Hi all. Iptables is over, time for nftables. I lost too many hours trying to implement nftables on Stretch. Not intended for servers, with rules to be loaded at boot, before the network card starts. For iptables there is a fantastic TUTORIAL done by "amarildojr" https://www.wilderssecurity.com/threads/tutorial-expert-linux-firewalling.376935/ Could anybody do the same for nftables? In other words, how to translate this script to nftables:

Code:
# Drop everything
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Drop everything IPv6
ip6tables -P OUTPUT DROP
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP

# drop TCP sessions opened prior to firewall restart
iptables -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP

# drop packets that do not match any valid state and log them
iptables -N drop_invalid
iptables -A OUTPUT -m state --state INVALID -j drop_invalid
iptables -A INPUT -m state --state INVALID -j drop_invalid
iptables -A INPUT -p tcp -m tcp --sport 1:65535 --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j drop_invalid
iptables -A drop_invalid -j LOG --log-level debug --log-prefix "INVALID state -- DENY "
iptables -A drop_invalid -j DROP

# anti-spoof ("amarildo" is the local hostname, enp3s0 the LAN interface)
iptables -N In_RULE_0
iptables -A INPUT -i enp3s0 -s amarildo -j In_RULE_0
iptables -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
iptables -A In_RULE_0 -j DROP

# ICMP - Block - Log
iptables -N In_RULE_1
iptables -A INPUT -p icmp -m icmp --icmp-type any -j In_RULE_1
iptables -A In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY "
iptables -A In_RULE_1 -j DROP

# Whois - Block - Log
iptables -N In_RULE_2
iptables -A INPUT -p tcp -m tcp --dport 43 -j In_RULE_2
iptables -A In_RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY "
iptables -A In_RULE_2 -j DROP

# xmas-scan - Block - Log
iptables -N In_RULE_3
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL URG,PSH,FIN -j In_RULE_3
iptables -A In_RULE_3 -j LOG --log-level info --log-prefix "RULE 3 -- DENY "
iptables -A In_RULE_3 -j DROP

# xmas-scan-full - Block - Log
iptables -N In_RULE_4
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -j In_RULE_4
iptables -A In_RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- DENY "
iptables -A In_RULE_4 -j DROP

# IP fragments - Block - Log
iptables -N In_RULE_5
iptables -A INPUT -p all -f -j In_RULE_5
iptables -A In_RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- DENY "
iptables -A In_RULE_5 -j DROP

# who - Block - Log
iptables -N In_RULE_6
iptables -A INPUT -p udp -m udp --dport 513 -j In_RULE_6
iptables -A In_RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY "
iptables -A In_RULE_6 -j DROP

# traceroute - Block - Log
iptables -N In_RULE_7
iptables -A INPUT -p udp -m udp --dport 33434:33524 -j In_RULE_7
iptables -A In_RULE_7 -j LOG --log-level info --log-prefix "RULE 7 -- DENY "
iptables -A In_RULE_7 -j DROP

# ESTABLISHED,RELATED
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow all on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# (INVALID OUT)
iptables -A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP

# ESTABLISHED,RELATED (OUT)
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# DNS
iptables -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
# FTP
iptables -A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
# SMTP
iptables -A OUTPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
# http
iptables -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
# POP3
iptables -A OUTPUT -p tcp -m tcp --dport 110 -m state --state NEW -j ACCEPT
# IMAP
iptables -A OUTPUT -p tcp -m tcp --dport 143 -m state --state NEW -j ACCEPT
# https
iptables -A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
# SMTPS
iptables -A OUTPUT -p tcp -m tcp --dport 465 -m state --state NEW -j ACCEPT
# KMail (IMAPS)
iptables -A OUTPUT -p tcp -m tcp --dport 993 -m state --state NEW -j ACCEPT
# OpenVPN
iptables -A OUTPUT -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
# KTorrent
iptables -A OUTPUT -p tcp -m tcp --dport 6881 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 6881 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 8881 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 8881 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 7881 -m state --state NEW -j ACCEPT
# TerraSync
iptables -A OUTPUT -p tcp -m tcp --dport 8888 -m state --state NEW -j ACCEPT
# Git
iptables -A OUTPUT -p tcp -m tcp --dport 9418 -m state --state NEW -j ACCEPT
# Steam
iptables -A OUTPUT -p udp -m multiport --dports 27000:27015 -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dports 27015:27030 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 27014:27050 -j ACCEPT
iptables -A OUTPUT -p udp --dport 1200 -j ACCEPT
iptables -A OUTPUT -p udp --dport 3478 -j ACCEPT
iptables -A OUTPUT -p udp --dport 4379 -j ACCEPT
iptables -A OUTPUT -p udp --dport 4380 -j ACCEPT
# SVN
iptables -A OUTPUT -p tcp -m tcp --dport 3690 -m state --state NEW -j ACCEPT
# DHCP Client
iptables -A OUTPUT -p udp --sport 67 --dport 68 -j ACCEPT

# ALL UDP
iptables -N RULE_21
iptables -A OUTPUT -p udp -m udp -j RULE_21
iptables -A INPUT -p udp -m udp -j RULE_21
iptables -A RULE_21 -j LOG --log-level info --log-prefix "RULE 21 -- DENY "
iptables -A RULE_21 -j DROP

# ALL TCP
iptables -N RULE_22
iptables -A OUTPUT -p tcp -m tcp -j RULE_22
iptables -A INPUT -p tcp -m tcp -j RULE_22
iptables -A RULE_22 -j LOG --log-level info --log-prefix "RULE 22 -- DENY "
iptables -A RULE_22 -j DROP

# All other attempts are denied and logged
iptables -N RULE_23
iptables -A OUTPUT -d amarildo -j RULE_23
iptables -A INPUT -j RULE_23
iptables -A RULE_23 -j LOG --log-level info --log-prefix "RULE 23 -- DENY "
iptables -A RULE_23 -j DROP

I would appreciate any help. Regards. Mark.
Hello, Unfortunately the task of translating every rule from iptables to nftables is pretty tough, considering the size of the ruleset I've created. And while I don't have the time to do it anymore, I'd suggest taking a look at this Wiki page, it's certainly a good start. Regards, Amarildo
Hi all. Iptables is over, time for UFW, or GUFW. https://doc.ubuntu-fr.org/ufw https://doc.ubuntu-fr.org/gufw
@MarkKx , @amarildojr There is an easy way to translate most of your rules. Translate your iptables rules from a web app Panagiotis
https://doc.ubuntu-fr.org/ufw "UFW is a new, simplified command-line configuration tool for Netfilter" (translated from the French: "UFW est un nouvel outil de configuration simplifié en ligne de commande de Netfilter"). You don't speak French?... The firewall is Netfilter, the frontend is UFW, and GUFW is the GUI for UFW. Iptables?... outdated, obsolete.
My French is a bit dusty. The English Ubuntu wiki site says: The manpage says: And I say: iptables is a userspace program to configure the tables (which contain chains and rules) provided by the firewall in the Linux kernel, which in turn consists of various netfilter modules. And ufw is a frontend for iptables; in the end it's used to manage a netfilter firewall. But this doesn't mean that iptables is outdated.
pandlouk, thanks for providing a link to the converter. Yes, the ufw package description is confusing/misleading. You can see that ufw (still) depends on the "iptables" package, and does not depend on the separately packaged "nftables". https://packages.ubuntu.com/zesty/ufw https://packages.debian.org/sid/ufw
@pandlouk Mechanically translated:

Code:
# Drop everything
# iptables-translate -P OUTPUT DROP
Translation not implemented
# iptables-translate -P INPUT DROP
Translation not implemented
# iptables-translate -P FORWARD DROP
Translation not implemented

# Drop everything IPv6
# iptables-translate -P OUTPUT DROP
Translation not implemented
# iptables-translate -P INPUT DROP
Translation not implemented
# iptables-translate -P FORWARD DROP
Translation not implemented

# NOTE: the commands below assume that the table "ip filter" and its base chains
# INPUT, OUTPUT and FORWARD already exist; iptables-translate does not create them.

# drop TCP sessions opened prior to firewall restart
nft add rule ip filter INPUT tcp flags & (syn|rst|ack) != syn ct state new counter drop
nft add rule ip filter OUTPUT tcp flags & (syn|rst|ack) != syn ct state new counter drop

# drop packets that do not match any valid state and log them
nft add chain ip filter drop_invalid
nft add rule ip filter OUTPUT ct state invalid counter jump drop_invalid
nft add rule ip filter INPUT ct state invalid counter jump drop_invalid
nft add rule ip filter INPUT tcp sport 1-65535 tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter jump drop_invalid
nft add rule ip filter drop_invalid counter log prefix \"INVALID state -- DENY \" level debug
nft add rule ip filter drop_invalid counter drop

# anti-spoof
nft add chain ip filter In_RULE_0
# iptables-translate -A INPUT -i enp3s0 -s amarildo -j In_RULE_0
iptables-translate v1.6.1: host/network `amarildo' not found
nft add rule ip filter In_RULE_0 counter log prefix \"RULE 0 -- DENY \" level info
nft add rule ip filter In_RULE_0 counter drop

# ICMP - Block - Log
nft add chain ip filter In_RULE_1
# NOTE: the "-p icmp" match was lost in translation, so this jump matches every
# packet and nothing after it in INPUT is ever reached; the protocol match
# (ip protocol icmp) has to be re-added by hand.
nft add rule ip filter INPUT counter jump In_RULE_1
nft add rule ip filter In_RULE_1 counter log prefix \"RULE 1 -- DENY \" level info
nft add rule ip filter In_RULE_1 counter drop

# Whois - Block - Log
nft add chain ip filter In_RULE_2
nft add rule ip filter INPUT tcp dport 43 counter jump In_RULE_2
nft add rule ip filter In_RULE_2 counter log prefix \"RULE 2 -- DENY \" level info
nft add rule ip filter In_RULE_2 counter drop

# xmas-scan - Block - Log
nft add chain ip filter In_RULE_3
nft add rule ip filter INPUT tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg counter jump In_RULE_3
nft add rule ip filter In_RULE_3 counter log prefix \"RULE 3 -- DENY \" level info
nft add rule ip filter In_RULE_3 counter drop

# xmas-scan-full - Block - Log
nft add chain ip filter In_RULE_4
nft add rule ip filter INPUT tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter jump In_RULE_4
nft add rule ip filter In_RULE_4 counter log prefix \"RULE 4 -- DENY \" level info
nft add rule ip filter In_RULE_4 counter drop

# IP fragments - Block - Log
nft add chain ip filter In_RULE_5
# NOTE: "ip frag-off" is the whole 16-bit field, flag bits included, so "!= 0"
# also matches unfragmented packets that carry DF; "-f" corresponds to the
# 13-bit offset only (ip frag-off & 0x1fff != 0).
nft add rule ip filter INPUT ip frag-off != 0 counter jump In_RULE_5
nft add rule ip filter In_RULE_5 counter log prefix \"RULE 5 -- DENY \" level info
nft add rule ip filter In_RULE_5 counter drop

# who - Block - Log
nft add chain ip filter In_RULE_6
nft add rule ip filter INPUT udp dport 513 counter jump In_RULE_6
nft add rule ip filter In_RULE_6 counter log prefix \"RULE 6 -- DENY \" level info
nft add rule ip filter In_RULE_6 counter drop

# traceroute - Block - Log
nft add chain ip filter In_RULE_7
nft add rule ip filter INPUT udp dport 33434-33524 counter jump In_RULE_7
nft add rule ip filter In_RULE_7 counter log prefix \"RULE 7 -- DENY \" level info
nft add rule ip filter In_RULE_7 counter drop

# ESTABLISHED,RELATED
nft add rule ip filter INPUT ct state related,established counter accept

# allow all on loopback
nft add rule ip filter INPUT iifname lo counter accept
nft add rule ip filter OUTPUT oifname lo counter accept

# (INVALID OUT)
nft add rule ip filter OUTPUT tcp flags & (syn|rst|ack) != syn ct state new counter drop

# ESTABLISHED,RELATED (OUT)
nft add rule ip filter OUTPUT ct state related,established counter accept

# DNS
nft add rule ip filter OUTPUT udp dport 53 ct state new counter accept
# FTP
nft add rule ip filter OUTPUT tcp dport 21 ct state new counter accept
# SMTP
nft add rule ip filter OUTPUT tcp dport 25 ct state new counter accept
# http
nft add rule ip filter OUTPUT tcp dport 80 ct state new counter accept
# POP3
nft add rule ip filter OUTPUT tcp dport 110 ct state new counter accept
# IMAP
nft add rule ip filter OUTPUT tcp dport 143 ct state new counter accept
# https
nft add rule ip filter OUTPUT tcp dport 443 ct state new counter accept
# SMTPS
nft add rule ip filter OUTPUT tcp dport 465 ct state new counter accept
# KMail (IMAPS)
nft add rule ip filter OUTPUT tcp dport 993 ct state new counter accept
# OpenVPN
nft add rule ip filter OUTPUT udp dport 1194 ct state new counter accept
# KTorrent
nft add rule ip filter OUTPUT tcp dport 6881 ct state new counter accept
nft add rule ip filter OUTPUT udp dport 6881 ct state new counter accept
nft add rule ip filter OUTPUT udp dport 8881 ct state new counter accept
nft add rule ip filter OUTPUT tcp dport 8881 ct state new counter accept
nft add rule ip filter OUTPUT udp dport 7881 ct state new counter accept
# TerraSync
nft add rule ip filter OUTPUT tcp dport 8888 ct state new counter accept
# Git
nft add rule ip filter OUTPUT tcp dport 9418 ct state new counter accept
# Steam
nft add rule ip filter OUTPUT ip protocol udp udp dport 27000-27015 counter accept
nft add rule ip filter OUTPUT ip protocol udp udp dport 27015-27030 counter accept
nft add rule ip filter OUTPUT ip protocol tcp tcp dport 27014-27050 counter accept
nft add rule ip filter OUTPUT udp dport 1200 counter accept
nft add rule ip filter OUTPUT udp dport 3478 counter accept
nft add rule ip filter OUTPUT udp dport 4379 counter accept
nft add rule ip filter OUTPUT udp dport 4380 counter accept
# SVN
nft add rule ip filter OUTPUT tcp dport 3690 ct state new counter accept
# DHCP Client
nft add rule ip filter OUTPUT udp sport 67 udp dport 68 counter accept

# ALL UDP
nft add chain ip filter RULE_21
# NOTE: "-p udp -m udp" with no port option was translated to nothing, so these
# two jumps match every packet and RULE_22/RULE_23 are never reached; re-add
# "ip protocol udp" here (and "ip protocol tcp" in RULE_22) by hand.
nft add rule ip filter OUTPUT counter jump RULE_21
nft add rule ip filter INPUT counter jump RULE_21
nft add rule ip filter RULE_21 counter log prefix \"RULE 21 -- DENY \" level info
nft add rule ip filter RULE_21 counter drop

# ALL TCP
nft add chain ip filter RULE_22
nft add rule ip filter OUTPUT counter jump RULE_22
nft add rule ip filter INPUT counter jump RULE_22
nft add rule ip filter RULE_22 counter log prefix \"RULE 22 -- DENY \" level info
nft add rule ip filter RULE_22 counter drop

# All other attempts are denied and logged
nft add chain ip filter RULE_23
# iptables-translate -A OUTPUT -d amarildo -j RULE_23
iptables-translate v1.6.1: host/network `amarildo' not found
nft add rule ip filter INPUT counter jump RULE_23
nft add rule ip filter RULE_23 counter log prefix \"RULE 23 -- DENY \" level info
nft add rule ip filter RULE_23 counter drop

Now only adapt it and check whether it works.
@inka You are welcome. @MarkKx Check the rules

Code:
# iptables-translate -A INPUT -i enp3s0 -s amarildo -j In_RULE_0
iptables-translate v1.6.1: host/network `amarildo' not found
# iptables-translate -A OUTPUT -d amarildo -j RULE_23
iptables-translate v1.6.1: host/network `amarildo' not found

They are disabled and you must manually edit/configure them. Panagiotis
When I wrote: I was thinking of using, instead of

Code:
amarildo

the name

Code:
your_hostname

How do I solve this problem?

Code:
# Drop everything
# iptables-translate -P OUTPUT DROP
Translation not implemented
# iptables-translate -P INPUT DROP
Translation not implemented
# iptables-translate -P FORWARD DROP
Translation not implemented

# Drop everything IPv6
# iptables-translate -P OUTPUT DROP
Translation not implemented
# iptables-translate -P INPUT DROP
Translation not implemented
# iptables-translate -P FORWARD DROP
Translation not implemented

Any ideas?
You must set a chain policy to drop the packets. You can find some examples here: https://wiki.gentoo.org/wiki/Nftables/Examples#Typical_workstation_.28separate_IPv4_and_IPv6.29 https://developers.redhat.com/blog/...er-iptables-its-successor-of-course-nftables/ http://www.tldp.org/HOWTO/Linux IPv6-HOWTO/ch18s05.html Maybe you can use the commands

Code:
# nft chain inet filter output { policy drop \; }
# nft chain inet filter input { policy drop \; }

Panagiotis
Really interesting and very useful. Thanks! Exactly. You're absolutely correct. Yes. Not only is "amarildo" the name of my host, enp3s0 is also my network adapter. The OP should adapt them accordingly.
We usually start an iptables rules configuration script with:

- Complete flush:

Code:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

- Default policy:

Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

What is the equivalent in nftables for both? What I need is the default policy in the INPUT and OUTPUT chains set to DROP. When "the wall" is ready, I have to make openings in it.
I don't mean to bump this, but it's still relevant since nftables is new and there is limited information. I'm going to convert from iptables to nftables. Also, flushing iptables isn't good practice. You should just run iptables-restore < /etc/iptables/empty.rules and begin from there, atomically.
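Editor's added example, not code from any of the posters: the original iptables script from the first post, the gaps in the mechanical translation (hostname, lost protocol matches, fragment offset), the "policy drop" question and the flush/atomic-load question, all handled in one nftables ruleset file. The interface name enp3s0 and the address 192.0.2.10 are placeholders standing in for the poster's "enp3s0" and "amarildo"; the per-rule log chains are collapsed into inline "log ... drop" rules, and the three catch-all chains RULE_21/22/23 into one final log-and-drop.

```nft
#!/usr/sbin/nft -f
# Added example (editor's, not from the thread). ASSUMED placeholders: LAN
# interface enp3s0, own IPv4 address 192.0.2.10; nft 0.7 (Stretch) or newer.

# One file = one transaction: the flush and the new rules are committed
# together, so there is never an empty or half-loaded firewall in between.
flush ruleset

table inet filter {
    # own address(es): must never appear as source on the LAN (anti-spoof);
    # replaces "-s amarildo" (a hostname) with an explicit address set
    set self4 {
        type ipv4_addr
        elements = { 192.0.2.10 }
    }
    # outbound services from the old OUTPUT chain, as sets instead of one rule each
    set tcp_out {
        type inet_service
        flags interval
        elements = { 21, 25, 80, 110, 143, 443, 465, 993, 3690,
                     6881, 8881, 8888, 9418, 27014-27050 }
    }
    set udp_out {
        type inet_service
        flags interval
        elements = { 53, 1194, 1200, 3478, 4379, 4380, 6881, 7881, 8881,
                     27000-27030 }
    }

    # regular chain (no hook), reached by jump; the old "drop_invalid"
    chain drop_invalid {
        log prefix "INVALID state -- DENY " level debug
        drop
    }

    chain input {
        # "policy drop" is the nftables equivalent of "iptables -P INPUT DROP"
        type filter hook input priority 0; policy drop;
        iif lo accept
        # the old ip6tables policy was DROP with no rules at all; keep that
        # until proper ICMPv6/NDP rules are written
        meta nfproto ipv6 drop
        # anti-spoof. iifname is a string match, so the rule loads even when
        # enp3s0 does not exist yet at boot ("iif enp3s0" would fail to load).
        iifname "enp3s0" ip saddr @self4 log prefix "RULE 0 -- DENY " level info drop
        ct state invalid jump drop_invalid
        # new connection without SYN: sessions that predate the firewall
        tcp flags & (syn|rst|ack) != syn ct state new drop
        # null scan
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 jump drop_invalid
        # xmas and full-xmas scans
        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg log prefix "RULE 3 -- DENY " level info drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg log prefix "RULE 4 -- DENY " level info drop
        # IPv4 non-first fragments (iptables -f): mask off the DF/MF flag bits,
        # only the 13-bit offset matters
        ip frag-off & 0x1fff != 0 log prefix "RULE 5 -- DENY " level info drop
        # all IPv4 ICMP, as in the original (this also drops ICMP errors for
        # our own connections, e.g. path-MTU discovery)
        ip protocol icmp log prefix "RULE 1 -- DENY " level info drop
        # whois, who and traceroute probes, logged with their own prefixes
        tcp dport 43 log prefix "RULE 2 -- DENY " level info drop
        udp dport 513 log prefix "RULE 6 -- DENY " level info drop
        udp dport 33434-33524 log prefix "RULE 7 -- DENY " level info drop
        ct state established,related accept
        # everything else: log, then drop (the chain policy would drop it anyway)
        log prefix "RULE 23 -- DENY " level info drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        meta nfproto ipv6 drop
        ct state invalid jump drop_invalid
        tcp flags & (syn|rst|ack) != syn ct state new drop
        ct state established,related accept
        tcp dport @tcp_out ct state new accept
        udp dport @udp_out ct state new accept
        # DHCP client traffic goes from client port 68 to server port 67; the
        # old rule ("--sport 67 --dport 68") had the server-to-client direction
        udp sport 68 udp dport 67 accept
        log prefix "RULE 23 -- DENY " level info drop
    }
}
```

Save it as /etc/nftables.conf, check it without loading it (nft -c -f /etc/nftables.conf), load it with nft -f /etc/nftables.conf, and enable the nftables unit shipped with Debian's nftables package (systemctl enable nftables) so the file is applied at boot; that unit is ordered before the network comes up, which is why the interface is matched by name rather than by index. Because the file starts with "flush ruleset" and is applied as a single transaction, re-running nft -f is the nftables answer to both the "complete flush" block and the "atomic" load discussed above: a syntax error anywhere in the file means nothing is changed, not a half-flushed firewall.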