nftables on Debian Stretch.

Hi all.
Iptables is over, time for nftables.
I lost too many hours traying implement nftables on Stretch.
Not intended for servers, with rules to be loaded at boot, before network card starts.
For iptables there is a fantastic TUTORIAL done by "amarildojr" https://www.wilderssecurity.com/threads/tutorial-expert-linux-firewalling.376935/
Could anybody do the some for nftables?
With other words, how to translate this script on to nftables:

Code:

# Drop everything
iptables -P OUTPUT  DROP
iptables -P INPUT   DROP
iptables -P FORWARD DROP

# Drop everything IPv6
ip6tables -P OUTPUT  DROP
ip6tables -P INPUT   DROP
ip6tables -P FORWARD DROP

# drop TCP sessions opened prior firewall restart
iptables -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A OUTPUT  -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP

# drop packets that do not match any valid state and log them
iptables -N drop_invalid
iptables -A OUTPUT   -m state --state INVALID  -j drop_invalid
iptables -A INPUT    -m state --state INVALID  -j drop_invalid
iptables -A INPUT -p tcp -m tcp --sport 1:65535 --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j drop_invalid
iptables -A drop_invalid -j LOG --log-level debug --log-prefix "INVALID state -- DENY "
iptables -A drop_invalid -j DROP

# anti-spoof
iptables -N In_RULE_0
iptables -A INPUT -i enp3s0   -s amarildo   -j In_RULE_0
iptables -A In_RULE_0  -j LOG  --log-level info --log-prefix "RULE 0 -- DENY "
iptables -A In_RULE_0  -j DROP

# ICMP Block - Log
iptables -N In_RULE_1
iptables -A INPUT -p icmp  -m icmp  --icmp-type any  -j In_RULE_1
iptables -A In_RULE_1  -j LOG  --log-level info --log-prefix "RULE 1 -- DENY "
iptables -A In_RULE_1  -j DROP

# Whois - Block - Log
iptables -N In_RULE_2
iptables -A INPUT -p tcp -m tcp  --dport 43  -j In_RULE_2
iptables -A In_RULE_2  -j LOG  --log-level info --log-prefix "RULE 2 -- DENY "
iptables -A In_RULE_2  -j DROP

# xmas-scan - Block - Log
iptables -N In_RULE_3
iptables -A INPUT -p tcp -m tcp   --tcp-flags ALL URG,PSH,FIN  -j In_RULE_3
iptables -A In_RULE_3  -j LOG  --log-level info --log-prefix "RULE 3 -- DENY "
iptables -A In_RULE_3  -j DROP

# xmas-scan-full - Block - Log
iptables -N In_RULE_4
iptables -A INPUT -p tcp -m tcp   --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN  -j In_RULE_4
iptables -A In_RULE_4  -j LOG  --log-level info --log-prefix "RULE 4 -- DENY "
iptables -A In_RULE_4  -j DROP

# IP fragments - BLock - Log
iptables -N In_RULE_5
iptables -A INPUT -p all  -f   -j In_RULE_5
iptables -A In_RULE_5  -j LOG  --log-level info --log-prefix "RULE 5 -- DENY "
iptables -A In_RULE_5  -j DROP

# who - Block - Log
iptables -N In_RULE_6
iptables -A INPUT -p udp -m udp  --dport 513  -j In_RULE_6
iptables -A In_RULE_6  -j LOG  --log-level info --log-prefix "RULE 6 -- DENY "
iptables -A In_RULE_6  -j DROP

# traceroute - Block - Log
iptables -N In_RULE_7
iptables -A INPUT -p udp -m udp  --dport 33434:33524  -j In_RULE_7
iptables -A In_RULE_7  -j LOG  --log-level info --log-prefix "RULE 7 -- DENY "
iptables -A In_RULE_7  -j DROP

# ESTABLISHED,RELATED
iptables -A INPUT  -m state --state ESTABLISHED,RELATED  -j ACCEPT

# allow all on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#(INVALID OUT)
iptables -A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP

