nft command: Tutorial & Examples

Configure the kernel's firewall

nftables is a packet filtering framework that can be used to configure open ports on a Linux system. It is a successor to the iptables firewall and is designed to be easier to use and more powerful than its predecessor.

How nft works

The nft command operates by interacting with the kernel's packet filtering infrastructure to manage firewall rules. It supports both IPv4 and IPv6 rulesets, allowing for versatile configurations tailored to the network environment. It effectively replaces the legacy iptables, providing a more streamlined approach to configuring network rules.

What nft does

The primary function of nft is to manage packet filtering rules, enabling or disabling connections based on user-defined criteria such as IP addresses, ports, and protocols. It can also manage NAT (Network Address Translation) rules and create tables and chains to organize rules systematically.

What nft is used for

nft is used for a variety of tasks, including:

  • Setting rules for incoming and outgoing network traffic.
  • Managing NAT (Network Address Translation) rules.
  • Creating tables and chains to organize rules systematically.
  • Implementing rate limiting and advanced packet filtering strategies.

Why nft is important

nft is important because it simplifies the management of complex firewall rules and provides a unified interface for both IPv4 and IPv6 filtering. It enhances security by allowing system administrators to create precise and efficient rulesets, and it significantly reduces the complexity compared to managing multiple tools.

Technical background

nft operates on top of the Netfilter framework in the Linux kernel, which provides hooks for packet processing. The rules defined using nft manipulate these hooks to allow or deny traffic based on the specified conditions. This framework allows for fast and efficient processing of packets, as rules are evaluated in a structured manner.

Common command line parameters

Some common parameters used with the nft command include:

  • add: Adds a new rule or object.
  • delete: Removes an existing rule or object.
  • list: Displays current rules and settings.
  • flush: Removes all rules from a specified table or chain.
  • set: Modifies existing rules or objects.

Practical examples using nft

You can use the nft command to configure your firewall rules. To open a port, use the add rule command followed by the table family (inet), the table and chain (filter input), and a tcp or udp dport match, depending on the type of port you want to open. For example, to open TCP port 80 for HTTP traffic, you could use the following command:

nft add rule inet filter input tcp dport 80 accept

You can also specify a specific IP address or network to which the port should be open. For example, to open TCP port 80 only to connections from the IP address 192.168.0.1, you could use the following command:

nft add rule inet filter input tcp dport 80 ip saddr 192.168.0.1 accept

To display the current configuration, you can use the following command:

nft list ruleset

The output will look similar to this:

table inet filter {
        chain input {
                type filter hook input priority filter; policy drop;
                ct state established,related accept
                ct state invalid drop
                iifname "lo" accept
                iifname "wg0" accept
                ip saddr 10.1.0.0/24 accept
                ip protocol icmp limit rate 4/second accept
                ip6 nexthdr ipv6-icmp limit rate 4/second accept
                ip protocol igmp limit rate 4/second accept
                tcp dport { 22 } accept
                tcp dport { 80, 443 } accept
                udp dport { 80, 443 } accept
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }
}

Advanced usage of nft

nft provides advanced features that enhance its capabilities. For example, you can implement rate limiting:

nft add rule inet filter input tcp dport 80 limit rate 10/minute accept

This rule limits incoming connections to TCP port 80 to 10 per minute.

Additionally, you can use nft with sets, which allow you to manage groups of addresses or ports. This is useful for managing multiple IP addresses or ports more efficiently:

nft add set inet filter myset '{ type ipv4_addr; }'
nft add element inet filter myset '{ 192.168.0.1, 192.168.0.2 }'

You can then reference this set in your rules, making the configuration cleaner and more manageable.
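A complete ruleset that ties the pieces above together, as an added example that is not from the original page: the add rule commands earlier assume that the table filter and the chain input already exist, so this script writes the whole ruleset to a file, checks it with nft -c and loads it atomically with nft -f. The set name web_clients, the SSH rate limit on new connections and the function names are choices made here for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: the "add rule inet filter input"
# commands above assume a table "filter" with an "input" chain already exist,
# so this script writes a complete ruleset file, syntax-checks it (nft -c) and
# loads it atomically (nft -f). Table and set names are chosen here.

write_ruleset() {
    # $1 = path of the ruleset file to write (e.g. /etc/nftables.conf)
    cat > "$1" <<'EOF'
flush ruleset
table inet filter {
    # named set of IPv4 addresses, referenced by one rule below
    set web_clients {
        type ipv4_addr
        elements = { 192.168.0.1, 192.168.0.2 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # rate-limit *new* SSH connections; without "ct state new" the limit
        # would count every packet, including those of already open sessions
        tcp dport 22 ct state new limit rate 10/minute accept
        # web ports only for addresses in the set
        ip saddr @web_clients tcp dport { 80, 443 } accept
        # log what the drop policy is about to discard
        log prefix "input drop: " drop
    }
}
EOF
}

check_ruleset() {
    # $1 = ruleset file; dry-run parse with nft -c when it can actually be
    # run (nft installed, root), otherwise report and return 0
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        nft -c -f "$1"
    else
        echo "skipping nft -c (needs nft and root)" >&2
    fi
}

load_ruleset() {
    # $1 = ruleset file; "flush ruleset" plus the new table load as one
    # transaction, so a typo cannot leave a half-applied firewall. Note that
    # "flush ruleset" also removes tables created by other tools.
    check_ruleset "$1" && nft -f "$1"
}
```

As root, write_ruleset /etc/nftables.conf followed by load_ruleset /etc/nftables.conf applies the whole file; keep an open SSH session while you do it in case the policy drop locks you out.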

Potential problems and pitfalls

Improper configuration of nft can lead to unintentional blocking of legitimate traffic or exposing services to the internet. It is crucial to test configurations in a safe environment before applying them to production systems. Additionally, always ensure that you have a way to access your system (like SSH) before applying rules that might block access.

Performance considerations

Using nft can improve performance compared to iptables due to its optimized rule evaluation process. The structure of rules in nft allows for efficient processing, especially in scenarios with a large number of rules. However, it is essential to keep rulesets organized to maintain performance.

Security considerations

When configuring nft, always follow best practices for security:

  • Least privilege: Only allow necessary traffic to reduce exposure.
  • Logging: Implement logging for dropped packets to monitor suspicious activity.
  • Backup: Regularly back up your rulesets to prevent loss of configuration.

Tips and best practices

  • Regularly review and audit your firewall rules.

  • Keep your rulesets as simple as possible to enhance performance and maintainability.

  • Use logging to monitor dropped packets for troubleshooting. You can enable logging using:

    nft add rule inet filter input tcp dport 80 log prefix "HTTP drop: " drop
    
  • Document changes to your firewall rules for future reference.
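Logged drops are only useful if someone reads them. As an added example that is not part of the original page, this script summarises the kernel log lines that a log prefix rule like the one above produces, counting drops per source address and destination port; the log lines are constructed for the example and the function names are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original page): summarise kernel log lines
# written by an nft "log prefix" rule, counting drops per source address and
# destination port. The sample lines below are constructed for the example;
# real ones come from "journalctl -k" or dmesg.

SAMPLE_LOG='Mar  3 10:00:01 host kernel: HTTP drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1234 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:00:02 host kernel: HTTP drop: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51001 DPT=80 SYN URGP=0
Mar  3 10:00:03 host kernel: HTTP drop: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
Mar  3 10:00:04 host kernel: input drop: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Mar  3 10:00:05 host sshd[100]: Accepted publickey for alice from 10.1.0.4 port 50000'

# drop_summary PREFIX < log  -> lines "count src dpt", most frequent first
drop_summary() {
    prefix="$1"
    awk -v p="$prefix" '
        index($0, p) == 0 { next }          # keep only lines with our prefix
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {     # netfilter log fields are KEY=VALUE
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") n[src " " dpt]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# top_source PREFIX < log  -> the single address with the most logged drops
top_source() {
    drop_summary "$1" | head -n 1 | cut -d' ' -f2
}
```

Run it against the live log with journalctl -k | drop_summary "HTTP drop: " to see which sources keep hitting the blocked port.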

Common errors and troubleshooting

  • Module not found: Ensure that nftables is installed and loaded in the kernel. Check with:

    lsmod | grep nft
    
  • Syntax errors: Double-check command syntax and ensure proper spacing and punctuation. Use nft -c -f <file> to check the syntax of your ruleset file without applying it.

  • Policy issues: Review default policies to avoid unintentional blocking of traffic. Use nft list ruleset to check current policies.

The text above is licensed under CC BY-SA 4.0.