nftables - I'm a bit late to the party. Lots of questions.

Armstrong
Level 4
Posts: 243
Joined: Tue Sep 11, 2012 12:57 pm

Post by Armstrong »

I tried doing searches to find answers, but what I found only confused me further. I suspect that the answers I need are simple, so...

I have always had Gufw and iptables installed. I have now installed and enabled nftables. So, does Gufw configure nftables? My requirements are quite simple. I have Gufw configured as "Home", "On" (or, now, a simple check mark), Incoming "Deny", Outgoing "Allow". Easy, peasy, and I have no desire, or need, to create more rules. That said, when I checked the status of my nftables service,

Code:

table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}
I am unsure what the above means, but I then found the following set of commands:

Code:

sudo apt install iptables-nftables-compat
sudo iptables-save > iptables.dump
sudo iptables-restore-translate -f iptables.dump > ruleset.nft
sudo nft -f ruleset.nft
The first one said that the package couldn't be found, but the other three resulted in this when I re-checked the status of the nftables service:

Code:

$ sudo nft list ruleset
table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy drop;
		counter packets 1 bytes 91 jump ufw-before-logging-input
		counter packets 1 bytes 91 jump ufw-before-input
		counter packets 0 bytes 0 jump ufw-after-input
		counter packets 0 bytes 0 jump ufw-after-logging-input
		counter packets 0 bytes 0 jump ufw-reject-input
		counter packets 0 bytes 0 jump ufw-track-input
	}

	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		counter packets 0 bytes 0 jump ufw-before-logging-forward
		counter packets 0 bytes 0 jump ufw-before-forward
		counter packets 0 bytes 0 jump ufw-after-forward
		counter packets 0 bytes 0 jump ufw-after-logging-forward
		counter packets 0 bytes 0 jump ufw-reject-forward
		counter packets 0 bytes 0 jump ufw-track-forward
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		counter packets 2 bytes 143 jump ufw-before-logging-output
		counter packets 2 bytes 143 jump ufw-before-output
		counter packets 0 bytes 0 jump ufw-after-output
		counter packets 0 bytes 0 jump ufw-after-logging-output
		counter packets 0 bytes 0 jump ufw-reject-output
		counter packets 0 bytes 0 jump ufw-track-output
	}

	chain ufw-after-forward {
	}

	chain ufw-after-input {
		udp dport 137 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
		udp dport 138 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
		tcp dport 139 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
		tcp dport 445 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
		udp dport 67 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
		udp dport 68 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
		fib daddr type broadcast counter packets 0 bytes 0 jump ufw-skip-to-policy-input
	}

	chain ufw-after-logging-forward {
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW BLOCK] "
	}

	chain ufw-after-logging-input {
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW BLOCK] "
	}

	chain ufw-after-logging-output {
	}

	chain ufw-after-output {
	}

	chain ufw-before-forward {
		ct state established,related counter packets 0 bytes 0 accept
		icmp type destination-unreachable counter packets 0 bytes 0 accept
		icmp type time-exceeded counter packets 0 bytes 0 accept
		icmp type parameter-problem counter packets 0 bytes 0 accept
		icmp type echo-request counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 jump ufw-user-forward
	}

	chain ufw-before-input {
		iifname "lo" counter packets 0 bytes 0 accept
		ct state established,related counter packets 1 bytes 91 accept
		ct state invalid counter packets 0 bytes 0 jump ufw-logging-deny
		ct state invalid counter packets 0 bytes 0 drop
		icmp type destination-unreachable counter packets 0 bytes 0 accept
		icmp type time-exceeded counter packets 0 bytes 0 accept
		icmp type parameter-problem counter packets 0 bytes 0 accept
		icmp type echo-request counter packets 0 bytes 0 accept
		udp sport 67 udp dport 68 counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 jump ufw-not-local
		ip daddr 224.0.0.251 udp dport 5353 counter packets 0 bytes 0 accept
		ip daddr 239.255.255.250 udp dport 1900 counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 jump ufw-user-input
	}

	chain ufw-before-logging-forward {
	}

	chain ufw-before-logging-input {
	}

	chain ufw-before-logging-output {
	}

	chain ufw-before-output {
		oifname "lo" counter packets 0 bytes 0 accept
		ct state established,related counter packets 2 bytes 143 accept
		counter packets 0 bytes 0 jump ufw-user-output
	}

	chain ufw-logging-allow {
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW ALLOW] "
	}

	chain ufw-logging-deny {
		ct state invalid limit rate 3/minute burst 10 packets counter packets 0 bytes 0 return
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW BLOCK] "
	}

	chain ufw-not-local {
		fib daddr type local counter packets 0 bytes 0 return
		fib daddr type multicast counter packets 0 bytes 0 return
		fib daddr type broadcast counter packets 0 bytes 0 return
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 jump ufw-logging-deny
		counter packets 0 bytes 0 drop
	}

	chain ufw-reject-forward {
	}

	chain ufw-reject-input {
	}

	chain ufw-reject-output {
	}

	chain ufw-skip-to-policy-forward {
		counter packets 0 bytes 0 drop
	}

	chain ufw-skip-to-policy-input {
		counter packets 0 bytes 0 drop
	}

	chain ufw-skip-to-policy-output {
		counter packets 0 bytes 0 accept
	}

	chain ufw-track-forward {
	}

	chain ufw-track-input {
	}

	chain ufw-track-output {
		ip protocol tcp ct state new counter packets 0 bytes 0 accept
		ip protocol udp ct state new counter packets 0 bytes 0 accept
	}

	chain ufw-user-forward {
	}

	chain ufw-user-input {
	}

	chain ufw-user-limit {
		limit rate 3/minute counter packets 0 bytes 0 log prefix "[UFW LIMIT BLOCK] "
		counter packets 0 bytes 0 reject
	}

	chain ufw-user-limit-accept {
		counter packets 0 bytes 0 accept
	}

	chain ufw-user-logging-forward {
	}

	chain ufw-user-logging-input {
	}

	chain ufw-user-logging-output {
	}

	chain ufw-user-output {
	}
}

I apologize for including all this, however...Gufw says the firewall is functioning okay, but is it using the iptables settings or the nftables settings? Did I manage to migrate the old to the new? Thank you for any comments. Slainte!
Last edited by LockBot on Wed Sep 27, 2023 10:00 pm, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Coggy
Level 5
Posts: 632
Joined: Thu Mar 31, 2022 10:34 am

Re: nftables - I'm a bit late to the party. Lots of questions.

Post by Coggy »

Interesting. I'm on mint 21.1, and I only use nftables.
I gather that iptables and nftables can both be active at the same time, but I don't know which takes priority if they disagree.
To see the current iptables rules, use sudo iptables-save which just lists them in iptables command format, suitable for saving to a file and loading again later. It would be interesting to see what your iptables rules are.

It looks to me as though gufw has created suitable nftables rules, dropping INPUT and FORWARD connections but allowing OUTPUT connections, in a typically gufw-complicated way. I guess it's writing nft rules and not iptables rules these days. I would be interested to know for sure.

I believe the nft rules get stored in /etc/nftables.conf, but gufw (which I don't use) may have its own mechanisms.
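The two questions left open above (is Gufw's "firewall functioning okay" coming from the iptables rules or the nftables ones, and which wins when the two tables disagree) can both be answered from text you already have. The following is an added example for this thread, not code from ufw, Gufw or the nftables project: it classifies the backend from `iptables -V` and works out the combined default verdict per hook from `sudo nft list ruleset`. The embedded ruleset is a trimmed copy of the listing in the first post; the two version strings in main() are constructed.

```python
"""Added example for this thread, not code from ufw, Gufw or nftables: read
`iptables -V` to see which backend ufw's iptables calls land in, and read
`sudo nft list ruleset` to see what two tables on one hook add up to.
SAMPLE_RULESET is a trimmed copy of the listing in the first post; the
version strings in main() are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Symbolic priorities nft accepts for ip/ip6/inet (nft man page); lower runs first.
PRIORITY_NAMES = {"raw": -300, "mangle": -150, "dstnat": -100,
                  "filter": 0, "security": 50, "srcnat": 100}
_TABLE = re.compile(r"^table\s+(\w+)\s+(\S+)\s*\{")
_CHAIN = re.compile(r"^\s*chain\s+(\S+)\s*\{")
_BASE = re.compile(r"^\s*type\s+\w+\s+hook\s+(\w+)\s+priority\s+(-?\w+)\s*;"
                   r"\s*policy\s+(\w+)\s*;")

@dataclass(frozen=True)
class BaseChain:
    family: str    # ip = IPv4 only, ip6 = IPv6 only, inet = both
    table: str
    chain: str
    hook: str      # input, forward, output, prerouting, postrouting
    priority: int
    policy: str    # verdict when no rule in this chain decides

def iptables_backend(version_line: str) -> str:
    """'nf_tables' or 'legacy' from `iptables -V`; 'unknown' if it names neither."""
    m = re.search(r"\((nf_tables|legacy)\)", version_line)
    return m.group(1) if m else "unknown"

def base_chains(ruleset: str) -> list[BaseChain]:
    """Chains bound to a hook, in listing order.  Regular chains such as
    ufw-before-input are only reached by jump and carry no policy."""
    found, family, table, chain = [], None, None, None
    for line in ruleset.splitlines():
        if m := _TABLE.match(line):
            family, table = m.group(1), m.group(2)
        elif m := _CHAIN.match(line):
            chain = m.group(1)
        elif (m := _BASE.match(line)) and chain:
            hook, prio, policy = m.groups()
            prio_num = PRIORITY_NAMES[prio] if prio in PRIORITY_NAMES else int(prio)
            found.append(BaseChain(family, table, chain, hook, prio_num, policy))
    return found

def effective_policies(chains: list[BaseChain]) -> dict[tuple[str, str], str]:
    """Default verdict per (L3 family, hook) when no rule anywhere decides.
    A packet traverses every base chain on its hook, lowest priority first;
    'accept' only ends the current chain, 'drop' ends processing.  So the
    combined default is drop if any base chain on that hook has policy drop."""
    result = {}
    for l3, families in (("ipv4", {"ip", "inet"}), ("ipv6", {"ip6", "inet"})):
        mine = [c for c in chains if c.family in families]
        for hook in {c.hook for c in mine}:
            drops = any(c.policy == "drop" for c in mine if c.hook == hook)
            result[(l3, hook)] = "drop" if drops else "accept"
    return result

SAMPLE_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        counter packets 1 bytes 91 jump ufw-before-input
    }
    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }
    chain ufw-before-input {
    }
}
"""

def main() -> None:
    for v in ("iptables v1.8.4 (nf_tables)", "iptables v1.8.4 (legacy)"):
        print(f"{v:32} -> backend: {iptables_backend(v)}")
    chains = base_chains(SAMPLE_RULESET)
    for c in sorted(chains, key=lambda c: (c.hook, c.priority)):
        print(f"hook {c.hook:7} prio {c.priority:4} {c.family}/{c.table}/{c.chain}: policy {c.policy}")
    for (l3, hook), verdict in sorted(effective_policies(chains).items()):
        print(f"default for {l3} {hook:7}: {verdict}")

if __name__ == "__main__":
    main()
```

Feed the real output of `iptables -V` and `sudo nft list ruleset` to these functions. Rules written through iptables-nft appear in `nft list ruleset` as a `table ip filter` with upper-case INPUT/FORWARD/OUTPUT chains, which is exactly what the listing above shows, while rules written through iptables-legacy never appear there; so once `iptables -V` reports nf_tables, ufw and nft are writing into the same kernel subsystem and `nft list ruleset` is the whole picture. The `iptables-restore-translate` plus `nft -f` step in the first post creates the same `table ip filter`, so the listing alone does not say which of the two put it there. Two further points the listing makes: both tables sit on the input hook at the same priority, and a packet that the empty `inet filter` chain accepts still has to get through `ip filter` INPUT, so the ufw drop policy wins; and there is no `table ip6 filter`, so if the listing is complete, IPv6 traffic only meets the inet chains, whose policy is accept. That last one is worth checking with `ip6tables -S INPUT` and the IPV6 setting in /etc/default/ufw.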
Armstrong
Level 4
Posts: 243
Joined: Tue Sep 11, 2012 12:57 pm

Re: nftables - I'm a bit late to the party. Lots of questions.

Post by Armstrong »

Thank you for the response, Coggy. Here are the results from my iptables rules. I'm not at all sure what any of it means. That said, in the sequence of things, it is my third, and final, firewall.

Code:

# Generated by iptables-save v1.8.4 on Tue Mar 28 19:12:21 2023
*security
:INPUT ACCEPT [2095403:3274921225]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [962056:698909263]
COMMIT
# Completed on Tue Mar 28 19:12:21 2023
# Generated by iptables-save v1.8.4 on Tue Mar 28 19:12:21 2023
*raw
:PREROUTING ACCEPT [2113696:3282010757]
:OUTPUT ACCEPT [969384:699523595]
COMMIT
# Completed on Tue Mar 28 19:12:21 2023
# Generated by iptables-save v1.8.4 on Tue Mar 28 19:12:21 2023
*mangle
:PREROUTING ACCEPT [2113696:3282010757]
:INPUT ACCEPT [2098936:3275348637]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [969384:699523595]
:POSTROUTING ACCEPT [962059:698914981]
COMMIT
# Completed on Tue Mar 28 19:12:21 2023
# Generated by iptables-save v1.8.4 on Tue Mar 28 19:12:21 2023
*nat
:PREROUTING ACCEPT [18221:7077414]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [37166:3580955]
:POSTROUTING ACCEPT [29839:2966675]
COMMIT
# Completed on Tue Mar 28 19:12:21 2023
# Generated by iptables-save v1.8.4 on Tue Mar 28 19:12:21 2023
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2:194]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -i wlp4s0 -m connmark --mark 0xe1f1 -m comment --comment nordvpn -j ACCEPT
-A INPUT -i enp3s0 -m connmark --mark 0xe1f1 -m comment --comment nordvpn -j ACCEPT
-A INPUT -i wlp4s0 -m comment --comment nordvpn -j DROP
-A INPUT -i enp3s0 -m comment --comment nordvpn -j DROP
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -o wlp4s0 -m mark --mark 0xe1f1 -m comment --comment nordvpn -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT -o wlp4s0 -m connmark --mark 0xe1f1 -m comment --comment nordvpn -j ACCEPT
-A OUTPUT -o enp3s0 -m mark --mark 0xe1f1 -m comment --comment nordvpn -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT -o enp3s0 -m connmark --mark 0xe1f1 -m comment --comment nordvpn -j ACCEPT
-A OUTPUT -o wlp4s0 -m comment --comment nordvpn -j DROP
-A OUTPUT -o enp3s0 -m comment --comment nordvpn -j DROP
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Tue Mar 28 19:12:21 2023
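What the dump above means in practice, as an added example that is neither ufw's nor NordVPN's code: iptables walks a chain top-down and the first terminal target (ACCEPT, DROP or REJECT) ends it, so the four `nordvpn` rules at the head of INPUT decide every packet arriving on wlp4s0 and enp3s0 before any `ufw-*` chain is consulted. Only connections carrying connmark 0xe1f1 get through; everything else on those two interfaces is dropped, and the same pattern guards OUTPUT (the usual VPN kill-switch arrangement). The parser below reads that off an `iptables-save` dump. The embedded sample is the head of the INPUT and OUTPUT chains copied from the post, trimmed to a few lines plus one ufw rule; comment parsing assumes unquoted single-word comments, which is all the dump contains.

```python
"""Added example for this thread (not ufw's or NordVPN's code): which rules in
an iptables-save dump decide a packet before ufw's chains get a look.
iptables walks a chain top-down and the first terminal target (ACCEPT, DROP,
REJECT) ends it, so anything ahead of the `-j ufw-*` jumps in INPUT or OUTPUT
is evaluated before ufw's own rules.  SAMPLE_DUMP is the head of the INPUT and
OUTPUT chains copied from the dump above, trimmed."""
from __future__ import annotations
import re

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
_RULE = re.compile(r"^-A\s+(\S+)\s+(.*)$")
_JUMP = re.compile(r"-j\s+(\S+)")
_IFACE = re.compile(r"-[io]\s+(\S+)")
_COMMENT = re.compile(r"-m comment --comment \S+\s*")  # unquoted comments only (assumption)

def parse_filter_table(dump: str) -> tuple[dict[str, list[str]], dict[str, str]]:
    """({chain: [rule body, ...]}, {built-in chain: policy}) for the *filter table."""
    chains: dict[str, list[str]] = {}
    policies: dict[str, str] = {}
    in_filter = False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line.strip() == "*filter"
        elif line.startswith("COMMIT"):
            in_filter = False
        elif in_filter and line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            if policy != "-":            # user-defined chains have no policy
                policies[name] = policy
        elif in_filter and (m := _RULE.match(line)):
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains, policies

def rules_ahead_of_ufw(chains: dict[str, list[str]], chain: str) -> list[str]:
    """Rules of `chain` evaluated before the first jump into a ufw-* chain."""
    ahead = []
    for rule in chains.get(chain, []):
        target = _JUMP.search(rule)
        if target and target.group(1).startswith("ufw-"):
            break
        ahead.append(rule)
    return ahead

def interface_fate(rules: list[str]) -> dict[str, str]:
    """Terminal verdict per interface for a packet that matches nothing but the
    interface itself (no connmark, no port): the first such rule wins."""
    fate: dict[str, str] = {}
    for rule in rules:
        iface, target = _IFACE.search(rule), _JUMP.search(rule)
        if not (iface and target and target.group(1) in TERMINAL):
            continue
        tokens = set(_COMMENT.sub("", rule).split())
        if tokens <= {"-i", "-o", iface.group(1), "-j", target.group(1)}:
            fate.setdefault(iface.group(1), target.group(1))
    return fate

SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2:194]
:ufw-before-input - [0:0]
-A INPUT -i wlp4s0 -m connmark --mark 0xe1f1 -m comment --comment nordvpn -j ACCEPT
-A INPUT -i enp3s0 -m connmark --mark 0xe1f1 -m comment --comment nordvpn -j ACCEPT
-A INPUT -i wlp4s0 -m comment --comment nordvpn -j DROP
-A INPUT -i enp3s0 -m comment --comment nordvpn -j DROP
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A OUTPUT -o wlp4s0 -m mark --mark 0xe1f1 -m comment --comment nordvpn -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT -o wlp4s0 -m connmark --mark 0xe1f1 -m comment --comment nordvpn -j ACCEPT
-A OUTPUT -o wlp4s0 -m comment --comment nordvpn -j DROP
-A OUTPUT -j ufw-before-logging-output
-A ufw-before-input -i lo -j ACCEPT
COMMIT
"""

def main() -> None:
    chains, policies = parse_filter_table(SAMPLE_DUMP)
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        ahead = rules_ahead_of_ufw(chains, chain)
        print(f"{chain} (policy {policies[chain]}): {len(ahead)} rule(s) before ufw")
        for iface, verdict in interface_fate(ahead).items():
            print(f"  unmarked traffic on {iface}: {verdict} before ufw is consulted")

if __name__ == "__main__":
    main()
```

Run it against `sudo iptables-save` output instead of the sample to see the real ordering. One thing this makes visible: the `nft list ruleset` listing in the first post contains no nordvpn rules at all, while this dump does. The thread does not say whether they were added between the two captures, but comparing both views in this way, rather than trusting the Gufw status light, is the check the original question is really asking for.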