Exploring the new nftables firewall tool – a successor to iptables
Traffic Rules
The nftables firewall utility offers a simpler and more consistent approach for managing firewalls in Linux.
If you are training to become a network administrator, or even if you just want to get better at Linux, you cannot avoid dealing with the topic of firewalls, including the rules for filtering packets on the network.
The iptables firewall tool [1] is slightly long in the tooth, and the program code in particular has become more and more complex. Small changes in the project core affected all the tools associated with the project. Iptables, ip6tables, ebtables, and arptables all originate from the same codebase – not in the form of modules, but by code duplication. Accordingly, the four tools drifted apart over time. Iptables was best maintained, and ebtables was neglected. Bugs patched in iptables still existed in Ebtables years later.
The problems with maintaining the iptables code base prompted the development of a successor called nftables [2] back in 2009 by the netfilter project [3]. The first two letters of nftables are derived from the project; nftables simply means "netfilter tables." The stated development goals include higher data throughput, greater scalability with a view to changing requirements, and, in particular, a modular structure that is easier to maintain. Since Linux 3.13 (January 2014), nftables has existed directly in the kernel [4]. The nftables firewall tool uses internal, proven components of the netfilter project.
As of the release of Debian 10 "Buster," which is planned for summer 2019, Debian will completely rely on nftables [5], which will also affect derivatives like Ubuntu and Linux Mint. Red Hat-based distros are also moving to more reliance on nftables. The current releases of most Linux distributions already contain nftables – not enabled, but ready for use.
Extensions and Conversions
You can create rules for firewalls with the command-line tools iptables
(IPv4), ip6tables
(IPv6), arptables
(ARP packets), and ebtables
(Ethernet frames). Nftables replaces all four with a single command-line tool named nft
, which now sets all the rules for accepting, forwarding, modifying, or rejecting packets from the network on the system.
Iptables uses different filters and three processing chains named INPUT
, FORWARD
, and OUTPUT
to handle packets. The nftables framework does not have any similar built-in chains – you'll have to define the chains yourself.
Nft uses two libraries: libmnl, a minimalist Netlink library [6], and libnfnetlink, a Netlink library in userspace [7]. As a result, the size of the code in the Linux kernel is smaller, and small changes to nft
do not mean that you need to customize the kernel [8].
To make sure that the appropriate kernel module is loaded in your system kernel, work with the output from the modinfo
(Figure 1) and lsmod
(Figure 2) commands. The feedback in the examples shown is positive and lets you get started with nft
directly.
Basic Configuration
Nftables starts with a completely empty ruleset; there are no predefined tables, chains, or rules. As the user (or admin), you first create the tables, add chains that latch into the Linux kernel as netfilter hooks, and then populate them with appropriate rules. All these steps are performed using the nft
command, which you execute as root.
Listing 1 demonstrates how to define a firewall that does not (yet) let packets through. The first command (line 1) creates a table for IP packets of type filter
. Line 2 adds a chain to the filter
table. In line 3, a rule is added to the chain to discard all packets (drop
).
Listing 1
Setting Up a Chain
01 # nft add table ip filter 02 # nft add chain ip filter input {type filter hook input priority 0\;} 03 # nft add rule ip filter input drop 04 # nft list ruleset -a 05 # nft delete rule ip filter input handle 2
The command in line 4 gives an overview with all the rules on the firewall (Figure 3). In addition to the entries, there are comments in the form # handle handle_number
, which you use to reference the entries. This option is of particular interest if you want to delete or change existing specifications, or insert new ones before or after them. For example, the command from line 5 deletes the drop rule.
Basic Approach
nft
's developers chose the Berkeley Packet Filter (BPF) [9] to define the nomenclature of their rules, and they orient their work on the classic tcpdump
[10], so that you don't have to relearn everything [11].
nft
provides a number of address families: arp
(ARP), bridge
(previously provided by ebtables), inet
(includes IPv4 and IPv6), ip
(for IPv4), ip6
(for IPv6), and netdev
are predefined. netdev
is used to filter incoming packets before they reach Layer 3, according to the ISO/OSI specification.
nft
translates the rules and keeps them in a small virtual machine (nftables core
) for communication with the Linux kernel.
The example in Listing 2 demonstrates how to enable port 22 for incoming packets as needed for access via SSH. Thanks to nft
, the overhead is reduced to a single command, and the syntax is simpler.
Listing 2
Enabling Port 22
### Allow incoming packets on port 22. ### With Iptables: # iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT # iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT ### With Nft: $ nft add rule inet filter input tcp dport 22 ct state new,established accept
If you want to add two ports, 80 and 443 (i.e., HTTP and HTTPS), you need two extra lines per port for iptables. With nft
, however, you just need to extend the existing line to combine all three protocols at once. Port 22 is added in braces, followed by the two ports, 80 and 443 (Listing 3), separated by commas.
Listing 3
Adding Ports
# nft add rule inet filter input tcp dport { 22, 80, 443 } ct state new,established accept
Please note that the spaces within the brackets must be exactly as shown – otherwise Bash will swallow them up and complain. Users of Zsh run into the same problem, which you can resolve with suitable quoting.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Thousands of Linux Servers Infected with Stealth Malware Since 2021
Perfctl is capable of remaining undetected, which makes it dangerous and hard to mitigate.
-
Halcyon Creates Anti-Ransomware Protection for Linux
As more Linux systems are targeted by ransomware, Halcyon is stepping up its protection.
-
Valve and Arch Linux Announce Collaboration
Valve and Arch have come together for two projects that will have a serious impact on the Linux distribution.
-
Hacker Successfully Runs Linux on a CPU from the Early ‘70s
From the office of "Look what I can do," Dmitry Grinberg was able to get Linux running on a processor that was created in 1971.
-
OSI and LPI Form Strategic Alliance
With a goal of strengthening Linux and open source communities, this new alliance aims to nurture the growth of more highly skilled professionals.
-
Fedora 41 Beta Available with Some Interesting Additions
If you're a Fedora fan, you'll be excited to hear the beta version of the latest release is now available for testing and includes plenty of updates.
-
AlmaLinux Unveils New Hardware Certification Process
The AlmaLinux Hardware Certification Program run by the Certification Special Interest Group (SIG) aims to ensure seamless compatibility between AlmaLinux and a wide range of hardware configurations.
-
Wind River Introduces eLxr Pro Linux Solution
eLxr Pro offers an end-to-end Linux solution backed by expert commercial support.
-
Juno Tab 3 Launches with Ubuntu 24.04
Anyone looking for a full-blown Linux tablet need look no further. Juno has released the Tab 3.
-
New KDE Slimbook Plasma Available for Preorder
Powered by an AMD Ryzen CPU, the latest KDE Slimbook laptop is powerful enough for local AI tasks.