Difference between revisions of "nftables"

From wiki
(Add dropped port for MS SQL)
m (https links)
 
(4 intermediate revisions by the same user not shown)
Line 3: Line 3:
 
* Rules that target both IPV4 and IPV6
 
* Rules that target both IPV4 and IPV6
 
* More concise syntax
 
* More concise syntax
* [http://wiki.nftables.org/wiki-nftables/index.php/Main_differences_with_iptables See details on the official wiki]
+
*[https://wiki.nftables.org/wiki-nftables/index.php/Main_differences_with_iptables See details on the official wiki]
 
 
== Prerequisite ==
 
 
 
If you are running Debian Jessie, it is recommended to install the [[Kernel from Jessie Backports|kernel from Jessie Backports]].
 
  
 
== Install ==
 
== Install ==
 
<syntaxhighlight lang="console">
 
<syntaxhighlight lang="console">
# apt install nftables
+
$ sudo apt install nftables
 
</syntaxhighlight>You might also want to remove <code>iptables</code><syntaxhighlight lang="console">
 
</syntaxhighlight>You might also want to remove <code>iptables</code><syntaxhighlight lang="console">
# apt purge iptables
+
$ sudo apt purge iptables
 
</syntaxhighlight>
 
</syntaxhighlight>
  
Line 19: Line 15:
  
 
=== Create main table ===
 
=== Create main table ===
Create file <code>/etc/nftables/main.conf</code><syntaxhighlight lang="sh">
+
Create file <code>/etc/nftables/main_config.conf</code><syntaxhighlight lang="sh">
#!/usr/sbin/nft -f
 
 
 
add table inet main
 
 
 
#Ports open for any IP address
 
add set  inet main  tcp_port_out { type inet_service; }
 
add set  inet main  tcp_port_in { type inet_service; }
 
add set  inet main  udp_port_out { type inet_service; }
 
add set  inet main  udp_port_in { type inet_service; }
 
 
 
 
# DNS
 
# DNS
 
add element  inet main  udp_port_out { 53 }
 
add element  inet main  udp_port_out { 53 }
Line 42: Line 28:
 
# Web
 
# Web
 
add element  inet main  tcp_port_out { 80, 443 }
 
add element  inet main  tcp_port_out { 80, 443 }
 +
</syntaxhighlight>Create file <code>/etc/nftables/main.conf</code><syntaxhighlight lang="sh">
 +
#!/usr/sbin/nft -f
 +
 +
add table inet main
 +
 +
#Ports open for any IP address
 +
add set  inet main  tcp_port_out { type inet_service; }
 +
add set  inet main  tcp_port_in { type inet_service; }
 +
add set  inet main  udp_port_out { type inet_service; }
 +
add set  inet main  udp_port_in { type inet_service; }
 +
add set  inet main  user_out { type uid; }
 +
add set  inet main  user_in { type uid; }
 +
 +
include "/etc/nftables/main_config.conf"
  
 
# Remove spam in logs. Get your top noise whith
 
# Remove spam in logs. Get your top noise whith
Line 50: Line 50:
 
22, # SSH
 
22, # SSH
 
23, # Telnet
 
23, # Telnet
1433 # MS SQL Login
+
1433, # MS SQL Login
 +
8080, # HTTP Alternate
 +
50661 # Apple Xsan
 
}
 
}
 
add element  inet main  udp_scan_ports {
 
add element  inet main  udp_scan_ports {
 
53, # DNS
 
53, # DNS
 
5060, # SIP
 
5060, # SIP
53413 # http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/
+
53413 # https://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/
 
}
 
}
  
Line 76: Line 78:
 
         tcp  dport @tcp_port_in  ct state new  accept
 
         tcp  dport @tcp_port_in  ct state new  accept
 
         udp  dport @udp_port_in  ct state new  accept
 
         udp  dport @udp_port_in  ct state new  accept
 +
        meta skuid @user_in  ct state new  accept
  
 
         tcp dport @tcp_scan_ports drop
 
         tcp dport @tcp_scan_ports drop
Line 101: Line 104:
 
         tcp  dport @tcp_port_out  ct state new accept
 
         tcp  dport @tcp_port_out  ct state new accept
 
         udp  dport @udp_port_out  ct state new accept
 
         udp  dport @udp_port_out  ct state new accept
 +
        meta skuid @user_out  ct state new  accept
  
 
         counter  log prefix "Drop_out "  drop
 
         counter  log prefix "Drop_out "  drop
Line 127: Line 131:
 
include "/etc/nftables/main.conf"
 
include "/etc/nftables/main.conf"
 
</syntaxhighlight>and make it executable<syntaxhighlight lang="console">
 
</syntaxhighlight>and make it executable<syntaxhighlight lang="console">
# chmod +x /etc/nftables/reload_main.conf
+
$ sudo chmod +x /etc/nftables/reload_main.conf
 
</syntaxhighlight>
 
</syntaxhighlight>
  
 
== Test ==
 
== Test ==
 
Test your firewall with the following command<syntaxhighlight lang="console">
 
Test your firewall with the following command<syntaxhighlight lang="console">
# /etc/nftables.conf; sleep 30; nft flush ruleset
+
$ sudo -- sh -c 'nft -f /etc/nftables.conf; sleep 30; nft flush ruleset'
 
</syntaxhighlight>It will activate the firewall and reset it after 30 seconds. It allows you to not lock yourself out of your machine.
 
</syntaxhighlight>It will activate the firewall and reset it after 30 seconds. It allows you to not lock yourself out of your machine.
  
