Gentoo Forums - Networking & Security
Using nftables (instead of iptables)
Zucca
Veteran

Joined: 14 Jun 2007
Posts: 1559
Location: KUUSANKOSKI, Finland

PostPosted: Tue Dec 20, 2016 4:52 pm    Post subject: Using nftables (instead of iptables)

NOTE: the topic title was Looking for a "non-bloated" firewall software, but as the focus is more towards nftables I decided to change the title.

I'm looking for some kind of nice iptables frontend to easily set up fw-rules. "Looking for" as in seeing if there's any that fit, or do I just resort back to using "raw" iptables.
The software should not have any graphical UI as a requirement; as an alternative remote UI it's fine. I'd avoid any webUIs. I have a bad feeling about webUIs. I prefer ssh'ing in and do-what-I-wanna-do-and-big-bada-boom-getouttathere. ncurses would fit in perfectly. And Vuurmuur seems like a good candidate, but I cannot find it in Gentoo portage (haven't searched any overlays yet). So does anybody have experience using it?
Does anyone have any other suggestions?

I'm looking for this for my home "all-in-one" server. I'd prefer packages from amd64, meaning stable packages as much as possible.

I might later set up another piece of hardware as a firewall between the internet and my LAN. But at this point it's only that one PC.

Thanks in advance.
_________________
..: Zucca :..

Code:
ERROR: '--failure' is not an option. Aborting...


Last edited by Zucca on Fri Jan 06, 2017 12:21 pm; edited 3 times in total
dr_wulsen
n00b

Joined: 21 Aug 2013
Posts: 72
Location: Beautiful Austria, Lake area in Upper Austria

PostPosted: Tue Dec 20, 2016 8:08 pm

Hi Zucca,

I don't run it myself, but a friend of mine who is admin at a mid-sized company (approx. 400 people) recently suggested firehol to me, as it would make firewalling with iptables simpler.
Personally, I'm running iptables on my router with OpenWrt and the LuCI interface (can recommend it if you later put in some other piece of hardware for firewalling), so I didn't try firehol.

But at least there's an ebuild in the official Gentoo tree: net-firewall/firehol

Dunno if it's what you're seeking. It has no GUI, it does not even have ncurses, but it should (according to my admin friend) be easy to get started with, which most likely means it's less complex than raw iptables but will have its own syntax...
_________________
There's no stupid questions, only stupid answers.
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 43753
Location: 56N 3W

PostPosted: Tue Dec 20, 2016 9:18 pm

Zucca,

Shorewall is a lot less to learn than raw iptables. There is still a lot of it.
There is also shorewall6 for IPv6.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Zucca
Veteran

Joined: 14 Jun 2007
Posts: 1559
Location: KUUSANKOSKI, Finland

PostPosted: Tue Dec 20, 2016 9:21 pm

Thanks, dr_wulsen!
Firehol really has the concept of "deny all by default" taught well. It sure looks simpler than raw iptables, but rather than learning a new (although simple) language, I'd probably learn nftables. I'll look more closely into firehol if I don't find any with some text UI.

EDIT: Thanks to you Neddy, too!
I've heard of shorewall before... At some point I thought of using it, but I don't remember why I abandoned it. I'll look into that as well.
_________________
..: Zucca :..

Code:
ERROR: '--failure' is not an option. Aborting...
brendlefly62
Tux's lil' helper

Joined: 19 Dec 2009
Posts: 93

PostPosted: Wed Dec 21, 2016 4:11 am

I have found shorewall in combination with ipset to be relatively easy and efficient.
I found this helpful: https://forums.gentoo.org/viewtopic-t-863121.html

cheers
Goverp
l33t

Joined: 07 Mar 2007
Posts: 704

PostPosted: Wed Dec 21, 2016 10:14 am

Also net-firewall/ufw.
_________________
Greybeard
NTU
Apprentice

Joined: 17 Jul 2015
Posts: 164

PostPosted: Wed Dec 28, 2016 8:58 am

An ipfire-like interface would be awesome: a nice little web portal to log in and view usage graphs and such. I dug into the source for ipfire trying to figure out how to go about building it for a different distro; the structure for everything is a complete mess and I just gave up. It would probably be easier to just pipe traffic and fw logs and such into an SQL database and view it that way than trying to tear apart ipfire. I haven't spent too much time on the whole thing.
C5ace
Apprentice

Joined: 23 Dec 2013
Posts: 290
Location: Brisbane, Australia

PostPosted: Wed Dec 28, 2016 11:55 am

I use a stripped-down Bastille Firewall as part of ISPConfig on a Debian server. It's just 3 *.sh files and a configuration file. Very easy to open and close ports by adding and deleting the port numbers in the config file.

-rw-rw-r-- 1 root root 3265 Aug 15 2014 bastille-firewall
-rw-rw-r-- 1 root root 21995 Aug 15 2014 bastille-ipchains
-rw-rw-r-- 1 root root 22578 Aug 15 2014 bastille-netfilter
-rw-rw-r-- 1 root root 17987 Aug 15 2014 bastille_licence.txt
-rw-r--r-- 1 root root 14349 Nov 21 14:15 bastille-firewall.cfg

See app-admin/bastille in portage for the full version.
Zucca
Veteran

Joined: 14 Jun 2007
Posts: 1559
Location: KUUSANKOSKI, Finland

PostPosted: Wed Dec 28, 2016 12:00 pm

I've now been playing with vuurmuur.
It even has some monitoring features. The wiki isn't very complete. And I have serious trouble searching trac. I've never actually liked the trac webUI. The searches include results from the trac manual, which is more than annoying.

Anyways. The rules are simple to adjust and the order of rules can be adjusted with + or - easily.
If I don't get vuurmuur to work the way I like, I might go with raw iptables or nftables even.
_________________
..: Zucca :..

Code:
ERROR: '--failure' is not an option. Aborting...


Last edited by Zucca on Fri Apr 21, 2017 9:34 am; edited 1 time in total
Ant P.
Watchman

Joined: 18 Apr 2009
Posts: 5913

PostPosted: Thu Dec 29, 2016 11:18 pm

I'm already using raw nftables. It's much easier to understand than iptables, probably easier than the config files for some of these wrapper programs even.
Zucca
Veteran

Joined: 14 Jun 2007
Posts: 1559
Location: KUUSANKOSKI, Finland

PostPosted: Sun Jan 01, 2017 11:49 am

Ant P. wrote:
I'm already using raw nftables. It's much easier to understand than iptables, probably easier than the config files for some of these wrapper programs even.
That's good to know. I'll get myself more acquainted with nftables. I think I had compiled all nftables stuff in kernel already.
_________________
..: Zucca :..

Code:
ERROR: '--failure' is not an option. Aborting...
Zucca
Veteran

Joined: 14 Jun 2007
Posts: 1559
Location: KUUSANKOSKI, Finland

PostPosted: Wed Jan 04, 2017 1:47 pm

I have had a struggle with vuurmuur and I'm unable to create NAT/MASQ using it. :\ Sad, since I would really have liked a good firewall software with ncurses ui.

My next step is to learn nftables. So far it seems logical, at least compared to iptables. And it even has its own simple scripting language.

I think I want to compile all nftables stuff into the kernel and maybe remove all/some iptables stuff from it. Some features of iptables collide with nftables.
_________________
..: Zucca :..

Code:
ERROR: '--failure' is not an option. Aborting...
depontius
Advocate

Joined: 05 May 2004
Posts: 3399

PostPosted: Wed Jan 04, 2017 3:06 pm

Ant P. wrote:
I'm already using raw nftables. It's much easier to understand than iptables, probably easier than the config files for some of these wrapper programs even.

I'm looking to learn nftables. Are you aware of a basic firewall example? That was really the most effective way for me to learn iptables. I found a basic firewall that allowed outgoing connections, allowed incoming packets that were part of the outgoing connections, and allowed in filtered ssh connections. Starting from those few basics you can add what you need. I'd like the same for nftables, if anyone is aware of it.
_________________
.sigs waste space and bandwidth
Zucca
Veteran

Joined: 14 Jun 2007
Posts: 1559
Location: KUUSANKOSKI, Finland

PostPosted: Wed Jan 04, 2017 6:39 pm

Gentoo Wiki has some examples. I'm also browsing through the official(?) wiki, particularly the scripting article.

I noticed that if you want to make portable nftables scripts then you'd need to change the shebang to:
Code:
#!/usr/bin/env nft

_________________
..: Zucca :..

Code:
ERROR: '--failure' is not an option. Aborting...
Zucca
Veteran

Joined: 14 Jun 2007
Posts: 1559
Location: KUUSANKOSKI, Finland

PostPosted: Fri Jan 06, 2017 12:28 pm

Zucca wrote:
I noticed that if you want to make portable nftables scripts then you'd need to change the shebang to:
Code:
#!/usr/bin/env nft
... And I just realised that nft needs a -f switch to read scripts. And when using env, the shell tries to run a program named exactly 'nft -f'.
So I guess it's best to use #!/sbin/nft as a shebang, or create a symlink in /usr/bin and use #!/usr/bin/nft.
_________________
..: Zucca :..

Code:
ERROR: '--failure' is not an option. Aborting...
khayyam
Watchman

Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Fri Jan 06, 2017 5:26 pm

Zucca wrote:
... And I just realised that nft needs a -f switch to read scripts. And when using env, the shell tries to run a program named exactly 'nft -f'. So I guess it's best to use #!/sbin/nft as a shebang, or create a symlink in /usr/bin and use #!/usr/bin/nft.

Zucca ... see: shebang portability and "the interpretation of the command arguments".

I don't see why you need to make such a script portable; nftables is Linux-only (so that rules out some percentage of possible hosts), and /sbin will most likely be where you find it. Should it be under /usr/local then the user need only edit the script. So, unless you're planning mass deployment, I wouldn't worry about hardcoding the path.

best ... khay
Ant P.
Watchman

Joined: 18 Apr 2009
Posts: 5913

PostPosted: Sun Jan 08, 2017 12:44 am

depontius wrote:
Ant P. wrote:
I'm already using raw nftables. It's much easier to understand than iptables, probably easier than the config files for some of these wrapper programs even.

I'm looking to learn nftables. Are you aware of a basic firewall example? That was really the most effective way for me to learn iptables. I found a basic firewall that allowed outgoing connections, allowed incoming packets that were part of the outgoing connections, and allowed in filtered ssh connections. Starting from those few basics you can add what you need. I'd like the same for nftables, if anyone is aware of it.

I posted my config a while back in this thread. It's mostly hacked together with trial and error since the upstream wiki is a bit obtuse, but it works. Hopefully it's of some use to others.
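The thread asks for two things that a single script can show together: depontius wanted a minimal nftables firewall of the kind he used to learn iptables (outgoing allowed, replies to those connections allowed in, ssh let in but filtered), and Zucca and khayyam went back and forth over the shebang. The ruleset below is an added example written for this page; it is not Ant P.'s config, nor anything from the Gentoo or nftables wikis. It assumes nft lives at /sbin/nft, as Zucca settled on, and uses a constructed LAN prefix (192.168.1.0/24) for the ssh rule; adjust both for the host. Because the kernel hands everything after the interpreter path to it as one argument, "#!/sbin/nft -f" works with a fixed path, which is exactly why the env form failed in Zucca's test.

```nft
#!/sbin/nft -f
# Added example, not from the thread. Minimal stateful host firewall in
# nftables syntax: run it with "nft -f <file>" or directly via the shebang.

# Start from a clean slate so re-running the script is idempotent.
flush ruleset

# One "inet" table covers both IPv4 and IPv6, so there is no separate
# ruleset to keep in sync (the ip6tables/shorewall6 problem).
table inet filter {
    chain input {
        # Default-deny: anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        # Loopback traffic is always fine.
        iif "lo" accept

        # Packets belonging to connections this host opened ("incoming packets
        # that were part of the outgoing connections"); anything conntrack
        # cannot place is dropped before it reaches any later rule.
        ct state established,related accept
        ct state invalid drop

        # ICMP and ICMPv6 are needed for path MTU discovery and IPv6
        # neighbour discovery, so a host firewall normally lets them through.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # "Filtered ssh": only from the (constructed) LAN prefix, and only a
        # limited number of new connections per minute, which takes the edge
        # off password-guessing without locking out an admin.
        tcp dport 22 ip saddr 192.168.1.0/24 ct state new limit rate 6/minute accept

        # Everything else is logged (rate-limited so a scan cannot fill the
        # log) and then dropped by the chain policy.
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        # Not a router: forward nothing (NAT/masquerade would go in a
        # separate nat table when that is needed).
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outgoing connections from this host are allowed.
        type filter hook output priority 0; policy accept;
    }
}
```

Before loading it on a remote box, check the syntax without touching the live ruleset with "nft -c -f <file>", and keep a second ssh session open while applying; "nft list ruleset" shows what actually got installed. The "ct state invalid drop" line sits after the established/related accept on purpose: it is the rule that stops stray or spoofed segments from being matched by later, more permissive rules.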