# ESTABLISHED,RELATED (OUT)
iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED  -j ACCEPT

# DNS
iptables -A OUTPUT -p udp -m udp  --dport 53  -m state --state NEW  -j ACCEPT

# FTP
iptables -A OUTPUT -p tcp -m tcp  --dport 21  -m state --state NEW  -j ACCEPT

# SMTP
iptables -A OUTPUT -p tcp -m tcp  --dport 25  -m state --state NEW  -j ACCEPT

# http
iptables -A OUTPUT -p tcp -m tcp  --dport 80  -m state --state NEW  -j ACCEPT

# POP3
iptables -A OUTPUT -p tcp -m tcp  --dport 110  -m state --state NEW  -j ACCEPT

# IMAP
iptables -A OUTPUT -p tcp -m tcp  --dport 143  -m state --state NEW  -j ACCEPT

# https
iptables -A OUTPUT -p tcp -m tcp  --dport 443  -m state --state NEW  -j ACCEPT

# SMTPS
iptables -A OUTPUT -p tcp -m tcp  --dport 465  -m state --state NEW  -j ACCEPT

# KMail
iptables -A OUTPUT -p tcp -m tcp  --dport 993  -m state --state NEW  -j ACCEPT

# OpenVPN
iptables -A OUTPUT -p udp -m udp  --dport 1194  -m state --state NEW  -j ACCEPT

# KTorrent
iptables -A OUTPUT -p tcp -m tcp  --dport 6881  -m state --state NEW  -j ACCEPT
iptables -A OUTPUT -p udp -m udp  --dport 6881  -m state --state NEW  -j ACCEPT
iptables -A OUTPUT -p udp -m udp  --dport 8881  -m state --state NEW  -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp  --dport 8881  -m state --state NEW  -j ACCEPT
iptables -A OUTPUT -p udp -m udp  --dport 7881  -m state --state NEW  -j ACCEPT

# TerraSync
iptables -A OUTPUT -p tcp -m tcp  --dport 8888  -m state --state NEW  -j ACCEPT

# Git
iptables -A OUTPUT -p tcp -m tcp  --dport 9418  -m state --state NEW  -j ACCEPT

# Steam
iptables -A OUTPUT -p udp -m multiport --dports 27000:27015 -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dports 27015:27030 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 27014:27050 -j ACCEPT
iptables -A OUTPUT -p udp --dport 1200 -j ACCEPT
iptables -A OUTPUT -p udp --dport 3478 -j ACCEPT
iptables -A OUTPUT -p udp --dport 4379 -j ACCEPT
iptables -A OUTPUT -p udp --dport 4380 -j ACCEPT

# SVN
iptables -A OUTPUT -p tcp -m tcp  --dport 3690  -m state --state NEW  -j ACCEPT

# DHCP Client
iptables -A OUTPUT -p udp --sport 67 --dport 68 -j ACCEPT

# ALL UDP
iptables -N RULE_21
iptables -A OUTPUT -p udp -m udp  -j RULE_21
iptables -A INPUT -p udp -m udp  -j RULE_21
iptables -A RULE_21  -j LOG  --log-level info --log-prefix "RULE 21 -- DENY "
iptables -A RULE_21  -j DROP

# ALL TCP
iptables -N RULE_22
iptables -A OUTPUT -p tcp -m tcp  -j RULE_22
iptables -A INPUT -p tcp -m tcp  -j RULE_22
iptables -A RULE_22  -j LOG  --log-level info --log-prefix "RULE 22 -- DENY "
iptables -A RULE_22  -j DROP

# All other attempts are denied and logged
iptables -N RULE_23
iptables -A OUTPUT  -d amarildo   -j RULE_23
iptables -A INPUT  -j RULE_23
iptables -A RULE_23  -j LOG  --log-level info --log-prefix "RULE 23 -- DENY "
iptables -A RULE_23  -j DROP

I would appreciate any help.
Regards.
Mark.

