Difference between revisions of "nftables"
Latest revision as of 06:56, 22 December 2018
[https://netfilter.org/projects/nftables/ nftables] is the new firewall of the Linux kernel. It has several advantages over the existing {ip, ip6, arp, eb}tables tools:
* Only one command
* Rules that target both IPv4 and IPv6
* More concise syntax
* [https://wiki.nftables.org/wiki-nftables/index.php/Main_differences_with_iptables See details on the official wiki]
== Install ==
<syntaxhighlight lang="console">
$ sudo apt install nftables
</syntaxhighlight>
You might also want to remove <code>iptables</code>:
<syntaxhighlight lang="console">
$ sudo apt purge iptables
</syntaxhighlight>
== Configure ==

=== Create main table ===
Create file <code>/etc/nftables/main_config.conf</code>. It only fills the sets declared in <code>main.conf</code>, so this is the file to edit when you open or close a port:
<syntaxhighlight lang="sh">
# DNS
add element inet main udp_port_out { 53 }
add element inet main tcp_port_out { 53 }
# Network Time Protocol
add element inet main udp_port_out { 123 }
# OpenPGP HTTP Keyserver
add element inet main tcp_port_out { 11371 }
# SSH
add element inet main tcp_port_in { 2200 }
add element inet main tcp_port_out { 2200 }
# Web
add element inet main tcp_port_out { 80, 443 }
</syntaxhighlight>
Create file <code>/etc/nftables/main.conf</code>:
<syntaxhighlight lang="sh">
#!/usr/sbin/nft -f

add table inet main

# Ports open for any IP address
add set inet main tcp_port_out { type inet_service; }
add set inet main tcp_port_in { type inet_service; }
add set inet main udp_port_out { type inet_service; }
add set inet main udp_port_in { type inet_service; }
# Local users allowed to open new connections regardless of port
add set inet main user_out { type uid; }
add set inet main user_in { type uid; }

include "/etc/nftables/main_config.conf"

# Remove spam in logs. Get your top noise with
# grep Drop_in /var/log/syslog|sed -rn 's/.*PROTO=([A-Z]+).*DPT=([0-9]+).*/\1 \2/p'|sort|uniq -c|sort -rn
add set inet main tcp_scan_ports { type inet_service; }
add set inet main udp_scan_ports { type inet_service; }
add element inet main tcp_scan_ports {
    22,    # SSH
    23,    # Telnet
    1433,  # MS SQL Login
    8080,  # HTTP Alternate
    50661  # Apple Xsan
}
add element inet main udp_scan_ports {
    53,    # DNS
    5060,  # SIP
    53413  # https://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/
}

chain inet main input {
    # no explicit policy: the last rule of the chain drops whatever was not accepted above it
    type filter hook input priority 0;

    # accept any localhost traffic
    iif lo accept

    # accept traffic originated from us
    ct state established,related accept
    ct state invalid log prefix "Invalid_in " drop

    # accept neighbour discovery otherwise IPv6 connectivity breaks.
    ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

    # accept ping
    ip protocol icmp icmp type { echo-request } accept

    tcp dport @tcp_port_in ct state new accept
    udp dport @udp_port_in ct state new accept
    meta skuid @user_in ct state new accept

    # silently drop the ports that are scanned all the time, so they do not flood the log
    tcp dport @tcp_scan_ports drop
    udp dport @udp_scan_ports drop

    # count and drop any other traffic
    counter log prefix "Drop_in " drop
}

chain inet main output {
    type filter hook output priority 0;

    # accept any localhost traffic
    oif lo accept

    ct state established,related accept
    ct state invalid log prefix "Invalid_out " drop

    # accept neighbour discovery otherwise IPv6 connectivity breaks.
    ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

    # accept ping
    ip protocol icmp icmp type { echo-request } accept

    tcp dport @tcp_port_out ct state new accept
    udp dport @udp_port_out ct state new accept
    meta skuid @user_out ct state new accept

    # count and drop any other traffic
    counter log prefix "Drop_out " drop
}
</syntaxhighlight>
{{Warning}} Double check the SSH port (2200 in <code>main_config.conf</code> above) before activating the script.
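The comment in <code>main.conf</code> gives a shell pipeline for finding the noisiest dropped ports. The following Python script is an added example, not part of the original page, that does the same on constructed sample log lines and turns the result into <code>add element</code> lines for the <code>tcp_scan_ports</code> and <code>udp_scan_ports</code> sets; the threshold and the excluded port are assumptions.

```python
import re
from collections import Counter

# Constructed syslog lines in the netfilter log format produced by the
# log prefix "Drop_in " / "Drop_out " rules (not captured from a real host).
SAMPLE_LOG = """\
Dec 22 06:50:01 host kernel: Drop_in IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=41234 DPT=22 SYN URGP=0
Dec 22 06:50:02 host kernel: Drop_in IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=41235 DPT=22 SYN URGP=0
Dec 22 06:50:03 host kernel: Drop_in IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=51000 DPT=22 SYN URGP=0
Dec 22 06:50:04 host kernel: Drop_in IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=51001 DPT=23 SYN URGP=0
Dec 22 06:50:05 host kernel: Drop_in IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=UDP SPT=5060 DPT=5060 LEN=40
Dec 22 06:50:06 host kernel: Drop_in IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 LEN=60 PROTO=UDP SPT=5060 DPT=5060 LEN=40
Dec 22 06:50:07 host kernel: Drop_in IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40000 DPT=2200 SYN URGP=0
Dec 22 06:50:08 host kernel: Drop_in IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40001 DPT=2200 SYN URGP=0
Dec 22 06:50:09 host kernel: Drop_in IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=3 CODE=3
Dec 22 06:50:10 host kernel: Drop_out IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=60 PROTO=UDP SPT=5353 DPT=5353 LEN=40
"""

# Which chain logged the packet, its protocol and the destination port.
LOG_RE = re.compile(r"Drop_(?P<dir>in|out) .*?PROTO=(?P<proto>[A-Z0-9]+).*?DPT=(?P<dport>\d+)")

def tally(lines, direction="in"):
    """Count dropped packets per (protocol, destination port) for one chain."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("dir") == direction:  # ICMP lines have no DPT and are skipped
            counts[(m.group("proto").lower(), int(m.group("dport")))] += 1
    return counts

def scan_port_elements(counts, threshold, exclude=()):
    """Build 'add element' lines for the tcp/udp_scan_ports sets of main.conf:
    ports seen at least `threshold` times, never the ones opened on purpose
    in main_config.conf (`exclude`, e.g. the SSH port)."""
    lines = []
    for proto in ("tcp", "udp"):
        ports = sorted(port for (p, port), n in counts.items()
                       if p == proto and n >= threshold and port not in exclude)
        if ports:
            lines.append(f"add element inet main {proto}_scan_ports {{ {', '.join(str(p) for p in ports)} }}")
    return lines

if __name__ == "__main__":
    noise = tally(SAMPLE_LOG.splitlines())
    for (proto, port), n in noise.most_common(5):
        print(f"{n:6d} {proto} {port}")
    print("\n".join(scan_port_elements(noise, threshold=2, exclude={2200})))
```

Because the <code>@tcp_scan_ports drop</code> rules come after the <code>@tcp_port_in</code> accept in the input chain, a port listed in both sets is still accepted; the exclusion only keeps the drop sets honest.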
=== Activation Scripts ===

==== /etc/nftables.conf ====
Edit file <code>/etc/nftables.conf</code>:
<syntaxhighlight lang="sh">
#!/usr/sbin/nft -f

flush ruleset

include "/etc/nftables/main.conf"
</syntaxhighlight>
This file is executed when the nftables service starts. You can also execute it manually without issue; keep in mind that <code>flush ruleset</code> removes every table, including those created by other tools.
==== /etc/nftables/reload_main.conf ====
This script reloads only the main table and leaves the others untouched. The point is to integrate with tools like [[Fail2Ban]] that insert their own rules into the firewall: by reloading just the main table, you can activate your new rules without impacting Fail2Ban. Since <code>nft -f</code> applies a file as a single transaction, there is no moment where the table is missing between the delete and the re-add.

Create file <code>/etc/nftables/reload_main.conf</code>:
<syntaxhighlight lang="sh">
#!/usr/sbin/nft -f

delete table inet main

include "/etc/nftables/main.conf"
</syntaxhighlight>
and make it executable, so that the shebang line lets you run it directly:
<syntaxhighlight lang="console">
$ sudo chmod +x /etc/nftables/reload_main.conf
</syntaxhighlight>
== Test ==
Test your firewall with the following command:
<syntaxhighlight lang="console">
$ sudo -- sh -c 'nft -f /etc/nftables.conf; sleep 30; nft flush ruleset'
</syntaxhighlight>
It activates the firewall and resets it after 30 seconds, so that a mistake in the rules cannot lock you out of your machine: if your session is still alive once the ruleset is flushed, the rules are safe to enable.
== Enable ==
{{Warning}} It is recommended that you test your firewall before enabling it at boot time. An incorrectly configured firewall can lock you out of your machine.
<syntaxhighlight lang="console">
$ sudo systemctl enable nftables
</syntaxhighlight>