Nftables

Introduction

Successor to iptables

Commands

nft list ruleset
nft -a list ruleset: list with handle to use for other delete and add commands
nft -i: interactive mode
sysctl -w net.ipv4.conf.all.log_matians=1: log kernel packet
- view by: tail -f /var/log/kern.log
sysctl -w net.ipv4.conf.all.route_localnet=1: allow routing to 127.0.0.x address

Chains

Rule action:
- drop: silently drop traffic
- reject: response to client with icmp message
- accept: accept traffic
- jump: Jump to chain and go back to this position
- goto: goto chain and will not go back

# policy.nft
flush ruleset
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        tcp port counter jump CHAIN1
        tcp port counter goto CHAIN2
        ip protocol tcp counter jump CHAIN_TCP
        ip protocol udp counter jump CHAIN_UDP
        ip protocol icmp counter jump CHAIN_ICMP
    }

    chain CHAIN1 {
        counter
    }

    chain CHAIN2 {
        counter
    }

     chain CHAIN_TCP {
        counter accept
    }

    chain CHAIN_UDP {
        counter accept
    }

    chain CHAIN_ICMP {
        counter accept
    }
}

VMAP

flush ruleset
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        ip protocol vmap {
            tcp : jump CHAIN_TCP,
            udp : jump CHAIN_UDP,
            icmp : jump CHAIN_ICMP
        }
    }
    
    chain CHAIN_TCP {
        counter accept
    }

    chain CHAIN_UDP {
        counter accept
    }

    chain CHAIN_ICMP {
        counter accept
    }
}

flush ruleset
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        iifname . ip protocol vmap {
            eth0 . tcp : jump ETH0_CHAIN_TCP,
            eth0 . udp : jump ETH0_CHAIN_UDP,
            eth1 . icmp : jump ETH1_CHAIN_ICMP
        }
    }
    
    chain ETH0_CHAIN_TCP {
        counter accept
    }

    chain ETH0_CHAIN_UDP {
        counter accept
    }

    chain ETH1_CHAIN_ICMP {
        counter accept
    }
}

flush ruleset
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        ct state vmap { established : accept, related: accept, invalid : drop}
        # ct state established, related accept
        # ct state invalid drop
    }
}

Set

    set allowed_ips {
        typeof ip saddr
        
        # allow adding prefix elements using: nft add element ip filter allowed_ips { 192.168.1.0/24 }
        flags interval
        # with constant, not allow to modify
        # flags interval, constant

        # auto combine ip address in elements such as 192.168.1.1 and 192.168.1.0/24 to 192.168.1.0/24
        auto-merge

        elements = {192.168.1.1, 192.168.1.2}
    }

nft add element ip filter allowed_ips { 192.16.1.1 - 192.168.1.10}: add a range to set

Configure firewall policies

load configuration: nft -f input.nft
Command to monitor:
- conntrack -L: list connection state table
- conntrack -L -p icmp: list icmp packets

Input Chain

# input.nft
# Remove all rule
flush ruleset

table ip filter {
    counter cnt_http {
    }

    counter cnt_ftp {
    }

    set allowed_ips {
        typeof ip saddr
        elements = {192.168.1.1, 192.168.1.2}
    }

    set allowed_ips_port {
        typeof ip saddr . tcp dport 21
        elements = {192.168.1.1 . 21, 192.168.1.2 . 21}
    }
    chain input {
        #default policy, if no packet matches
        type filter hook input priority filter; policy accept;

        # Allow outgoing packet from the server to return
        ct state established, related counter accept
        
        # Drop invalid packet
        ct state invalid counter drop
        
        # allow packets to loopback interface
        iif lo counter accept
        
        # accept connection on port 22
        tcp dport 22 accept
        # can use counter to count number of packets match
        # tcp dport 22 counter accept
        # or just access new connection on port 22
        # ct state new tcp dport 22 counter accept, next packet will be handle by ct state established, related above
        
        # log counter using cnt_http counter, allow source ip and combine both ports
        ct state new ip saddr {192.168.1.1, 192.168.1.2} tcp dport {80, 8080} counter name "cnt_http" accept
        # or similar to above, but use set
        # ct state new ip saddr @allowed_ips tcp dport {80, 8080} counter name "cnt_ftp" accept

        # allow IP to specific port
        ct state new ip saddr . tcp dport @_allowed_ips_port counter name "cnt_http" accept
        
        # drop unmatched traffic, and count packets
        counter drop
    }
}

Block traffic after 3 attempts

flush ruleset
table ip filter{
    set stage1 {
        typeof ip saddr
        flags timeout
    }
    
    set stage2 {
        typeof ip saddr
        flags timeout
    }

    set stage3 {
        typeof ip saddr
        flags timeout
    }
    chain input {
        type filter hook input priority filter; policy accept;
        ct state related, established accept
        ct state new ip saddr 192.168.1.1 tcp dport 22 accept

        # thrid connection will be added to stage1 which timeout after 1d
        ct state new ip saddr @stage2 tcp dport 22 add @stage3 {ip saddr timeout 1d}

        # second connection will be added to stage1 which timeout after 1 min
        ct state new ip saddr @stage1 tcp dport 22 add @stage2 {ip saddr timeout 1m}
        