 

Hello,

Unfortunately the task of translating every rule from iptables to nftalbes is pretty tough, considering the size of the ruleset I've created. And while I don't have the time to do it anymore, I'd suggest taking a look in this Wiki page, it's certainly a good start.

Regards,
Amarildo

 

Hi all.


Iptables is over, time for UFW, or GUFW.

https://doc.ubuntu-fr.org/ufw

https://doc.ubuntu-fr.org/gufw

 

Not really. ufw is actually a frontend for iptables, and GUFW is a GUI for ufw.

 

@MarkKx , @amarildojr

There is an easy way to translate most of your rules.
Translate your iptables rules from a web app

Panagiotis

 

https://doc.ubuntu-fr.org/ufw

" UFW est un nouvel outil de configuration simplifié en ligne de commande de Netfilter, "


You dont speak french ?.... the firewall is Netfilter, the frontend UFW, and GUFW the GUI of UFW, Iptables ?...outdated, obsolete.

 

My French is a bit dusty

The English Ubuntu wiki site says:

The manpage says:

And I say :
iptables is a userspace program to configure the tables (which contain chains and rules) provided by the firewall in the Linux kernel which in turn consists of various netfilter modules. And ufw is the frontend for iptables - in the end it's used to manage a netfilter firewall. But this doesn't mean that iptables is outdated.

 

pandlouk, thanks for providing a link to the converter.

Yes, the ufw package description is confusing / misleading.
You can see that ufw does (still) depend on "iptables" package, and does not depend on the separately packaged "nftables".
https://packages.ubuntu.com/zesty/ufw
https://packages.debian.org/sid/ufw

 

@pandlouk
Mechanically translated:

Code:

# Drop everything
# iptables-translate  -P OUTPUT  DROP Translation not implemented
# iptables-translate  -P INPUT   DROP Translation not implemented
# iptables-translate  -P FORWARD DROP Translation not implemented
# Drop everything Ipv6

# iptables-translate  -P OUTPUT  DROP Translation not implemented
# iptables-translate  -P INPUT   DROP Translation not implemented
# iptables-translate  -P FORWARD DROP Translation not implemented

# drop TCP sessions opened prior firewall restart
nft add rule ip filter INPUT tcp flags & (syn|rst|ack) != syn ct state new  counter drop
nft add rule ip filter OUTPUT tcp flags & (syn|rst|ack) != syn ct state new  counter drop

# drop packets that do not match any valid state and log them
nft add chain ip filter drop_invalid

nft add rule ip filter OUTPUT ct state invalid counter jump drop_invalid

nft add rule ip filter INPUT ct state invalid counter jump drop_invalid

nft add rule ip filter INPUT tcp sport 1-65535 tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter jump drop_invalid

nft add rule ip filter drop_invalid counter log prefix \"INVALID state -- DENY \" level debug

nft add rule ip filter drop_invalid counter drop



# anti-spoof
nft add chain ip filter In_RULE_0
# iptables-translate  -A INPUT -i enp3s0   -s amarildo   -j In_RULE_0 iptables-translate v1.6.1: host/network `amarildo' not found 
nft add rule ip filter In_RULE_0 counter log prefix \"RULE 0 -- DENY \" level info
nft add rule ip filter In_RULE_0 counter drop




