nftables-0.9.3

Introduction to nftables

The nftables package, intended to be the successor to iptables-1.8.3, provides a low-level netlink programming interface (API) and userspace utilities for the in-kernel nf_tables subsystem.

This package is known to build and work properly using an LFS-9.0 platform.

Package Information

nftables Dependencies

Required

libnftnl-1.1.5

Recommended

Optional

iptables-1.8.3 and DocBook-utils-0.6.14

Optional (runtime)

conntrack-tools, nfacct, and ulogd

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/nftables

Kernel Configuration

Enable the following options in the kernel configuration and recompile the kernel if necessary (add any additional nf_tables features as needed):

[*] Networking support [CONFIG_NET] --->
    Networking options --->
    [*] Network packet filtering framework (Netfilter) [CONFIG_NETFILTER] --->
        Core Netfilter Configuration --->
          <*> * protocol support [CONFIG_NF_CONNTRACK_*]
          <*> Netfilter nf_tables support [CONFIG_NF_TABLES]
          [*]   Netfilter nf_tables * support [CONFIG_NF_TABLES_*]

Include any connection tracking protocols that will be used, and any protocols you wish to match on, under the "Core Netfilter Configuration" section. Additionally, enable each "Netfilter nf_tables * module" that your rules will use under the "Netfilter nf_tables support" section. A rule that needs a module the kernel lacks is rejected when the ruleset is loaded, not silently ignored.
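To see whether a kernel already carries these options before rebuilding it, here is an added example script (not part of the BLFS book or of the nftables package) that reads a kernel .config, or the running kernel's configuration from /proc/config.gz or /boot, and reports which options are neither built in nor modular. The option list is an assumption: it is the minimum for the example ruleset later on this page (connection tracking, nat and masquerade, the inet family); other expressions need further CONFIG_NFT_* symbols.

```shell
#!/bin/sh
# Added example, not part of the BLFS book or the nftables package:
# report which kernel options needed for the example ruleset on this
# page are missing from a kernel .config.
# Assumption: the list below is the minimum for that ruleset (conntrack,
# nat/masquerade, inet family). Other expressions need more symbols,
# e.g. CONFIG_NFT_REJECT for "reject" or CONFIG_NFT_LOG for "log".

NFT_REQUIRED_OPTIONS="
CONFIG_NET
CONFIG_NETFILTER
CONFIG_NF_CONNTRACK
CONFIG_NF_NAT
CONFIG_NF_TABLES
CONFIG_NF_TABLES_INET
CONFIG_NFT_CT
CONFIG_NFT_NAT
CONFIG_NFT_MASQ
"

# kconfig_value FILE SYMBOL: print y, m, n (explicitly not set), unset
# (symbol absent, e.g. the kernel is too old to know it), or the literal
# value of a string/int option.
kconfig_value() {
    _file=$1 _sym=$2
    # The trailing [= ] keeps CONFIG_NF_TABLES from matching CONFIG_NF_TABLES_INET.
    _line=$(grep -E "^(# )?${_sym}[= ]" "$_file" | head -n 1)
    case $_line in
        "${_sym}=y")            echo y ;;
        "${_sym}=m")            echo m ;;
        "# ${_sym} is not set") echo n ;;
        "")                     echo unset ;;
        *)                      echo "${_line#*=}" ;;
    esac
}

# check_nft_kconfig FILE: print one "missing:" line per option that is
# neither built in (y) nor a module (m); return 1 if anything is missing.
check_nft_kconfig() {
    _file=$1 _missing=0
    for _sym in $NFT_REQUIRED_OPTIONS; do
        _val=$(kconfig_value "$_file" "$_sym")
        case $_val in
            y|m) ;;
            *)   echo "missing: $_sym (currently: $_val)"; _missing=1 ;;
        esac
    done
    return $_missing
}

# running_kconfig OUT: copy the running kernel's configuration to OUT.
# Needs CONFIG_IKCONFIG_PROC, or a config file left in /boot by the install.
running_kconfig() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz > "$1"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)" > "$1"
    else
        echo "no kernel configuration found for $(uname -r)" >&2
        return 1
    fi
}

# Usage: check_running_kernel   (or: check_nft_kconfig /usr/src/linux/.config)
check_running_kernel() {
    _tmp=$(mktemp) || return 1
    running_kconfig "$_tmp" && check_nft_kconfig "$_tmp"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}
```

Run check_running_kernel on the firewall host, or point check_nft_kconfig at the .config of a kernel tree you are about to build; a non-zero exit means at least one symbol must be enabled before the example ruleset will load.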

Installation of nftables

Install nftables by running the following commands:

./configure --prefix=/usr     \
            --sbindir=/sbin   \
            --sysconfdir=/etc \
            --with-json       \
            --with-python-bin=/usr/bin/python3 &&
make

This package does not come with a test suite.

Now, as the root user:

make install                   &&
mv /usr/lib/libnftables.so.* /lib &&
ln -sfv ../../lib/$(readlink /usr/lib/libnftables.so) /usr/lib/libnftables.so

Command Explanations

--disable-static: Add this switch to prevent installation of the static version of the library (the instructions above install libnftables.a as well).

--with-json: Build with support for JSON rules. Omit this switch if jansson-2.12 is not available.

--with-python-bin=/usr/bin/python3: Force the use of Python 3.

--enable-man-doc: Build the man pages if asciidoc-8.6.9 is installed (required if adding JSON support).

--with-xtables: Build with libxtables support from iptables-1.8.3.

mv /usr/lib/libnftables.so.* /lib: Move the shared library into /lib so that it is available before /usr is mounted; the following ln command repoints the /usr/lib/libnftables.so development symlink at the moved library.

Configuring nftables

[Note]

Note

If you intend to use firewalld-0.8.0 to configure your firewall rules, you should not use the example configuration provided here, nor should you enable the bootscript.

Masquerading Router

A network firewall has two interfaces, one connected to an intranet, in this example LAN1, and one connected to the Internet, here WAN1. You will need to adjust these values to match your particular system. To provide the maximum security for the firewall itself, make sure that there are no unnecessary servers running on it, such as X11 et al. As a general principle, the firewall itself should not access any untrusted service (think of a remote server giving answers that make a daemon on your system crash, or even worse, that implements a worm via a buffer overflow).

[Note]

Note

In the following example configuration, LAN1 is used for the internal LAN interface, and WAN1 is used for the external interface connected to the Internet. You will need to replace these values with appropriate interface names for your system.

cat > /etc/nftables/nftables.conf << "EOF"
#!/sbin/nft -f

# You're using the example configuration for a setup of a firewall
# from Beyond Linux From Scratch.
#
# This example is far from being complete, it is only meant
# to be a reference.
#
# Firewall security is a complex issue, that exceeds the scope
# of the configuration rules below.
#
# You can find additional information
# about firewalls in Chapter 4 of the BLFS book.
# http://www.linuxfromscratch.org/blfs

# Drop all existing rules
flush ruleset

# Filter for both IPv4 and IPv6 (the inet family)
table inet filter {

        # filter incoming packets
        chain input {

                # Drop everything that doesn't match policy
                type filter hook input priority 0; policy drop;

                # accept packets for established connections
                ct state { established, related } accept

                # Drop packets that have a connection state of invalid
                ct state invalid drop

                # Allow connections to the loopback adapter
                iifname "lo" accept

                # Allow connections to the LAN1 interface
                iifname "LAN1" accept

                # Accept ICMP (IPv4) and ICMPv6. "ip protocol" only sees IPv4;
                # ICMPv6 carries neighbour discovery, so dropping it breaks IPv6
                meta l4proto { icmp, ipv6-icmp } accept

                # Allow ssh connections on LAN1 (already covered by the LAN1
                # rule above; keep this one if you tighten that rule later)
                iifname "LAN1" tcp dport ssh accept

                # Drop everything else
                drop
        }

        # Allow forwarding for external connections to WAN1
        chain forward {

                # Drop if it doesn't match policy
                type filter hook forward priority 0; policy drop;

                # Accept connections on WAN1
                oifname "WAN1" accept

                # Allow forwarding to another host via this interface
                # Uncomment the following line to allow connections
                # ip daddr 192.168.0.2 ct status dnat accept

                # Allow established and related connections
                iifname "WAN1" ct state { established, related } accept
        }

        # Filter output traffic
        chain output {

                # Allow everything outbound
                type filter hook output priority 0; policy accept;
        }
}

# NAT table. The ip family is IPv4 only; IPv6 NAT would need a separate ip6 table
table ip nat {

        chain prerouting {

                # Packets are seen here before routing; policy accept means
                # only the explicit dnat rules below change anything
                type nat hook prerouting priority 0; policy accept;

                # Accept http and https on 192.168.0.2
                # Uncomment the following line to allow http and https
                #iifname "WAN1" tcp dport { http, https } dnat to 192.168.0.2
        }

        chain postrouting {

                # accept outbound
                type nat hook postrouting priority 0; policy accept;

                # Masquerade on WAN1 outbound
                oifname "WAN1" masquerade
        }
}
EOF

With this configuration your intranet should be reasonably secure against external attacks. No host on the Internet should be able to set up a new connection to any internal service other than those explicitly forwarded above. Note that the forward chain accepts everything leaving through WAN1, so internal hosts are not restricted in what they may connect to outbound; add rules to that chain if you need such restrictions.

There are several other examples in the /etc/nftables directory.
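The file above still contains the placeholders LAN1 and WAN1, and nft -f replaces the whole ruleset in one transaction, so a mistake applied to a remote firewall can cut off the very ssh session used to fix it. The following is an added example (not BLFS or nftables code) that renders the interface names into a copy of the file, checks it with nft -c, loads it atomically, and restores the previous ruleset automatically unless the change is confirmed within a timeout. The nft invocations (-c -f, -f, list ruleset, flush ruleset) are real; the function names, the temporary file locations and the /run/nft-rollback.pending marker are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the BLFS book or the nftables package:
# render the interface placeholders of /etc/nftables/nftables.conf and
# load the result with an automatic rollback. The marker path
# /run/nft-rollback.pending and the function names are assumptions.

# valid_ifname NAME: Linux interface names are at most 15 bytes (IFNAMSIZ-1).
# The character set is tighter than the kernel's so the name is safe to
# splice into the sed expression below.
valid_ifname() {
    case $1 in
        '')                  return 1 ;;
        *[!A-Za-z0-9_.:-]*)  return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# render_ruleset TEMPLATE LAN_IF WAN_IF OUT: replace the quoted placeholders
# "LAN1" and "WAN1" used in the example configuration. A misspelt
# iifname/oifname matches nothing and is not a syntax error, so the
# interface names are validated here rather than trusted.
render_ruleset() {
    _tpl=$1 _lan=$2 _wan=$3 _out=$4
    valid_ifname "$_lan" || { echo "bad LAN interface name: '$_lan'" >&2; return 1; }
    valid_ifname "$_wan" || { echo "bad WAN interface name: '$_wan'" >&2; return 1; }
    sed -e "s/\"LAN1\"/\"$_lan\"/g" -e "s/\"WAN1\"/\"$_wan\"/g" "$_tpl" > "$_out"
}

# apply_with_rollback RULESET [SECONDS]
# nft -c parses and validates the file without touching the kernel; nft -f
# then commits it as a single transaction. nft cannot know that the new
# rules cut off your ssh session, so the previous ruleset is restored by a
# background timer unless confirm_ruleset is run within SECONDS (default 60).
apply_with_rollback() {
    _rules=$1 _wait=${2:-60}
    _backup=$(mktemp /tmp/nft-backup.XXXXXX) || return 1
    if ! nft -c -f "$_rules"; then
        echo "check failed, running ruleset untouched" >&2
        rm -f "$_backup"
        return 1
    fi
    # "flush ruleset" first so that restoring is itself one atomic transaction.
    { echo "flush ruleset"; nft list ruleset; } > "$_backup" || return 1
    nft -f "$_rules" || return 1
    echo "$_backup" > /run/nft-rollback.pending
    (
        sleep "$_wait"
        if [ -e "$_backup" ]; then
            nft -f "$_backup"
            rm -f "$_backup" /run/nft-rollback.pending
            echo "nftables: not confirmed within ${_wait}s, previous ruleset restored" >&2
        fi
    ) &
    echo "loaded $_rules; run confirm_ruleset within ${_wait}s to keep it"
}

# confirm_ruleset: cancel the pending rollback.
confirm_ruleset() {
    _backup=$(cat /run/nft-rollback.pending 2>/dev/null) || return 1
    rm -f "$_backup" /run/nft-rollback.pending
}

# deploy_firewall TEMPLATE LAN_IF WAN_IF: render, check the interfaces exist,
# load with rollback. Copy the rendered file over /etc/nftables/nftables.conf
# once confirmed so the boot script loads the same rules.
deploy_firewall() {
    _rendered=$(mktemp /tmp/nftables.conf.XXXXXX) || return 1
    render_ruleset "$1" "$2" "$3" "$_rendered" || return 1
    for _if in "$2" "$3"; do
        [ -e "/sys/class/net/$_if" ] || { echo "no such interface: $_if" >&2; return 1; }
    done
    apply_with_rollback "$_rendered" 60
}
```

Typical use on the firewall, as root: deploy_firewall /etc/nftables/nftables.conf eth0 ppp0, then confirm_ruleset from a fresh ssh session once you have verified you can still reach the host. nft -c catches syntax errors and unknown expressions, but not rules that are valid and wrong; the timer is what covers that case.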

Boot Script

To set up the nftables firewall at boot, install the /etc/rc.d/init.d/nftables init script included in the blfs-bootscripts-20191204 package.

make install-nftables

Contents

Installed Programs: nft
Installed Libraries: libnftables.{a,so}
Installed Directories: /etc/nftables

Short Descriptions

nft

command line interface for the nf_tables subsystem.

libnftables.{a,so}

provides functions for manipulating the nf_tables subsystem.