        # first connection will be added to stage1 which timeout after 1 min
        ct state new tcp dport 22 add @stage1 {ip saddr timeout 1m}

        # connections match stage3 will be blocked
        ct state new ip saddr @stage3 tcp dport 22 drop
        

    }
}

Get statistics of outbound connections

Any new connection will log userid, destination address and port
Viewing statistics using: nft [-N] get ruleset, -N to do reverse DNS query of ip address

flush ruleset

table ip filter {
    set outgoing_tcp_connections {
        typeof meta skuid . ip daddr . tcp port;
        counter;
    }

    chain output {
        type filter hook output priority filter; policy accept;
        ct state new ip protocol tcp add @outgoing_tcp connections {meta skuid . ip daddr . tcp dport}
    }
}

Source Network Address Translation (SNAT)

flush ruleset
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname eth0 masquerade
    }
}

Another way to do above

flush ruleset
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname eth0 jump NAT_ETH0
    }

    chain NAT_ETH0 {
        # nat to ip of interface
        masquerade

        # can nat to specific IP instead of ip of interface
        # snat ip to 192.168.1.1

        # nat subnet to ip
        # ip saddr 192.168.0.0/24 snat ip to 192.168.1.1

        # nat subnet to ip range, interface must be assigned multiple addresses
        # ip saddr 192.168.0.0/24 snat ip to 192.168.1.1-192.168.13

        # using vmap and map ip to ip 
        # snat to ip saddr map {
        # 192.168.0.1 : 192.168.1.1,
        # 192.168.0.2 : 192.168.1.2
        # }
    }
}

Delete/Add rules

sudo nft delete rule ip nat POSTROUTING handle <rule-number>
# nft -a list ruleset: to see rule-number (handle)
sudo nft add rule ip nat POSTROUTING ip saddr 192.168.122.0/24 jump LIBVIRT_PRT

Insert rule

sudo nft insert rule ip nat POSTROUTING oifname "eth0" masquerade

Natting in load balancing way

flush ruleset

table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 192.168.0.0/24 oifname eth0 snat to numgen [random|inc] mod 3 map {
        0 : 192.168.1.1,
        1 : 192.168.1.2,
        2 : 192.168.1.3
        }
    }
}

Destination Network Address Translation (DNAT)

Change address when packets arrive at the firewall

flush ruleset

table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        # redirect port
        tcp dport 80 redirect 8080

        # dnat
        tcp dport 80 dnat to 192.168.1.1:8080

        # packet to port 80 on interface eth1 will be natted to another address and port
        iifname eth1 tcp dport 80 dnat to 192.168.1.1:8080: 
    }
}

flush ruleset

table ip nat {
    map ip_map {
        typeof tcp dport : ip daddr . tcp port
        elements = {
            80 : 192.168.1.1 . 8080,
            81 : 192.168.1.2 . 8081
        }
    }

    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        iifname eth1 dnat ip addr . port to tcp dport map @ip_map
    }
}

nft add element ip nat ip_map { 1234 : 1.1.1.1 . 1234 }: add element to the map

flush ruleset

table ip nat {
     chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        iifname eth1 fib daddr type local jump SERVICES
    }
    chain SERVICES {
        ip daddr 192.168.1.1 tcp dport 80 jump SERVER1_SVC
        ip daddr 192.168.1.2 tcp dport 80 jump SERVER2_SVC
    }
    chain SERVER1_SVC {
        ip protocol tcp dnat to 192.168.2.1:8080
    }
    chain SERVER2_SVC {
        ip protocol tcp dnat to 192.168.2.2:8080
    }
}

Change address when packets leave the firewall

flush ruleset

table ip nat {
    chain PREROUTING {
        type nat hook output priority mangle; policy accept;
        tcp dport 80 dnat to 192.168.1.1:8080
    }
}

Redirect Port

nft add table ip nat
nft add chain ip nat prerouting { type nat hook prerouting priority -100 \; }
nft add rule ip nat prerouting tcp dport 443 redirect to :8007

Above command will create the following ruleset

table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        tcp dport 443 redirect to :8007
    }
}

Reference

Protecting Incoming Traffic with Nftables

PreviousIptables NextUncomplicated Firewall (UFW)

Last updated 7 months ago

hashtagIntroduction

hashtagCommands

hashtagChains

hashtagVMAP

hashtagSet

hashtagConfigure firewall policies

hashtagInput Chain

hashtagBlock traffic after 3 attempts

hashtagGet statistics of outbound connections

hashtagSource Network Address Translation (SNAT)

hashtagNatting in load balancing way

hashtagDestination Network Address Translation (DNAT)

hashtagChange address when packets arrive at the firewall

hashtagChange address when packets leave the firewall

hashtagRedirect Port

hashtagReference

Introduction

Commands

Chains

VMAP

Set

Configure firewall policies

Input Chain

Block traffic after 3 attempts

Get statistics of outbound connections

Source Network Address Translation (SNAT)

Natting in load balancing way

Destination Network Address Translation (DNAT)

Change address when packets arrive at the firewall

Change address when packets leave the firewall

Redirect Port

Reference