# ICMP Block - Log
nft add chain ip filter In_RULE_1

nft add rule ip filter INPUT counter jump In_RULE_1

nft add rule ip filter In_RULE_1 counter log prefix \"RULE 1 -- DENY \" level info

nft add rule ip filter In_RULE_1 counter drop



# Whois - Block - Log
nft add chain ip filter In_RULE_2

nft add rule ip filter INPUT tcp dport 43 counter jump In_RULE_2

nft add rule ip filter In_RULE_2 counter log prefix \"RULE 2 -- DENY \" level info

nft add rule ip filter In_RULE_2 counter drop




# xmas-scan - Block - Log
nft add chain ip filter In_RULE_3

nft add rule ip filter INPUT tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg counter jump In_RULE_3

nft add rule ip filter In_RULE_3 counter log prefix \"RULE 3 -- DENY \" level info

nft add rule ip filter In_RULE_3 counter drop





# xmas-scan-full - Block - Log
nft add chain ip filter In_RULE_4

nft add rule ip filter INPUT tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter jump In_RULE_4

nft add rule ip filter In_RULE_4 counter log prefix \"RULE 4 -- DENY \" level info

nft add rule ip filter In_RULE_4 counter drop



# IP fragments - BLock - Log
nft add chain ip filter In_RULE_5

nft add rule ip filter INPUT ip frag-off != 0 counter jump In_RULE_5

nft add rule ip filter In_RULE_5 counter log prefix \"RULE 5 -- DENY \" level info

nft add rule ip filter In_RULE_5 counter drop



# who - Block - Log
nft add chain ip filter In_RULE_6

nft add rule ip filter INPUT udp dport 513 counter jump In_RULE_6

nft add rule ip filter In_RULE_6 counter log prefix \"RULE 6 -- DENY \" level info

nft add rule ip filter In_RULE_6 counter drop



# traceroute - Block - Log
nft add chain ip filter In_RULE_7

nft add rule ip filter INPUT udp dport 33434-33524 counter jump In_RULE_7

nft add rule ip filter In_RULE_7 counter log prefix \"RULE 7 -- DENY \" level info

nft add rule ip filter In_RULE_7 counter drop



# ESTABLISHED,RELATED
nft add rule ip filter INPUT ct state related,established counter accept



# allow all on loopback
nft add rule ip filter INPUT iifname lo counter accept

nft add rule ip filter OUTPUT oifname lo counter accept



#(INVALID OUT)
nft add rule ip filter OUTPUT tcp flags & (syn|rst|ack) != syn ct state new counter drop



# ESTABLISHED,RELATED (OUT)
nft add rule ip filter OUTPUT ct state related,established counter accept



# DNS
nft add rule ip filter OUTPUT udp dport 53 ct state new counter accept



# FTP
nft add rule ip filter OUTPUT tcp dport 21 ct state new  counter accept


# SMTP
nft add rule ip filter OUTPUT tcp dport 25 ct state new  counter accept


# http
nft add rule ip filter OUTPUT tcp dport 80 ct state new  counter accept


# POP3
nft add rule ip filter OUTPUT tcp dport 110 ct state new  counter accept


# IMAP
nft add rule ip filter OUTPUT tcp dport 143 ct state new  counter accept
# https
nft add rule ip filter OUTPUT tcp dport 443 ct state new  counter accept



# SMTPS
nft add rule ip filter OUTPUT tcp dport 465 ct state new  counter accept


# KMail
nft add rule ip filter OUTPUT tcp dport 993 ct state new  counter accept


# OpenVPN
nft add rule ip filter OUTPUT udp dport 1194 ct state new  counter accept


# KTorrent
nft add rule ip filter OUTPUT tcp dport 6881 ct state new counter accept

nft add rule ip filter OUTPUT udp dport 6881 ct state new counter accept

nft add rule ip filter OUTPUT udp dport 8881 ct state new counter accept

nft add rule ip filter OUTPUT tcp dport 8881 ct state new counter accept

nft add rule ip filter OUTPUT udp dport 7881 ct state new counter accept






# TerraSync
nft add rule ip filter OUTPUT tcp dport 8888 ct state new  counter accept


# Git
nft add rule ip filter OUTPUT tcp dport 9418 ct state new counter accept



# Steam
nft add rule ip filter OUTPUT ip protocol udp udp dport 27000-27015 counter accept

nft add rule ip filter OUTPUT ip protocol udp udp dport 27015-27030 counter accept

