Nftables

Introduction

Successor to iptables

Commands

nft list ruleset
nft -a list ruleset: list with handle to use for other delete and add commands
nft -i: interactive mode
sysctl -w net.ipv4.conf.all.log_matians=1: log kernel packet
- view by: tail -f /var/log/kern.log
sysctl -w net.ipv4.conf.all.route_localnet=1: allow routing to 127.0.0.x address

Chains

Rule action:
- drop: silently drop traffic
- reject: response to client with icmp message
- accept: accept traffic
- jump: Jump to chain and go back to this position
- goto: goto chain and will not go back

# policy.nft
flush ruleset
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        tcp port counter jump CHAIN1
        tcp port counter goto CHAIN2
        ip protocol tcp counter jump CHAIN_TCP
        ip protocol udp counter jump CHAIN_UDP
        ip protocol icmp counter jump CHAIN_ICMP
    }

    chain CHAIN1 {
        counter
    }

    chain CHAIN2 {
        counter
    }

     chain CHAIN_TCP {
        counter accept
    }

    chain CHAIN_UDP {
        counter accept
    }

    chain CHAIN_ICMP {
        counter accept
    }
}

VMAP

flush ruleset
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        ip protocol vmap {
            tcp : jump CHAIN_TCP,
            udp : jump CHAIN_UDP,
            icmp : jump CHAIN_ICMP
        }
    }
    
    chain CHAIN_TCP {
        counter accept
    }

    chain CHAIN_UDP {
        counter accept
    }

    chain CHAIN_ICMP {
        counter accept
    }
}

flush ruleset
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        iifname . ip protocol vmap {
            eth0 . tcp : jump ETH0_CHAIN_TCP,
            eth0 . udp : jump ETH0_CHAIN_UDP,
            eth1 . icmp : jump ETH1_CHAIN_ICMP
        }
    }
    
    chain ETH0_CHAIN_TCP {
        counter accept
    }

    chain ETH0_CHAIN_UDP {
        counter accept
    }

    chain ETH1_CHAIN_ICMP {
        counter accept
    }
}

flush ruleset
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        ct state vmap { established : accept, related: accept, invalid : drop}
        # ct state established, related accept
        # ct state invalid drop
    }
}

Set

    set allowed_ips {
        typeof ip saddr
        
        # allow adding prefix elements using: nft add element ip filter allowed_ips { 192.168.1.0/24 }
        flags interval
        # with constant, not allow to modify
        # flags interval, constant

        # auto combine ip address in elements such as 192.168.1.1 and 192.168.1.0/24 to 192.168.1.0/24
        auto-merge

        elements = {192.168.1.1, 192.168.1.2}
    }

nft add element ip filter allowed_ips { 192.16.1.1 - 192.168.1.10}: add a range to set

Configure firewall policies

load configuration: nft -f input.nft
Command to monitor:
- conntrack -L: list connection state table
- conntrack -L -p icmp: list icmp packets

Input Chain

# input.nft
# Remove all rule
flush ruleset

table ip filter {
    counter cnt_http {
    }

    counter cnt_ftp {
    }

    set allowed_ips {
        typeof ip saddr
        elements = {192.168.1.1, 192.168.1.2}
    }

    set allowed_ips_port {
        typeof ip saddr . tcp dport 21
        elements = {192.168.1.1 . 21, 192.168.1.2 . 21}
    }
    chain input {
        #default policy, if no packet matches
        type filter hook input priority filter; policy accept;

        # Allow outgoing packet from the server to return
        ct state established, related counter accept
        
        # Drop invalid packet
        ct state invalid counter drop
        
        # allow packets to loopback interface
        iif lo counter accept
        
        # accept connection on port 22
        tcp dport 22 accept
        # can use counter to count number of packets match
        # tcp dport 22 counter accept
        # or just access new connection on port 22
        # ct state new tcp dport 22 counter accept, next packet will be handle by ct state established, related above
        
        # log counter using cnt_http counter, allow source ip and combine both ports
        ct state new ip saddr {192.168.1.1, 192.168.1.2} tcp dport {80, 8080} counter name "cnt_http" accept
        # or similar to above, but use set
        # ct state new ip saddr @allowed_ips tcp dport {80, 8080} counter name "cnt_ftp" accept

        # allow IP to specific port
        ct state new ip saddr . tcp dport @_allowed_ips_port counter name "cnt_http" accept
        
        # drop unmatched traffic, and count packets
        counter drop
    }
}

Block traffic after 3 attempts

flush ruleset
table ip filter{
    set stage1 {
        typeof ip saddr
        flags timeout
    }
    
    set stage2 {
        typeof ip saddr
        flags timeout
    }

    set stage3 {
        typeof ip saddr
        flags timeout
    }
    chain input {
        type filter hook input priority filter; policy accept;
        ct state related, established accept
        ct state new ip saddr 192.168.1.1 tcp dport 22 accept

