Firewall migration from iptables to NFT

The nftables framework classifies packets and is the successor to the iptables, ip6tables, arptables, ebtables, and ipset utilities. It offers numerous improvements in convenience, features, and performance over the previous packet-filtering tools, most notably:

  • Built-in lookup tables instead of linear processing
  • A single framework for both the IPv4 and IPv6 protocols
  • All rules applied atomically instead of fetching, updating, and storing a complete rule set
  • Support for debugging and tracing in the rule set (nftrace) and monitoring trace events (in the nft tool)
  • More consistent and compact syntax, no protocol-specific extensions
  • A Netlink API for third-party applications

The nftables framework uses tables to store chains. The chains contain the individual rules that perform actions on packets. The nft utility replaces all tools from the previous packet-filtering frameworks. You can use the libnftnl library for low-level interaction with the nftables Netlink API through the libmnl library.


Migration Prerequisites:

  • The nftables and iptables packages are installed.
  • The system has iptables and ip6tables rules configured.

1. Convert iptables and ip6tables rule sets to nftables

The conversion uses the iptables-restore-translate and ip6tables-restore-translate utilities to translate complete iptables and ip6tables rule sets to nftables.

Procedure

  • Write the iptables and ip6tables rules to a file.

# iptables-save > /root/iptables.dump
# ip6tables-save > /root/ip6tables.dump

  • Convert the dump files to nftables instructions.

Note: The commands below fail with an error that names the offending line number in the dump file if the file contains a syntactically incorrect rule.

# iptables-restore-translate -f /root/iptables.dump > /etc/nftables/ruleset-migrated-from-iptables.nft

# ip6tables-restore-translate -f /root/ip6tables.dump > /etc/nftables/ruleset-migrated-from-ip6tables.nft

  • Check migrated rules validity without actually applying the changes.

Note: The command below reports an error if the .nft file contains a rule that is malformed or syntactically incorrect; comment out such a rule in the file and run the check again.

# nft -c -f /etc/nftables/ruleset-migrated-from-iptables.nft

# nft -c -f /etc/nftables/ruleset-migrated-from-ip6tables.nft

  • Apply the rules.

# nft -f /etc/nftables/ruleset-migrated-from-iptables.nft

# nft -f /etc/nftables/ruleset-migrated-from-ip6tables.nft

  • To enable the nftables service to load the generated files, add the following to the /etc/sysconfig/nftables.conf file:

include "/etc/nftables/ruleset-migrated-from-iptables.nft"
include "/etc/nftables/ruleset-migrated-from-ip6tables.nft"

  • Stop and disable the iptables service:

# systemctl disable --now iptables

  • Enable and start the nftables service:

# systemctl enable --now nftables

Verification

  • Display the nftables rule set:

# nft list ruleset

2. Convert single iptables and ip6tables rules to nftables

The conversion uses the iptables-translate and ip6tables-translate utilities to convert a single iptables or ip6tables rule into the equivalent nftables rule.

Procedure

  • Use the iptables-translate or ip6tables-translate utility instead of iptables or ip6tables to display the corresponding nftables rule, for example:

# iptables-translate -A INPUT -s 192.168.1.10/24 -j ACCEPT
nft add rule ip filter INPUT ip saddr 192.168.1.10/24 counter accept

Note: Some extensions lack translation support. In these cases, the utility prints the untranslated rule prefixed with the # sign, for example:

# iptables-translate -A INPUT -j CHECKSUM --checksum-fill
nft # -A INPUT -j CHECKSUM --checksum-fill
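The steps of section 1 and the commented-out, untranslated rules described just above fit together in one checking script. What follows is an added example written for this article, not code from the nftables project or from the tools it describes: the functions untranslated_rules, untranslated_count, write_sample_ruleset and migrate_to_nft are this example's own names, the dump and output paths are the ones used in section 1, and the translator output it embeds is a constructed sample (the "#"-prefixed form follows the note above; the "nft #" form printed by iptables-translate is matched as well). A rule that the translator leaves behind as a comment is a control that silently disappears from the firewall, so the migration function refuses to apply the rule set until that count is zero.

```shell
#!/bin/sh
# Added example for the iptables -> nftables migration procedure above.
# Not part of the nftables project; function names are this example's own.

# Print the rules that iptables-restore-translate / iptables-translate left
# untranslated. Both tools emit such a rule as a comment whose body is the
# original iptables syntax ("# -A INPUT ..." or "nft # -A INPUT ..."), so a
# comment starting with an iptables append/insert flag is a rule that did
# not make it into the nftables rule set.
untranslated_rules() {
    # $1: path to a translated .nft file
    grep -E '^[[:space:]]*(nft[[:space:]]+)?#[[:space:]]*-[AI][[:space:]]' "$1" |
        sed -E 's/^[[:space:]]*(nft[[:space:]]+)?#[[:space:]]*//'
}

# Number of untranslated rules, usable as a gate before applying.
untranslated_count() {
    untranslated_rules "$1" | wc -l | tr -d ' '
}

# Constructed sample of translator output, for trying the checker offline.
# The two CHECKSUM lines stand in for rules the translator could not convert.
write_sample_ruleset() {
    cat > "$1" <<'EOF'
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
add rule ip filter INPUT ip saddr 192.168.1.0/24 counter accept
# -A INPUT -j CHECKSUM --checksum-fill
add rule ip filter INPUT tcp dport 22 counter accept
# -A OUTPUT -j CHECKSUM --checksum-fill
EOF
}

# Full procedure for one family: dump, translate, inspect, dry-run, apply.
# $1: "iptables" or "ip6tables" (paths follow section 1 of the article).
migrate_to_nft() {
    tool=$1
    dump=/root/$tool.dump
    out=/etc/nftables/ruleset-migrated-from-$tool.nft

    "$tool-save" > "$dump" || return 1
    "$tool-restore-translate" -f "$dump" > "$out" || return 1

    n=$(untranslated_count "$out")
    if [ "$n" -ne 0 ]; then
        echo "$n rule(s) were not translated; review before applying:" >&2
        untranslated_rules "$out" >&2
        return 2
    fi

    # Dry run first; nft -f is atomic, so a failing file changes nothing live.
    nft -c -f "$out" || return 1
    nft -f "$out"
}

# Usage: migrate_to_nft iptables && migrate_to_nft ip6tables
```

Run migrate_to_nft once per family; a non-zero count from untranslated_count means some rules need to be rewritten by hand (for example with a native nftables expression) before the file is applied.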

3. Writing and executing nftables scripts

The major benefit of using the nftables framework is that the execution of scripts is atomic. This means that the system either applies the whole script or prevents the execution if an error occurs. This guarantees that the firewall is always in a consistent state.

4. Supported nftables script format

  • Identical format as the nft list ruleset command displays the rule set:

#!/usr/sbin/nft -f

# Flush the rule set
flush ruleset

table inet example_table {
  chain example_chain {
    # Chain for incoming packets that drops all packets that
    # are not explicitly allowed by any rule in this chain
    type filter hook input priority 0; policy drop;

    # Accept connections to port 22 (ssh)
    tcp dport ssh accept
  }
}

  • Identical syntax as for nft commands:

#!/usr/sbin/nft -f

# Flush the rule set
flush ruleset

# Create a table
add table inet example_table

# Create a chain for incoming packets that drops all packets
# that are not explicitly allowed by any rule in this chain
add chain inet example_table example_chain { type filter hook input priority 0 ; policy drop ; }

# Add a rule that accepts connections to port 22 (ssh)
add rule inet example_table example_chain tcp dport ssh accept

5. Running nftables scripts

nft -f /etc/nftables/<example_firewall_script>.nft
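Sections 3 to 5 describe the two script formats and the atomic check-then-load cycle. The following added example (written for this article, not taken from the nftables project) generates a script in the "nft command" format shown in section 4, but goes a step further than the page by replacing what would be one accept rule per source address in iptables with a single named set, the built-in lookup table listed among nftables' advantages at the top. The names example_table, example_chain, ssh_admins and the output path /etc/nftables/ssh_ruleset.nft are this example's own, and the addresses passed in are constructed sample values.

```shell
#!/bin/sh
# Added example: render an nftables script that restricts SSH to a set of
# source networks, then check and load it atomically. Table, chain and set
# names are this example's own choices.

# Emit a rule set in the "nft command" syntax from section 4.
# $@: IPv4 addresses or prefixes allowed to reach port 22.
render_ssh_ruleset() {
    elems=$(printf '%s, ' "$@")
    elems=${elems%", "}        # drop the trailing separator
    cat <<EOF
#!/usr/sbin/nft -f

# Flush the rule set
flush ruleset

# Create a table
add table inet example_table

# Named set: one lookup instead of one rule per allowed address.
# "flags interval" lets the set hold prefixes as well as single hosts.
add set inet example_table ssh_admins { type ipv4_addr; flags interval; elements = { $elems }; }

# Chain for incoming packets that drops everything not explicitly allowed
add chain inet example_table example_chain { type filter hook input priority 0; policy drop; }

# Keep replies to established connections and loopback traffic working
add rule inet example_table example_chain ct state established,related accept
add rule inet example_table example_chain iif lo accept

# Accept SSH only from members of the set
add rule inet example_table example_chain ip saddr @ssh_admins tcp dport ssh accept
EOF
}

# Write the script, dry-run it, and apply it only if the check passes.
# Because nft -f is atomic, a failed check leaves the live rule set untouched.
load_ssh_ruleset() {
    out=/etc/nftables/ssh_ruleset.nft
    render_ssh_ruleset "$@" > "$out" || return 1
    nft -c -f "$out" && nft -f "$out"
}

# Usage: load_ssh_ruleset 192.168.1.0/24 10.0.0.5
```

Adding or removing an administrator address then means editing the set's elements (or using nft add element / nft delete element at run time) rather than touching the rule itself, and the whole file is still loaded in one atomic step with nft -f.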

For more details, see the nftables, nftables wiki, nft, and firewall documentation.

Source repository: https://git.netfilter.org/nftables/

Thanks!