nft add rule ip filter OUTPUT ip protocol tcp tcp dport 27014-27050 counter accept

nft add rule ip filter OUTPUT udp dport 1200 counter accept

nft add rule ip filter OUTPUT udp dport 3478 counter accept

nft add rule ip filter OUTPUT udp dport 4379 counter accept

nft add rule ip filter OUTPUT udp dport 4380 counter accept



# SVN
nft add rule ip filter OUTPUT tcp dport 3690 ct state new  counter accept



# DHCP Client
nft add rule ip filter OUTPUT udp sport 67 udp dport 68 counter accept



# ALL UDP
nft add chain ip filter RULE_21

nft add rule ip filter OUTPUT counter jump RULE_21

nft add rule ip filter INPUT counter jump RULE_21

nft add rule ip filter RULE_21 counter log prefix \"RULE 21 -- DENY \" level info

nft add rule ip filter RULE_21 counter drop




# ALL TCP
nft add chain ip filter RULE_22
nft add rule ip filter OUTPUT  counter jump RULE_22
nft add rule ip filter INPUT  counter jump RULE_22
nft add rule ip filter RULE_22 counter log prefix \"RULE 22 -- DENY \" level info
nft add rule ip filter RULE_22 counter drop




# All other attempts are denied and logged
nft add chain ip filter RULE_23

# iptables-translate -A OUTPUT -d amarildo -j RULE_23 iptables-translate v1.6.1: host/network `amarildo' not found

nft add rule ip filter INPUT counter jump RULE_23

nft add rule ip filter RULE_23 counter log prefix \"RULE 23 -- DENY \" level info

nft add rule ip filter RULE_23 counter drop

Now only adapt and check if it works.

 

@inka You are welcome.
@MarkKx Check the rules
# iptables-translate -A INPUT -i enp3s0 -s amarildo -j In_RULE_0 iptables-translate v1.6.1: host/network `amarildo' not found
# iptables-translate -A OUTPUT -d amarildo -j RULE_23 iptables-translate v1.6.1: host/network `amarildo' not found

They are disabled and you must manully edit/configure them.

Panagiotis

 

When I wrote:

I was thinking to use instead:

Code:

amarildo

use

Code:

your_hostname

Howto solve this problem?

Code:

# Drop everything
# iptables-translate  -P OUTPUT  DROP Translation not implemented
# iptables-translate  -P INPUT   DROP Translation not implemented
# iptables-translate  -P FORWARD DROP Translation not implemented

# Drop everything Ipv6
# iptables-translate  -P OUTPUT  DROP Translation not implemented
# iptables-translate  -P INPUT   DROP Translation not implemented
# iptables-translate  -P FORWARD DROP Translation not implemented

Any ideas?

 

You must create a chain policy to drop the packets.
You can find some examples here
https://wiki.gentoo.org/wiki/Nftables/Examples#Typical_workstation_.28separate_IPv4_and_IPv6.29
https://developers.redhat.com/blog/...er-iptables-its-successor-of-course-nftables/
http://www.tldp.org/HOWTO/Linux IPv6-HOWTO/ch18s05.html

maybe you can use the commands
# nft chain inet filter output { policy drop \; }
# nft chain inet filter input { policy drop \; }


Panagiotis

 

Really interesting and very useful. Thanks!

Exactly.

You're absolutely correct.

Yes. Not only "amarildo" is the name of my host, but enp3s0 is my network adapter. OP should adapt them accordingly.

 

We usually started iptables roules configuration script with:

- Complete flush:

Code:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

- Default policy:

Code:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

What is the equivalent in nftables for both?

What I need, is default policy in INPUT and OUTPUT chain set up on DROP.
When " the wall " is ready, I have to make openings in it.

 

I don't mean to bump this, but it's still relevant since nftables is new and has limited information. I'm going to convert from iptables to nftables. Also, flushing iptables isn't good practice. Should just iptables-restore < /etc/iptables/empty.rules and begin from there with atomic.