nft command: Tutorial & Examples
Configure the kernel's firewall
nftables is a packet filtering framework that can be used to configure open ports on a Linux system. It is the successor to the iptables firewall and is designed to be easier to use and more powerful than its predecessor.
How nft works
The nft command operates by interacting with the kernel's packet filtering infrastructure to manage firewall rules. It supports both IPv4 and IPv6 rulesets, allowing for versatile configurations tailored to the network environment. It effectively replaces the legacy iptables, providing a more streamlined approach to configuring network rules.
What nft does
The primary function of nft is to manage packet filtering rules, enabling or disabling connections based on user-defined criteria such as IP addresses, ports, and protocols. It can also manage NAT (Network Address Translation) rules and create tables and chains to organize rules systematically.
What nft is used for
nft is used for a variety of tasks, including:
- Setting rules for incoming and outgoing network traffic.
- Managing NAT (Network Address Translation) rules.
- Creating tables and chains to organize rules systematically.
- Implementing rate limiting and advanced packet filtering strategies.
Why nft is important
nft is important because it simplifies the management of complex firewall rules and provides a unified interface for both IPv4 and IPv6 filtering. It enhances security by allowing system administrators to create precise and efficient rulesets, and it significantly reduces the complexity compared to managing multiple tools.
Technical background
nft operates on top of the Netfilter framework in the Linux kernel, which provides hooks for packet processing. The rules defined using nft manipulate these hooks to allow or deny traffic based on the specified conditions. This framework allows for fast and efficient processing of packets, as rules are evaluated in a structured manner.
Common command line parameters
Some common parameters used with the nft command include:
- add: Adds a new rule or object.
- delete: Removes an existing rule or object.
- list: Displays current rules and settings.
- flush: Removes all rules from a specified table or chain.
- set: Modifies existing rules or objects.
Practical examples using nft
You can use the nft command to configure your firewall rules. To open a port, you can use the add rule command followed by the inet family and the tcp or udp protocol, depending on the type of port you want to open. For example, to open TCP port 80 for HTTP traffic, you could use the following command:
nft add rule inet filter input tcp dport 80 accept
You can also restrict the open port to a specific IP address or network. For example, to open TCP port 80 only to connections from the IP address 192.168.0.1, you could use the following command:
nft add rule inet filter input tcp dport 80 ip saddr 192.168.0.1 accept
To display the current configuration, you can use the following command:
nft list ruleset
The output will look similar to this:
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        iifname "wg0" accept
        ip saddr 10.1.0.0/24 accept
        ip protocol icmp limit rate 4/second accept
        ip6 nexthdr ipv6-icmp limit rate 4/second accept
        ip protocol igmp limit rate 4/second accept
        tcp dport { 22 } accept
        tcp dport { 80, 443 } accept
        udp dport { 80, 443 } accept
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
Advanced usage of nft
nft provides advanced features that enhance its capabilities. For example, you can implement rate limiting:
nft add rule inet filter input tcp dport 80 limit rate 10/minute accept
This rule limits incoming connections to TCP port 80 to 10 per minute.
Additionally, you can use nft with sets, which allow you to manage groups of addresses or ports. This is useful for managing multiple IP addresses or ports more efficiently (the braces and the semicolon are quoted so that the shell passes them through to nft unchanged):
nft add set inet filter myset '{ type ipv4_addr; }'
nft add element inet filter myset '{ 192.168.0.1, 192.168.0.2 }'
You can then reference this set in your rules, making the configuration cleaner and more manageable.
Potential problems and pitfalls
Improper configuration of nft can lead to unintentional blocking of legitimate traffic or to exposing services to the internet. It is crucial to test configurations in a safe environment before applying them to production systems. Additionally, always ensure that you have a way to access your system (such as SSH) before applying rules that might block access.
Performance considerations
Using nft can improve performance compared to iptables due to its optimized rule evaluation process. The structure of rules in nft allows for efficient processing, especially in scenarios with a large number of rules. However, it is essential to keep rulesets organized to maintain performance.
Security considerations
When configuring nft, always follow best practices for security:
- Least privilege: Only allow necessary traffic to reduce exposure.
- Logging: Implement logging for dropped packets to monitor suspicious activity.
- Backup: Regularly back up your rulesets to prevent loss of configuration.
Tips and best practices
- Regularly review and audit your firewall rules.
- Keep your rulesets as simple as possible to enhance performance and maintainability.
- Use logging to monitor dropped packets for troubleshooting. You can enable logging with the following command (the quotes are escaped so that the shell passes them through to nft):
nft add rule inet filter input tcp dport 80 log prefix \"HTTP drop: \" drop
- Document changes to your firewall rules for future reference.
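The nft add commands in the practical examples, the set and rate-limit commands under advanced usage, and the logging tip above all assume that table inet filter and its input chain already exist and that every argument survives shell quoting. As an added example (not code from the original page), the same configuration is written here as one ruleset file that is syntax-checked with nft -c before being loaded atomically; the file path, the set name web_clients and the client addresses are assumptions.

```shell
# Added example, not from the original page: build the ruleset the page's
# "nft add rule" commands assume as one atomic file, check it, then load it.
# Assumptions: the file path, the set name and the client addresses.
RULESET="${RULESET:-${TMPDIR:-/tmp}/filter.nft}"

write_ruleset() {
    cat > "$RULESET" <<'EOF'
flush ruleset

table inet filter {
    # hosts allowed to reach the web port (constructed sample addresses)
    set web_clients {
        type ipv4_addr
        flags interval
        elements = { 192.168.0.1, 192.168.0.2, 10.1.0.0/24 }
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # SSH comes first so a mistake further down cannot lock you out
        tcp dport 22 accept

        # "limit" counts matching packets, so restrict it to new connections;
        # established flows are already accepted by the ct state rule above
        ip saddr @web_clients tcp dport 80 ct state new limit rate 10/minute burst 5 packets accept

        # log what is left (rate limited) before the chain policy drops it
        limit rate 4/second log prefix "nft input drop: "
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
EOF
}

# Parse and validate only (nft -c): nothing reaches the kernel.
check_ruleset() { nft -c -f "$RULESET"; }

# Apply the whole file atomically; on a syntax error nothing changes.
load_ruleset() { check_ruleset && nft -f "$RULESET"; }
```

Run write_ruleset, then check_ruleset as root; only call load_ruleset once the check passes and you have console or out-of-band access to the host.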
Common errors and troubleshooting
- Module not found: Ensure that nftables is installed and loaded in the kernel. Check with:
lsmod | grep nft
- Syntax errors: Double-check command syntax and ensure proper spacing and punctuation. Use nft -c -f <file> (check mode) to validate the syntax of your ruleset file without applying it.
- Policy issues: Review default policies to avoid unintentional blocking of traffic. Use nft list ruleset to check current policies.