Linux Firewalls: The Modern NFTable Firewall

Cybersecurity InfoSec Linux

Welcome back, my aspiring cyberwarriors!

Firewalls play a key role in cybersecurity as they can filter out unwanted and malicious traffic from your network. Although firewalls will not make your network impenetrable, they will make it much more difficult for attackers to find and access your network.

Many companies sell excellent products, some costing tens of thousands of dollars. Some of these vendors include;

Fortinet

Cisco

Palo Alto Networks

Checkpoint Systems

and many more. These are excellent devices but for the small business or home office on a limited budget, you can create a firewall with Linux at little or no additional cost. We have provided you tutorials on using iptables and ufw to create a firewall. In this tutorial we will show you have to create a very effective firewall using a more modern approach, nftables.

Linux has many firewalls that can protect your computer system without costing a lot of money. These firewalls are just as good as commercial and you only need to know a little bit about them to use. Firewalls are important for keeping your computer safe from hackers and other threats.

A firewall is a subsystem on a computer that blocks certain network traffic from going into or out of a computer. Firewalls can be either software or hardware based. Hardware based firewalls generally are used to protect a network and the computers on it, while a software-based firewall protects on the system hosting it.

Nftables is a Linux packet classification framework that replaces the netfilter infrastructure behind iptables, ip6tables, arptables, and ebtables. Frameworks using the legacy netfilter infrastructure are being phased out of the major Linux distributions. These frameworks have begun to adopt nftables as the default packet classification framework.

Despite the ubiquity of iptables, its architecture has several underlying limitations and inefficiencies, and these could only be resolved with a fundamental redesign. That redesign is what nftables set out to accomplish.

Nftables Basics

The structure of nftables is a hierarchical one, consisting of tables, chains, and rules.

Tables

Tables are the highest level of the nftables hierarchy. A given table corresponds to a single address family and contains chains that filter packets in that address family. For example, the ip table filters IPv4 traffic, and the ip6 table filters IPv6 traffic.

Chains

Chains live under tables and filter packets. Chains are containers for rules. You attach each nftables rule to a chain so that packets “caught” in the chain’s filter are subsequently passed to the chain’s rules.

Rules

Rules are the basic building blocks of nftables. Rules receive the packets filtered by chains and take actions on them based on whether they match particular criteria.

Step # 1: Installing Nftables

In Kali Linux, nftables is installed by default, but if for some reason your system doesn’t have nftables installed, or you’re using another distribution, you can download it from the Kali repository.

kali > sudo apt install nftables

Step # 2: Create some rules

Let’s create some rules. Let’s assume that you want to block any packets coming from IP address 192.168.0.103. To create this rule, we simply do the following:

Create the filter table

kali> sudo nft add table ip filter

add table: This command adds a new table to the nftables configuration.

ip: This indicates that the table should be created in the IP family, which is used for filtering IPv4 and IPv6 traffic.

filter: This is the name of the table to be created. The filter table is the default table for filtering traffic, and it is typically used for blocking or allowing specific IP addresses or ports.

Create the input and output chain

kali > sudo nft add chain ip filter input { type filter hook input priority 0\; policy drop\; \}

kali > sudo nft add chain ip filter output { type filter hook output priority 0\; policy drop\; \}

 

add chain: This command instructs nftables to create a new chain within an existing table.

ip filter input/output: This specifies the table and chain to which the new chain will be added. “ip” indicates the IP family, which is used for filtering both IPv4 and IPv6 traffic. “filter” is the name of the table, and input/output is the name of the chain to be created.

type filter: This specifies that the chain’s type is filter,indicating that it will be used for filtering network traffic based on various criteria.

hook input: This defines the hook associated with the chain. The input/output hook indicates that the chain will be applied to incoming/outgoing traffic.

priority 0: Chains with lower priorities are evaluated before those with higher priorities.

policy drop: This defines the default policy for the chain. The “policy drop” statement indicates that any packet that does not match any other rule in the chain will be dropped and discarded.

Add the rule to block the IP address:

kali> sudo nft add rule ip filter input ip saddr 192.168.0.103 drop

add rule: This keyword is used to add a new rule to the nftables firewall.

ip: This keyword specifies that the rule applies to the IP.

filter: This is the name of the table to which the rule will be added

input: This is the name of the chain to which the rule will be added

ip saddr 192.168.0.103: This is the match criteria for the rule. This part of the rule specifies that the rule should match any packet where the source IP address is 192.168.0.103.

drop: This is the verdict for the rule. This part of the rule specifies that any packet that matches the match criteria should be dropped.

We can also do the same for the entire sub-network by using CIDR notation or 192.168.0.0/24

kali> sudo nft add rule ip filter input ip saddr 192.168.0.0/24 drop

If we want to DROP packets destined for a particular port, we can use TCP/UDP “dport” option followed by the port.

kali> sudo nft add rule ip filter input tcp dport 22 drop

If we wanted to accept connections to the website www.amazon.com, we could build a rule that accept outgoing connection (output) to amazon.com (ip daddr 52.94.236.248).

Nftables cannot directly use domain names in its rules.

kali> sudo nft add rule ip filter output ip daddr 52.94.236.248 accept

If we wanted to block access to any other websites, we could create the following two rules:

kali> sudo nft add rule ip filter output tcp dport 80 reject

kali> sudo nft add rule ip filter output tcp dport 443 reject

 

Finally, we can list all our rules:

kali> sudo nft list ruleset

To delete a a table and start over:

kali> sudo nft delete table <table_name>

Deleting a table removes all chains and rules within that table.

Summary:

Nftables is a more powerful and flexible firewall tool than iptables. It is a good choice for Linux practitioner and cybersecurity professional who needs to manage complex network traffic environments.

With a just a bit of knowledge and practice, they can create an effective firewall rivaling the more expensive and complex commercial products costing tens of thousands of dollars.