        # thrid connection will be added to stage1 which timeout after 1d
        ct state new ip saddr @stage2 tcp dport 22 add @stage3 {ip saddr timeout 1d}

        # second connection will be added to stage1 which timeout after 1 min
        ct state new ip saddr @stage1 tcp dport 22 add @stage2 {ip saddr timeout 1m}
        
        # first connection will be added to stage1 which timeout after 1 min
        ct state new tcp dport 22 add @stage1 {ip saddr timeout 1m}

        # connections match stage3 will be blocked
        ct state new ip saddr @stage3 tcp dport 22 drop
        

    }
}

Get statistics of outbound connections

Any new connection will log userid, destination address and port
Viewing statistics using: nft [-N] get ruleset, -N to do reverse DNS query of ip address

flush ruleset

table ip filter {
    set outgoing_tcp_connections {
        typeof meta skuid . ip daddr . tcp port;
        counter;
    }

    chain output {
        type filter hook output priority filter; policy accept;
        ct state new ip protocol tcp add @outgoing_tcp connections {meta skuid . ip daddr . tcp dport}
    }
}

Source Network Address Translation (SNAT)

flush ruleset
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname eth0 masquerade
    }
}

Another way to do above

flush ruleset
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname eth0 jump NAT_ETH0
    }

    chain NAT_ETH0 {
        # nat to ip of interface
        masquerade

        # can nat to specific IP instead of ip of interface
        # snat ip to 192.168.1.1

        # nat subnet to ip
        # ip saddr 192.168.0.0/24 snat ip to 192.168.1.1

        # nat subnet to ip range, interface must be assigned multiple addresses
        # ip saddr 192.168.0.0/24 snat ip to 192.168.1.1-192.168.13

        # using vmap and map ip to ip 
        # snat to ip saddr map {
        # 192.168.0.1 : 192.168.1.1,
        # 192.168.0.2 : 192.168.1.2
        # }
    }
}

Delete/Add rules

sudo nft delete rule ip nat POSTROUTING handle <rule-number>
# nft -a list ruleset: to see rule-number (handle)
sudo nft add rule ip nat POSTROUTING ip saddr 192.168.122.0/24 jump LIBVIRT_PRT

Insert rule

sudo nft insert rule ip nat POSTROUTING oifname "eth0" masquerade

Natting in load balancing way

flush ruleset

table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 192.168.0.0/24 oifname eth0 snat to numgen [random|inc] mod 3 map {
        0 : 192.168.1.1,
        1 : 192.168.1.2,
        2 : 192.168.1.3
        }
    }
}

Destination Network Address Translation (DNAT)

Change address when packets arrive at the firewall

flush ruleset

table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        # redirect port
        tcp dport 80 redirect 8080

        # dnat
        tcp dport 80 dnat to 192.168.1.1:8080

        # packet to port 80 on interface eth1 will be natted to another address and port
        iifname eth1 tcp dport 80 dnat to 192.168.1.1:8080: 
    }
}

flush ruleset

table ip nat {
    map ip_map {
        typeof tcp dport : ip daddr . tcp port
        elements = {
            80 : 192.168.1.1 . 8080,
            81 : 192.168.1.2 . 8081
        }
    }

    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        iifname eth1 dnat ip addr . port to tcp dport map @ip_map
    }
}

nft add element ip nat ip_map { 1234 : 1.1.1.1 . 1234 }: add element to the map

flush ruleset

table ip nat {
     chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        iifname eth1 fib daddr type local jump SERVICES
    }
    chain SERVICES {
        ip daddr 192.168.1.1 tcp dport 80 jump SERVER1_SVC
        ip daddr 192.168.1.2 tcp dport 80 jump SERVER2_SVC
    }
    chain SERVER1_SVC {
        ip protocol tcp dnat to 192.168.2.1:8080
    }
    chain SERVER2_SVC {
        ip protocol tcp dnat to 192.168.2.2:8080
    }
}

Change address when packets leave the firewall

flush ruleset

table ip nat {
    chain PREROUTING {
        type nat hook output priority mangle; policy accept;
        tcp dport 80 dnat to 192.168.1.1:8080
    }
}

Redirect Port

nft add table ip nat
nft add chain ip nat prerouting { type nat hook prerouting priority -100 \; }
nft add rule ip nat prerouting tcp dport 443 redirect to :8007

Above command will create the following ruleset

table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        tcp dport 443 redirect to :8007
    }
}

Reference

Protecting Incoming Traffic with Nftables

PreviousIptables NextUncomplicated Firewall (UFW)

Last updated 5 months ago