NFTtables

Linux has very advanced and powerful low-level networking management capabilities. Historically, it was iptables, but it has evolved to NFTables.

The difference is not only in the name, but it's deeply rooted in the substance of the Linux kernel.

NFTables is the new, and more powerfull than before, approach to manage the network packets in Linux. In a way, it's simpler, but also more complex than before. If you where used to iptables, NFTables will have similarities, but also quite a lot of differences.

Today there is no reason to stick to iptables anymore.

I am not an expert of these things, i am just a layman trying to write down what i have understood in the best way i can. So please bear with me on the following concepts.

NFTables allows you to insert powerful rules at kernel level to manage how network packets are routed, modified and delivered troughout your Linux machine.

Your computer has at least one, or more, network interfaces. Each network interface can have one or more IP addresses, and belong to one or more subnets.

A network packet enters your computer trough one network interface and it's identified by four basic pieces of information:

• Source address
• Source port
• Destination address
• Destination port

According to those, the packet gets routed inside your computer to it's destination which could be a service running on the computer itself, or it could be sent out to a different network interface toward another ocmputer.

With NFTables you can create tables (guess why it's called that way!) that contains chains, and these chains contain rules that affect how that packet is transformed.

You could write rules to drop unwanted packets or you can replace any of those four pieces of information associated to the packet for your specific needs.

When you change a packet, you are doing some kind of NAT (Network Address Translation) operation to the packet itself.

There are different kinds of NAT:

• SNAT / Source NAT: where the source of the packed is changed
• DNAT / Destination NAT: where the destination of the packet is changed
• Masquerading: a kind of DNAT for dynamic packets, used when you don't know the original packet information that has been replaced.

SNAT is typically done to send out packets from your LAN, where your gateway replaces the source address of the packet with it's own address, so that any replies from upstream can reach the gateway. The gateway will then keep track of the original, internal, address of your computer so that the reply can be routed back to you.

Masquerading, in this case, is often preferred to SNAT when the gateway external IP is dinamic.

DNAT is also called port forwarding, and it's used when you want to force a packet go trough a different route than it was meant to. This can be useful, for example, to redirect public traffic toward your private tunnel back to your home. It's kind of the opposite of SNAT, often not needed by simple home users, it become necessary for self-hosters who want the external world to reach their self-hosted services.

Remember: always enclose nft commands with ' to avoid them being mis-parsed by the shell.

You can create as many tables as you need, each one with it's own name. NFTables have no limitation on this, and the table names have no meaning except keep rules well sorted and human-readable.

A quick cheatsheet:

nft -a 'list tables' # list all tables
nft 'add table ip myTable' # create a new table
nft -a 'list table myTable' # list chains and rules in myTable
nft 'delete table myTable' # delete a table

Remember: always enclose nft commands with ' to avoid them being mis-parsed by the shell.

There are no predefined chains. You can create two types of chains: base chains which are hooked into the kernel hook points, or normal chains which are used only if you add rules fro mbase chains to jump to those normal chains.

To create a base chain to the table:

nft 'add chain ip myTable myChain { type nat hook prerouting priority -100 \; }'

there are three types of base chains:

• filter: which is used to filter packets. This is supported by the arp, bridge, ip, ip6 and inet table families.
• route: which is used to reroute packets if any relevant IP header field or the packet mark is modified. If you are familiar with iptables, this chain type provides equivalent semantics to the mangle table but only for the output hook (for other hooks use type filter instead). This is supported by the ip, ip6 and inet table families.
• nat: which is used to perform Networking Address Translation (NAT). Only the first packet of a given flow hits this chain; subsequent packets bypass it. Therefore, never use this chain for filtering. The nat chain type is supported by the ip, ip6 and inet table families.

And there are the following possible hooks:

• ingress: sees packets immediately after they are passed up from the NIC driver, before even prerouting. So you have an alternative to tc.
• prerouting: sees all incoming packets, before any routing decision has been made. Packets may be addressed to the local or remote systems.
• input: sees incoming packets that are addressed to and have now been routed to the local system and processes running there.
• forward: sees incoming packets that are not addressed to the local system.
• output: sees packets that originated from processes in the local machine.
• postrouting: sees all packets after routing, just before they leave the local system

Priority will decide which chains in the same type will be traversed first.

To delete chains:

nft 'delete chain ip myTable myChain'

Rules take action on network packets (e.g. accepting or dropping them) based on whether they match specified criteria. Each rule consists of zero or more expressions followed by one or more statements. Each expression tests whether a packet matches.

By default, new added rules are always appended to the chain. You can insert rules to the start of the chain instead.

To list rules:

nft -a 'list table myTable' # by table
nft -a 'list chain myTable mychain' # by chain in table

As a general rule, adding -a to the list command will also print the rules handle number, which can be used later to edit or delete (or insert before) rules.

The rules support the following operations:

• eq which stands for equal. Alternatively you can use ==.
• ne which stands for not equal. Alternatively you can use !=.
• lt which stands for less than. Alternatively you can use <.
• gt which stands for greater than. Alternatively you can use >.
• le which stands for less than or equal to. Alternatively you can use ⇐.
• ge which stands for greater than or equal to. Alternatively you can use >=.

Any rule is composed of an (optional) matching expression and one or more actions.

You can match metainformation, see here or you can match packet headers, or you can match routing information or even contrack metainfo.

Check the official pages for more details, as it would be too much to synthetize here. In general the most common matching is agains routing information (es: source/destination address or port).

Acting is even more powerful and complex… Check here for a full list of all the actions that you can take on a match.

The most useful actions are probably the NAT related actions.

This link contains lots of information on spoecific syntax for NFTables.

Pretty easy on Gentoo, just emerge it:

emerge -v net-firewall/nftables

You could want to enable, globally, the nft USE flag and disable the -iptables USE flag as well, then perform a –newuse emerge:

echo "*/* -iptables nft" >> /etc/portage/package.use/nftables
emerge --newuse @world