add chain ip filter input {type filter hook input priority 0\;} 03 # nft add rule ip filter input drop 04 # nft list ruleset -a 05 # nft delete rule ip filter input handle 2
The command in line 4 gives an overview with all the rules on the firewall (Figure 3). In addition to the entries, there are comments in the form # handle handle_number
, which you use to reference the entries. This option is of particular interest if you want to delete or change existing specifications, or insert new ones before or after them. For example, the command from line 5 deletes the drop rule.
Basic Approach
nft
's developers chose the Berkeley Packet Filter (BPF) [9] to define the nomenclature of their rules, and they orient their work on the classic tcpdump
[10], so that you don't have to relearn everything [11].
nft
provides a number of address families: arp
(ARP), bridge
(previously provided by ebtables), inet
(includes IPv4 and IPv6), ip
(for IPv4), ip6
(for IPv6), and netdev
are predefined. netdev
is used to filter incoming packets before they reach Layer 3, according to the ISO/OSI specification.
nft
translates the rules and keeps them in a small virtual machine (nftables core
) for communication with the Linux kernel.
The example in Listing 2 demonstrates how to enable port 22 for incoming packets as needed for access via SSH. Thanks to nft
, the overhead is reduced to a single command, and the syntax is simpler.
Listing 2
Enabling Port 22
### Allow incoming packets on port 22. ### With Iptables: # iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT # iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT ### With Nft: $ nft add rule inet filter input tcp dport 22 ct state new,established accept
If you want to add two ports, 80 and 443 (i.e., HTTP and HTTPS), you need two extra lines per port for iptables. With nft
, however, you just need to extend the existing line to combine all three protocols at once. Port 22 is added in braces, followed by the two ports, 80 and 443 (Listing 3), separated by commas.
Listing 3
Adding Ports
# nft add rule inet filter input tcp dport { 22, 80, 443 } ct state new,established accept
Please note that the spaces within the brackets must be exactly as shown – otherwise Bash will swallow them up and complain. Users of Zsh run into the same problem, which you can resolve with suitable quoting.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.
-
Linux Sees Massive Performance Increase from a Single Line of Code
With one line of code, Intel was able to increase the performance of the Linux kernel by 4,000 percent.
-
Fedora KDE Approved as an Official Spin
If you prefer the Plasma desktop environment and the Fedora distribution, you're in luck because there's now an official spin that is listed on the same level as the Fedora Workstation edition.
-
New Steam Client Ups the Ante for Linux
The latest release from Steam has some pretty cool tricks up its sleeve.
-
Gnome OS Transitioning Toward a General-Purpose Distro
If you're looking for the perfectly vanilla take on the Gnome desktop, Gnome OS might be for you.
-
Fedora 41 Released with New Features
If you're a Fedora fan or just looking for a Linux distribution to help you migrate from Windows, Fedora 41 might be just the ticket.