nftables
Notes
Examples
sudo nft add table ip <RULE_NAME>
sudo nft add chain ip <RULE_NAME> FILTER { type filter hook input priority 0 \; policy accept \; }
sudo nft add rule ip <RULE_NAME> FILTER tcp sport {ssh, telnet, 3389, 6010-6050} ct state {new, established} accept
sudo nft list ruleset
sudo nft add chain ip <RULE_NAME> FILTER1 { type filter hook output priority 0 \; policy accept \; }
sudo nft list ruleset
sudo nft add rule ip <RULE_NAME> FILTER1 tcp sport {ssh, telnet, 3389, 6010-6050} ct state {new, established} accept
sudo nft add rule ip <RULE_NAME> FILTER tcp dport {ssh, telnet, 3389, 6010-6050} ct state {new, established} accept
sudo nft add rule ip <RULE_NAME> FILTER1 tcp dport {ssh, telnet, 3389, 6010-6050} ct state {new, established} accept
NFTable Families
ip - IPv4 packets
ip6 - IPv6 packets
inet - IPv4 and IPv6 packets
arp - layer 2
bridge - processing traffic/packets traversing bridges.
netdev - allows for user classification of packets at the ingress hook, before nftables passes them up to the networking stack (no counterpart in iptables)
There are three chain types:
filter - to filter packets - can be used with arp, bridge, ip, ip6, and inet families
route - to reroute packets - can be used with ip and ip6 families only
nat - used for Network Address Translation - used with ip and ip6 table families only
CREATION OF HOOKS
PREROUTING
POSTROUTING
INPUT
OUTPUT
FORWARD
INGRESS - used with NETDEV family only
1. CREATE THE TABLE
nft add table [family] [table]
[family]
Represents the network protocol family such as ip, ip6, inet, arp, bridge, and netdev.
[table]
Denotes a user-provided name for the table.
2. CREATE THE BASE CHAIN
nft add chain [family] [table] [chain] { type [type] hook [hook] priority [priority] ; policy [policy] ;}
[chain]
User-defined name for the chain.
[type]
Represents the type of chain, which can be filter, route, or nat.
[hook]
Specifies the hook at which the chain should be activated, such as prerouting, ingress, input, forward, output, or postrouting.
[priority]
User-provided integer representing the priority of the rule. Lower number indicates higher priority. Default is 0. Use "--" before negative numbers.
; [policy] ;
Used to set the policy for the chain, which can be accept (default) or drop.
Use "\" to escape the ";" in bash (i.e. write "\;")
3. CREATE A RULE IN THE CHAIN
nft add rule [family] [table] [chain] [matches (matches)] [statement]
[matches]
Typically represents protocol headers (e.g., ip, ip6, tcp, udp, icmp, ether, etc.).
(matches)
Refers to specific matches within the [matches] field.
[statement]
Specifies the action performed when a packet is matched. Examples include log, accept, drop, reject, counter, nat (dnat, snat, masquerade).
MODIFY NFTABLES
nft {list | flush} ruleset
nft {delete | list | flush } table [family] [table]
nft {delete | list | flush } chain [family] [table] [chain]
nft list table [family] [table] [-a]
Adds after position
nft add rule [family] [table] [chain] [position <position>] [matches (matches)] [statement]
Inserts before position
nft insert rule [family] [table] [chain] [position <position>] [matches (matches)] [statement]
Replaces rule at handle
nft replace rule [family] [table] [chain] [handle <handle>] [matches (matches)] [statement]
Deletes rule at handle
nft delete rule [family] [table] [chain] [handle <handle>]
Save/Load nftables
Save the nftables rules:
nft list ruleset > /etc/nftables.conf
Load the saved nftables configuration using the nft command (add a line reading flush ruleset at the top of the file first; without it, every load appends a second copy of each rule instead of replacing the ruleset):
nft -f /etc/nftables.conf
Filter for SSH Traffic (Example)
Rules
Host A:
nft add table ip FILTER
nft add chain ip FILTER INPUT { type filter hook input priority 0 \; policy accept \;}
nft add chain ip FILTER OUTPUT { type filter hook output priority 0 \; policy accept \;}
Host B:
nft add table ip FILTER
nft add chain ip FILTER INPUT { type filter hook input priority 0 \; policy accept \;}
nft add chain ip FILTER OUTPUT { type filter hook output priority 0 \; policy accept \;}
Host A:
nft add rule ip FILTER OUTPUT tcp dport 22 ct state { new, established } accept
nft add rule ip FILTER INPUT tcp sport 22 ct state { new, established } accept
Host B:
nft add rule ip FILTER INPUT tcp dport 22 ct state { new, established } accept
nft add rule ip FILTER OUTPUT tcp sport 22 ct state { new, established } accept
Host A:
nft add rule ip FILTER INPUT tcp dport 22 ct state { new, established } accept
nft add rule ip FILTER OUTPUT tcp sport 22 ct state { new, established } accept
Host B:
nft add rule ip FILTER OUTPUT tcp dport 22 ct state { new, established } accept
nft add rule ip FILTER INPUT tcp sport 22 ct state { new, established } accept
Host A:
nft add chain ip FILTER INPUT { policy drop \; }
nft add chain ip FILTER OUTPUT { policy drop \; }
Host B:
nft add chain ip FILTER INPUT { policy drop \; }
nft add chain ip FILTER OUTPUT { policy drop \; }
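The table/chain/rule steps and the SSH filter above, combined into one ruleset file as an added example (not the notes' own commands): inet family, default-deny input, and one stateful rule in place of the sport/dport pairs on both chains. The ALLOWED_TCP variable, the output path and the write_and_check helper are assumptions; the file loads with nft -f exactly as in the save/load section.

```shell
#!/bin/sh
# Added example, not from the notes: the table -> chain -> rule procedure and the
# Host B side of the SSH filter, written as one ruleset file in nft's native
# syntax. Differences from the interactive commands above: inet family (IPv4+IPv6),
# default-deny input, loopback allowed, and one stateful rule instead of matching
# sport/dport 22 in both directions. ALLOWED_TCP and the file path are assumptions.
ALLOWED_TCP="${ALLOWED_TCP:-ssh}"

gen_filter_ruleset() {
    cat <<EOF
flush ruleset
table inet FILTER {
    chain INPUT {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state invalid drop
        ct state established,related accept
        tcp dport { ${ALLOWED_TCP} } ct state new accept
        counter log prefix "nft-input-drop: " drop
    }
    chain OUTPUT {
        type filter hook output priority 0; policy accept;
        ct state invalid drop
    }
}
EOF
}

# Writes the file and, if nft is installed, dry-runs it with nft -c -f so a
# syntax error is caught before a real load with nft -f could lock you out.
write_and_check() {
    out="${1:-/tmp/nftables.conf.example}"
    gen_filter_ruleset > "$out" || return 1
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$out"
    else
        echo "nft not installed; wrote $out without a syntax check" >&2
    fi
}
```

Because the input policy is drop and established/related traffic is accepted first, no sport 22 rule is needed for the replies; the single dport rule with ct state new admits only new inbound SSH connections.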
NAT, PAT, and NAT Port Forwarding (Examples)
Enable IP Forwarding (as root):
echo 1 > /proc/sys/net/ipv4/ip_forward
nft add table ip NAT
nft add chain ip NAT PREROUTING { type nat hook prerouting priority 0 \; }
nft add chain ip NAT POSTROUTING { type nat hook postrouting priority 0 \; }
1-to-1 NAT (for the servers, if you have extra public IPs)
nft add rule ip NAT POSTROUTING oif eth0 ip saddr 10.0.0.10 snat to 100.1.1.10
nft add rule ip NAT POSTROUTING oif eth0 ip saddr 10.0.0.11 snat to 100.1.1.11
nft add rule ip NAT POSTROUTING oif eth0 ip saddr 10.0.0.12 snat to 100.1.1.12
PAT (for the clients)
nft add rule ip NAT POSTROUTING oif eth0 masquerade
Port Forward (for the servers, if you don't have extra public IPs)
nft add rule ip NAT PREROUTING iif eth0 tcp dport 80 dnat to 10.0.0.10:80
nft add rule ip NAT PREROUTING iif eth0 tcp dport 21 dnat to 10.0.0.11:21
nft add rule ip NAT PREROUTING iif eth0 tcp dport 23 dnat to 10.0.0.12:23
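The NAT commands above as one ruleset file, an added example rather than the notes' commands, using nft maps in place of one rule per host and adding the forward chain that a NAT-only table does not give you. eth0 and the 10.0.0.x / 100.1.1.x addresses come from the notes; LAN_IF=eth1, the chain priorities, the table name and the apply_nat_ruleset helper are assumptions.

```shell
#!/bin/sh
# Added example, not from the notes: the NAT section above as one ruleset file,
# with a map per NAT type instead of one rule per host, plus the forward chain
# a NAT-only table lacks (with ip_forward=1 and no forward chain, every routed
# packet passes). eth0 and the 10.0.0.x/100.1.1.x hosts are from the notes;
# LAN_IF=eth1, the chain priorities and the table name are assumptions.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"

gen_nat_ruleset() {
    cat <<EOF
flush ruleset
table ip NAT {
    chain PREROUTING {
        type nat hook prerouting priority -100; policy accept;
        # port forwards (no spare public IPs): public port -> internal host, same port
        iif ${WAN_IF} dnat to tcp dport map { 80 : 10.0.0.10, 21 : 10.0.0.11, 23 : 10.0.0.12 }
    }
    chain POSTROUTING {
        type nat hook postrouting priority 100; policy accept;
        # 1-to-1 SNAT for servers that own a public address; must come before the PAT rule
        oif ${WAN_IF} snat to ip saddr map { 10.0.0.10 : 100.1.1.10, 10.0.0.11 : 100.1.1.11, 10.0.0.12 : 100.1.1.12 }
        # PAT for every other internal client
        oif ${WAN_IF} masquerade
    }
    chain FORWARD {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iif ${LAN_IF} oif ${WAN_IF} ct state new accept
        iif ${WAN_IF} ct status dnat accept
        counter drop
    }
}
EOF
}

# Turns on routing and loads the file; run as root. nft -c -f dry-runs it first.
apply_nat_ruleset() {
    f="${1:-/etc/nftables.conf}"
    gen_nat_ruleset > "$f" || return 1
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    nft -c -f "$f" && nft -f "$f"
}
```

The forward chain only admits new connections from the LAN side and inbound connections that were rewritten by the dnat map (ct status dnat), so enabling ip_forward does not turn the box into an open router.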