Firewall configuration is a fundamental aspect of securing Linux systems by filtering network traffic and controlling access. Linux traditionally used iptables as the primary firewall tool, which organizes rules to filter packets based on various criteria. More recently, nftables has emerged as a modern, flexible replacement that simplifies rule management and boosts performance.
Basics of iptables
iptables organizes firewall logic into tables and chains that process packets at defined stages. The list below introduces these components along with practical command examples and best practices.
Structure of iptables
1. Tables: iptables organizes rules into tables, each for a specific type of processing:
filter (default): handles packet filtering (accept/drop)
nat: for network address translation (port forwarding, masquerading)
mangle: modifies packet headers for QoS and routing
raw: handles packets exempt from connection tracking
2. Chains: Within tables, chains represent sequences of rules applied to network packets at certain hooks:
INPUT (incoming packets)
OUTPUT (outgoing packets)
FORWARD (packets routed through the system)
3. Rules: Chains contain rules specifying criteria (protocol, ports, IP addresses) and actions (ACCEPT, DROP, REJECT, LOG).
Basic iptables Command Examples
List rules: iptables -L -v -n
Accept SSH on port 22: iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Drop traffic from a specific IP: iptables -A INPUT -s 192.168.1.100 -j DROP
Important Considerations: When configuring firewall rules, the order of rules is critical because the first matching rule is applied and subsequent rules are ignored. Additionally, separate rule sets must be defined for IPv4 and IPv6 traffic, as they are managed independently using iptables and ip6tables respectively.
Introduction to nftables
nftables provides a unified firewall framework that supports IPv4, IPv6, ARP, and bridged traffic within a single system, eliminating the need to manage separate tools and rule sets. Its clearer and more consistent syntax simplifies firewall configuration and maintenance, making rules easier to read and manage.
Additionally, nftables improves performance by optimizing rule evaluation and reducing duplication, resulting in more efficient and scalable firewall management.
nftables Structure
Tables: containers for chains and rules; e.g., the inet table covers both IPv4 and IPv6.
Chains: similar to iptables, but defined per table with a specified hook and policy.
Rules: expressions that match packets, followed by a verdict (accept, drop).
Basic nftables Commands
1. Create a table: nft add table inet filter
2. Add chains (e.g., input chain):
nft add chain inet filter input { type filter hook input priority 0\; policy drop\; }
3. Allow SSH traffic on port 22:
nft add rule inet filter input tcp dport 22 accept
4. Drop traffic from an IP:
nft add rule inet filter input ip saddr 192.168.1.100 drop
Advantages Over iptables
nftables can define a single rule that applies to both IPv4 and IPv6 traffic, reducing duplication and configuration effort. Its structured, more readable ruleset makes firewall policies easier to understand, manage, and maintain over time.
Additionally, nftables supports advanced features such as set-based matching, enabling efficient bulk operations and improved performance when handling large numbers of rules or addresses.
Advanced Rule Creation
Advanced rule creation enables fine-grained traffic control and optimized firewall behavior. The techniques below demonstrate how state tracking, rate limiting, and rule management are implemented.
Common Advanced Filtering Techniques
1. Stateful Filtering: Allow established and related packets to pass, blocking others:
iptables: iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
nftables: nft add rule inet filter input ct state established,related accept
2. Rate Limiting: Prevent brute force or flooding attacks:
nftables example: limit SSH connections
nft add rule inet filter input tcp dport 22 limit rate 3/minute accept
3. Port Forwarding and NAT
Setting up NAT with iptables requires configuring the nat table.
nftables supports NAT hooks for modern address translation.
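The basic nftables steps above (table, input chain with a drop policy, SSH rule, address drop) and the stateful filtering, rate limiting and NAT techniques of this section, combined into one complete ruleset file; this is an added example, not code from the article. Loading it with nft -f replaces the ruleset atomically, so the drop policy and its accept rules take effect together instead of the policy locking out an interactive SSH session before the accept rule is entered. The blocklist entries, the 10.0.0.0/24 network, the internal web server 10.0.0.10 and the uplink interface eth0 are constructed assumptions.

```nft
#!/usr/sbin/nft -f
# Added example ruleset, not from the original article. Check syntax with
# `nft -c -f firewall.nft`, then load atomically with `nft -f firewall.nft`.
# Assumptions (constructed): this host routes for 10.0.0.0/24, the internal
# web server is 10.0.0.10, and the uplink interface is eth0.

flush ruleset

table inet filter {
    # Set-based matching: one lookup instead of one rule per blocked address.
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 192.168.1.100, 203.0.113.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        # First match wins; packets matching nothing fall through to the drop policy.
        iif lo accept
        ct state invalid drop
        ct state established,related accept
        ip saddr @blocklist drop
        # ICMP/ICMPv6 carry path-MTU and IPv6 neighbour discovery messages.
        meta l4proto { icmp, icmpv6 } accept
        # Rate-limit only new SSH connections; established ones were accepted above.
        tcp dport 22 ct state new limit rate 3/minute accept
        tcp dport 22 ct state new log prefix "ssh-ratelimit " drop
        tcp dport { 80, 443 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Only the port-forwarded web traffic (nat table below) may transit.
        ip daddr 10.0.0.10 tcp dport 80 ct state new accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Port forwarding: external TCP 8080 -> internal web server port 80.
        iifname "eth0" tcp dport 8080 dnat to 10.0.0.10:80
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" masquerade
    }
}
```

After loading, nft list ruleset shows each rule with its handle, which is what nft delete rule needs in the management commands below.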
Rule Management Commands
1. List the full ruleset:
iptables-save (iptables)
nft list ruleset (nftables)
2. Delete specific rules:
iptables -D with rule specification or number
nft delete rule with handle number
3. Flush all rules for reset:
iptables -F
nft flush chain inet filter input (one chain), or nft flush ruleset (every table)