Gentoo Forums
from iptables to nftables: I need serious guidance.
Gentoo Forums Forum Index Networking & Security
alexcortes
Apprentice


Joined: 18 Dec 2011
Posts: 205
Location: Rio de Janeiro, Brazil

PostPosted: Mon Mar 24, 2014 11:35 pm    Post subject: from iptables to nftables: I need serious guidance.

Hello,


I'm on kernel 3.12.14, but when 3.14 is out I'll switch, and I want to already have a working nftables script. I'm looking at / trying to convert my current iptables script to nftables, but I'm not firewall savvy in any way.

I'm reading several of the nftables documents I found, and it's still crazy for me and seems to be missing information.

My current iptables script:

Code:
iptables -F
iptables -X
iptables -Z

iptables -N TCP
iptables -N UDP

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable #icmp-port-unreach
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset #tcp-rst
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable #icmp-proto-unreach

iptables -A OUTPUT -p icmp -m conntrack --ctstate INVALID -j DROP

iptables -A TCP -s 10.0.0.0/16 -p tcp --dport 22 -j ACCEPT


This is the nftables tentative (where I stopped, and I have no idea if it makes sense) :x:
Code:
nft add chain TCP
nft add chain UDP

nft add rule filter input drop
nft add rule filter input accept
nft add rule forward input drop

nft add rule filter output oif lo accept
nft add rule filter input conntrack ct state invalid counter drop
nft add rule filter input conntrack ct state established,related counter accept
nft add rule filter input type 8 conntrack ct state new counter accept
nft add rule filter input udp conntrack ct state new counter UDP
nft add rule filter input TCP tcp flags FIN,SYN,RST,ACK SYN conntrack ct state new TCP

nft add rule filter input udp ct state new reject type icmp-port-unreachable
nft add rule filter input tcp ct state new reject type tcp-reset
nft add rule filter input ct state new reject type icmp-proto-unreachable


Thanks!!!
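For reference, here is a complete nftables ruleset file that does the same thing as the iptables script in the first post, rule for rule. This is an added example, not something posted by anyone in this thread, and it is written in current nft syntax (a `table ip filter` whose base chains are declared by hook), so it assumes an nft release newer than the 0.099-era tool; the comments map each line back to the iptables rule it replaces.

```nft
# Added example (not from the thread): nftables equivalent of the iptables
# script above. Assumes a current nft release. Load with:  nft -f FILE
# (run  nft -c -f FILE  first to check the syntax without applying it).

# iptables -F / -X / -Z: start from an empty ruleset
flush ruleset

# IPv4-only table, like the iptables script (ip6tables was not covered there)
table ip filter {

    # iptables -N TCP  (regular chain, no hook; reached only via jump)
    chain TCP {
        # iptables -A TCP -s 10.0.0.0/16 -p tcp --dport 22 -j ACCEPT
        ip saddr 10.0.0.0/16 tcp dport 22 accept
    }

    # iptables -N UDP  (empty in the original script, so a packet jumping
    # here returns to the input chain and continues with the next rule)
    chain UDP {
    }

    # iptables -P INPUT DROP
    chain input {
        type filter hook input priority 0; policy drop;

        # iptables -A INPUT -i lo -j ACCEPT
        iif lo accept

        # -m conntrack --ctstate INVALID -j DROP
        ct state invalid counter drop

        # -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        ct state established,related counter accept

        # -p icmp --icmp-type 8 --ctstate NEW -j ACCEPT  (type 8 = echo request)
        icmp type echo-request ct state new counter accept

        # -p udp --ctstate NEW -j UDP
        ip protocol udp ct state new jump UDP

        # -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --ctstate NEW -j TCP
        tcp flags & (fin|syn|rst|ack) == syn ct state new jump TCP

        # -p udp -j REJECT --reject-with icmp-port-unreachable
        ip protocol udp reject with icmp type port-unreachable

        # -p tcp -j REJECT --reject-with tcp-reset
        ip protocol tcp reject with tcp reset

        # -j REJECT --reject-with icmp-proto-unreachable
        reject with icmp type prot-unreachable
    }

    # iptables -P FORWARD DROP  (no rules in the original script)
    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    # iptables -P OUTPUT ACCEPT
    chain output {
        type filter hook output priority 0; policy accept;

        # -A OUTPUT -p icmp --ctstate INVALID -j DROP
        ip protocol icmp ct state invalid counter drop
    }
}
```

Two points worth noting when comparing with the draft in the post: `nft add rule filter input drop` would append a rule that drops everything, which is not the same as setting the chain policy, so the policy belongs in the base chain declaration (`policy drop;`); and the user chains TCP/UDP are reached with `jump`, since a chain name on its own is not a valid verdict in nft.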
SirRobin2318
Apprentice


Joined: 24 Apr 2004
Posts: 241
Location: Strasbourg, france.

PostPosted: Tue Mar 25, 2014 7:53 am

First off, iptables won't be dropped in the foreseeable future, so don't feel rushed. That being said, nftables is fun :)

An nftables rules file is a lot easier to read and maintain than a bash script with all the commands needed to achieve the state of the firewall. Have a look at this: https://wiki.archlinux.org/index.php/Nftables
Have a go at converting your script to that syntax; there's all you need on that wiki for basic tcp/udp, ct, and tcp flags. If something isn't covered by it, we'll have a look at http://lwn.net/Articles/324251/ and get it working.

Then post what you come up with, and we'll have a look. I can even test your rules, but if you want to do so yourself you just need a 3.13 kernel.
Code:
=sys-kernel/gentoo-sources-3.13.5 ~amd64
=net-libs/libnftnl-1.0.0-r2 ~amd64
=net-firewall/nftables-0.099 ~amd64
=app-arch/lz4-0_p106-r1 ~amd64

and then:
Code:
emerge -a nftables

And you're good to go :)
alexcortes
Apprentice


Joined: 18 Dec 2011
Posts: 205
Location: Rio de Janeiro, Brazil

PostPosted: Wed Mar 26, 2014 6:16 am

@SirRobin2318

Thank you for your input. I will leave it for a while until 3.14 is out; I don't want to compile 3.13.X now and then 3.14 next week. :)
666threesixes666
Veteran


Joined: 31 May 2011
Posts: 1248
Location: 42.68n 85.41w

PostPosted: Wed Mar 26, 2014 6:25 am

Please document as you go; https://wiki.gentoo.org/wiki/Nftables is pretty barren. Even if you slaughter the formatting, I'll come by and fix it eventually.
SirRobin2318
Apprentice


Joined: 24 Apr 2004
Posts: 241
Location: Strasbourg, france.

PostPosted: Wed Mar 26, 2014 2:50 pm

@666
you can take this: https://wiki.archlinux.org/index.php/Nftables#Limit_rate_and_tcp_flags_IP.2FIPv6_Firewall
I'm the one that contributed it.