 
== Enable ==
 
== Enable ==
 
{{Warning}}It is recommended that you test your firewall before enabling it at boot time. An incorrectly configured firewall can lock you out of your machine.<syntaxhighlight lang="console">
 
{{Warning}}It is recommended that you test your firewall before enabling it at boot time. An incorrectly configured firewall can lock you out of your machine.<syntaxhighlight lang="console">
# systemctl enable nftables
+
$ sudo systemctl enable nftables
</syntaxhighlight>It the script output <code>update-rc.d: error: nftables Default-Start contains no runlevels, aborting.</code>, don’t worry. The firewall is correctly enabled in systemd. This is bug [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804648 #804648].
+
</syntaxhighlight>
 
[[Category:Debian Release]]
 
[[Category:Debian Release]]
 
[[Category:Linux Desktop]]
 
[[Category:Linux Desktop]]
 
[[Category:Linux Server]]
 
[[Category:Linux Server]]
 +
[[Category:nftables]]

Latest revision as of 06:56, 22 December 2018

nftables is the new firewall of the linux kernel. It has several advantages over the existing {ip, ip6, arp,eb}tables:

Install

$ sudo apt install nftables

You might also want to remove iptables

$ sudo apt purge iptables

Configure

Create main table

Create file /etc/nftables/main_config.conf

# DNS
add element  inet main  udp_port_out { 53 }
add element  inet main  tcp_port_out { 53 }
# Network Time Protocol
add element  inet main  udp_port_out { 123 }
# OpenPGP HTTP Keyserver
add element  inet main  tcp_port_out { 11371 }
# SSH
add element  inet main  tcp_port_in { 2200 }
add element  inet main  tcp_port_out { 2200 }
# Web
add element  inet main  tcp_port_out { 80, 443 }

Create file /etc/nftables/main.conf

#!/usr/sbin/nft -f

add table inet main

#Ports open for any IP address
add set  inet main  tcp_port_out { type inet_service; }
add set  inet main  tcp_port_in { type inet_service; }
add set  inet main  udp_port_out { type inet_service; }
add set  inet main  udp_port_in { type inet_service; }
add set  inet main  user_out { type uid; }
add set  inet main  user_in { type uid; }

include "/etc/nftables/main_config.conf"

# Remove spam in logs. Get your top noise whith
# grep Drop_in /var/log/syslog|sed -r 's/.*?PROTO=([A-Z]+).*?DPT=([0-9]+).*/\1 \2/'|sort|uniq -c|sort -rn
add set  inet main  tcp_scan_ports { type inet_service; }
add set  inet main  udp_scan_ports { type inet_service; }
add element  inet main  tcp_scan_ports {
22, # SSH
23, # Telnet
1433, # MS SQL Login
8080, # HTTP Alternate
50661 # Apple Xsan
}
add element  inet main  udp_scan_ports {
53, # DNS
5060, # SIP
53413 # https://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/
}

chain inet main input {
        type filter  hook input  priority 0;

        # accept any localhost traffic
        iif lo  accept

        # accept traffic originated from us
        ct state established,related  accept
        ct state invalid  log prefix "Invalid_in "  drop

        # accept neighbour discovery otherwise IPv6 connectivity breaks.
        ip6 nexthdr icmpv6  icmpv6 type { nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert }  accept

        # accept ping
        ip protocol icmp  icmp type { echo-request }  accept

        tcp  dport @tcp_port_in  ct state new  accept
        udp  dport @udp_port_in  ct state new  accept
        meta skuid @user_in  ct state new  accept

        tcp dport @tcp_scan_ports drop
        udp dport @udp_scan_ports drop

        # count and drop any other traffic
        counter  log prefix "Drop_in "  drop
}

chain inet main output {
        type filter  hook output  priority 0;

        # accept any localhost traffic
        oif lo  accept

        ct state established,related  accept
        ct state invalid  log prefix "Invalid_out "  drop

        # accept neighbour discovery otherwise IPv6 connectivity breaks.
        ip6 nexthdr icmpv6  icmpv6 type { nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert }  accept

        # accept ping
        ip protocol icmp  icmp type { echo-request }  accept

        tcp  dport @tcp_port_out  ct state new accept
        udp  dport @udp_port_out  ct state new accept
        meta skuid @user_out  ct state new  accept

        counter  log prefix "Drop_out "  drop
}

Warning Warning: Double check the port for SSH before activating the script.

Activation Scripts

/etc/nftables.conf

Edit file /etc/nftables.conf

#!/usr/sbin/nft -f

flush ruleset

include "/etc/nftables/main.conf"

This file is executed when you start nftables. You can also manually execute it without issue.

/etc/nftables/reload_main.conf

This script is used to reload only the main table without the others. The point is to integrate with tools like Fail2Ban which are inserting rules in the firewall. By reloading just the main table, you can activate your new rules without impacting Fail2Ban.

Create file /etc/nftables/reload_main.conf

#!/usr/sbin/nft -f

delete table inet main

include "/etc/nftables/main.conf"

and make it executable

$ sudo chmod +x /etc/nftables/reload_main.conf

Test

Test your firewall with the following command

$ sudo -- sh -c 'nft -f /etc/nftables.conf; sleep 30; nft flush ruleset'

It will activate the firewall and reset it after 30 seconds. It allows you to not lock yourself out of your machine.

Enable

Warning Warning: It is recommended that you test your firewall before enabling it at boot time. An incorrectly configured firewall can lock you out of your machine.

$ sudo systemctl enable nftables