Nftables Cheatsheet
Table of Contents
Getting Started
Installation
On Debian/Ubuntu based systems, you should be able to install nftables by running:
sudo apt update && sudo apt install nftables
Enable And Start Nftables
sudo systemctl enable nftables
sudo systemctl start nftables
Terms
Chain "Priority"
When creating chains, you will need to assign a priority. The priority needs to be 0 or above, and chains with a lower priority get processed first. Thus, you may wish to think of it as "order" rather than "priority".
Import / Export
Import Ruleset
sudo nft --file ruleset.nft
Also, if you want to read from stdin, you can do so like so:
cat ruleset.nft | sudo nft --file -
Export
To export the rules, one can do the following:
sudo nft list ruleset > ruleset.nft
Make Rules Persistent
The rules defined within the configuration file at /etc/nftables.conf are what are used when a server restarts. Thus, we can use the export command and a few manual additions to overwrite this configuration file to make our dynamically added rules permanent like so:
# First set the shebang
echo '#!/usr/sbin/nft -f' > ruleset.nft
# Tell nftables to reset
echo "flush ruleset" >> ruleset.nft
# Add the existing rules after a spacer/newline
echo "" >> ruleset.nft
nft list ruleset >> ruleset.nft
# Overwrite the configuration file with our generated file.
mv ruleset.nft /etc/nftables.conf
List Rules In JSON Format
To list the rules in JSON format, one can do the following:
sudo nft --json list ruleset
-j instead of --json if you wish.
This will output the rules in a compressed JSON format. If you want to be able to easily be able to read/edit the rules, you can use the jq tool like so:
sudo nft --json list ruleset | jq . > ruleset.json
sudo apt install jq -y
Schema
Information about the JSON schema can be found online.
Port iptables to nftables
You can use the following command to install a porting tool
sudo apt install iptables-nftables-compat
Use the following command to create a dump/backup of your existing iptables rules
sudo iptables-save > iptables.dump
Use the porting tool we installed earlier to port the iptables rules over to nftables rules:
sudo iptables-restore-translate -f iptables.dump > ruleset.nft
Use the following command to import the nftables.
sudo nft --file ruleset.nft
--file is just -f.
Table Commands
List Tables
You can use the following command to list your tables:
sudo nft list tables
Add Table
ADDRESS_FAMILY="inet"
TABLE_NAME="my_table"
sudo nft add table $ADDRESS_FAMILY $TABLE_NAME
ADDRESS_FAMILY
Delete Table
ADDRESS_FAMILY="inet"
TABLE_NAME="my_table"
sudo nft delete table $ADDRESS_FAMILY $TABLE_NAME
ADDRESS_FAMILY
Chain Commands
Chains filter packets and live under tables. You attach each rule to a chain so that packets are caught in the chains filter and are subsequently passed to the chain's rules.
Create Base Chain
Base chains act as entry points for packets coming from the network stack.
ADDRESS_FAMILY="inet"
TABLE_NAME="my_table"
CHAIN_NAME="my_chain"
TYPE="filter"
HOOK="input"
PRIORITY=0
sudo nft add chain $ADDRESS_FAMILY $TABLE_NAME $CHAIN_NAME '{type $TYPE hook $HOOK priority $PRIORITY; }'
Create Regular Chain
Regular chains do not act as filters, but can act as jump targets. They can help with controlling the flow and organization of your nftables.
ADDRESS_FAMILY="inet"
TABLE_NAME="my_table"
CHAIN_NAME="my_chain"
sudo nft add chain $ADDRESS_FAMILY $TABLE_NAME $CHAIN_NAME
Nftables Families
Netfilter enables filtering at multiple networking levels. With iptables there is a separate tool for each level: iptables, ip6tables, arptables, ebtables. With nftables the multiple networking levels are abstracted into families, all of which are served by the single tool nft. The following are descriptions of current nftables families, but additional families may be added in the future.
ip- Tables of this family see IPv4 traffic/packets. The iptables tool is the legacy x_tables equivalent.
ip6- Tables of this family see IPv6 traffic/packets. The ip6tables tool is the legacy x_tables equivalent.
inet- Tables of this family see both IPv4 and IPv6 traffic/packets, simplifying dual stack support.
arp- Tables of this family see ARP-level (i.e, L2) traffic, before any L3 handling is done by the kernel. The arptables tool is the legacy x_tables equivalent.
bridge- Tables of this family see traffic/packets traversing bridges (i.e. switching). No assumptions are made about L3 protocols.
netdev- The netdev family is different from the others in that it is used to create base chains attached to a single network interface. Such base chains see all network traffic on the specified interface, with no assumptions about L2 or L3 protocols. Therefore you can filter ARP traffic from here. There is no legacy x_tables equivalent to the netdev family.
Nftables and Docker
Docker manipulates iptables for the networking to "magically" work. It is currently configured to only work with iptables and not nftables. However you may be able to work around this. Please refer to the following resources:
- Unix & Linux - nftables whitelisting docker
- GitHub Gist - Not happy with Docker modifying your precious firewall rules?
- GitHub alexandre-khoury/blog - How to manage Docker's firewall manually with nftables
As others have pointed out, it is probably easiest to leave nftables out of the server running docker, and have an external firewall service that you use to manage the traffic going into and out of your server.
References
- Linode - Get Started with nftables
- Nftables wiki
- Nftables man page
- Linux Audit - Exporting nftables rules and configuration
First published: 20th April 2022