
Firewall Setup: Iptables/Nftables Basics and Advanced Rule Creation

Lesson 7/31 | Study Time: 25 Min

Firewall configuration is a fundamental part of securing Linux systems: it filters network traffic and controls which services are reachable from where. Linux has long used iptables as its primary firewall tool, organizing rules that filter packets by address, protocol, port and connection state. nftables, its successor in the kernel, replaces the separate iptables, ip6tables, arptables and ebtables tools with a single framework, simplifies rule management, and scales better through sets and maps.

Basics of iptables

iptables organizes firewall logic into tables and chains that process packets at defined stages. The list below introduces these components along with practical command examples and best practices.


Structure of iptables


1. Tables: iptables organizes rules into tables, each for a specific type of processing:


filter (default): handles packet filtering (accept/drop)

nat: for network address translation (port forwarding, masquerading)

mangle: modifies packet headers for QoS and routing

raw: evaluated before connection tracking; used mainly to mark packets NOTRACK so they bypass it


2. Chains: Within tables, chains are ordered lists of rules attached to netfilter hooks, the points at which the kernel hands a packet to the firewall. The filter table has three:


INPUT (packets addressed to this host)

OUTPUT (packets generated by this host)

FORWARD (packets routed through this host)


The nat and mangle tables additionally provide PREROUTING (before the routing decision, where DNAT happens) and POSTROUTING (after routing, just before the packet leaves, where SNAT and MASQUERADE happen).


3. Rules: Chains contain rules, each pairing match criteria (protocol, ports, source or destination addresses, connection state) with a target: ACCEPT lets the packet through, DROP discards it silently, REJECT discards it and sends an error back (a TCP RST or an ICMP unreachable), and LOG records it and continues to the next rule. DROP gives a scanner no answer at all, while REJECT is kinder to legitimate clients that would otherwise wait for a timeout.


Basic iptables Command Examples


List rules: iptables -L -v -n

Accept SSH on port 22: iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Drop traffic from a specific IP: iptables -A INPUT -s 192.168.1.100 -j DROP


Important Considerations: Rule order is critical. A packet walks the chain from top to bottom, and the first rule whose match succeeds and whose target is terminating (ACCEPT, DROP, REJECT) decides its fate; later rules are not consulted. LOG is non-terminating, so a logging rule lets evaluation continue. When no rule matches, the chain's default policy (set with -P) applies, which is why a hardened host sets INPUT to DROP and accepts only what it needs. Note that -A appends: the two commands above, run in the order shown, still let 192.168.1.100 reach SSH, because its packets match the ACCEPT rule first; the DROP must come earlier (insert it at the top with -I, or order the rules correctly in a ruleset file). Finally, IPv4 and IPv6 have independent rule sets, managed with iptables and ip6tables respectively; a host with IPv6 enabled and only iptables rules is wide open over IPv6.
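The two commands above, appended in that order, leave 192.168.1.100 able to open SSH sessions because its packets hit the ACCEPT rule first. The script below, an added example that is not part of the original lesson, writes the same policy as iptables-restore text so the order is visible and the whole table is swapped in one atomic step, with the IPv6 counterpart kept separate as ip6tables requires. Port 22 and the blocked address are the lesson's values; everything else (the ping and logging rules, the --apply switch) is assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the lesson): write the iptables policy as
# iptables-restore text and load it atomically. Port 22 and the blocked host
# 192.168.1.100 are the lesson's values; the rest is assumed for illustration.

# IPv4 ruleset in iptables-save format. Order matters: the first matching rule
# with a terminating target (ACCEPT/DROP/REJECT) decides the packet's fate.
ipv4_ruleset() {
  cat <<'EOF'
*filter
# Chain policies apply only to packets that matched no rule.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Loopback and already-tracked traffic first: most packets stop here.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 2. Blocked host BEFORE the SSH accept. With the lesson's two commands run in
#    their printed order (-A appends), this host could still open SSH sessions.
-A INPUT -s 192.168.1.100 -j DROP
# 3. New SSH connections from everyone else.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# 4. Ping.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# 5. LOG is non-terminating: evaluation continues and the INPUT policy drops
#    the packet. The limit match keeps an attacker from flooding the log.
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "IPT-DROP: "
COMMIT
EOF
}

# IPv6 is a separate ruleset; ip6tables never sees the rules above. ICMPv6
# must be allowed or neighbour discovery, and with it all IPv6, stops working.
ipv6_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "IP6T-DROP: "
COMMIT
EOF
}

# iptables-restore swaps the whole table in one step, so there is no moment
# with a half-applied policy (unlike a script of -A commands). Needs root.
apply_rulesets() {
  ipv4_ruleset | iptables-restore || return 1
  ipv6_ruleset | ip6tables-restore || return 1
}

# Line number of the first rule matching PATTERN ($2) in RULESET text ($1);
# used to check that the blocked host is evaluated before SSH is accepted.
rule_position() {
  printf '%s\n' "$1" | grep -n -- "$2" | head -n1 | cut -d: -f1
}

if [ "${1:-}" = "--apply" ]; then
  apply_rulesets
else
  ipv4_ruleset
fi
```

Run it without arguments to review the generated IPv4 ruleset; run it as root with --apply to load both rulesets. Because iptables-restore replaces the filter table wholesale, re-running it is idempotent, which a list of -A commands is not.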

Introduction to nftables

nftables provides a unified firewall framework that handles IPv4, IPv6, ARP and bridged traffic within a single tool and ruleset, eliminating the separate iptables, ip6tables, arptables and ebtables commands and the duplicated rules they required. Its clearer and more consistent syntax makes rulesets easier to read and maintain, and a ruleset can be loaded from a file as one atomic transaction, so a typo does not leave the host half-configured.

nftables also performs better on large policies: rules are compiled to a small in-kernel virtual machine, and sets and maps let one rule with a lookup replace a long linear list of per-address rules, so evaluation cost no longer grows with the number of addresses blocked or allowed.


nftables Structure


Tables: containers for chains and sets, each bound to an address family: ip (IPv4 only), ip6, inet (IPv4 and IPv6 together), arp, bridge and netdev.

Chains: base chains are attached to a netfilter hook (input, output, forward, prerouting, postrouting) with a type (filter, nat, route), a priority and a default policy; regular chains have no hook and are entered only via jump or goto from another chain.

Rules: a sequence of match expressions (ip saddr, tcp dport, ct state, set lookups) followed by statements such as log, limit or counter, normally ending in a verdict (accept, drop, reject, jump, return).


Basic nftables Commands


1. Create a table: nft add table inet filter


2. Add a base chain (here the input chain). The braces and semicolons are nft syntax, so they must be escaped or quoted to survive the shell:

nft add chain inet filter input { type filter hook input priority 0\; policy drop\; }

A base chain takes effect the moment it exists. Creating it with policy drop on a remote machine before any accept rules are present cuts off the session you are working from; either create it with policy accept and switch to drop after the rules below are in place, or load the whole ruleset from a file with nft -f so chain and rules arrive in one transaction.


3. Allow SSH traffic on port 22:

nft add rule inet filter input tcp dport 22 accept


4. Drop traffic from an IP:

nft add rule inet filter input ip saddr 192.168.1.100 drop


Advantages Over iptables

A single rule can apply to both IPv4 and IPv6 traffic when it lives in an inet table, halving the configuration effort and removing the risk that the two policies drift apart. The structured, nested ruleset is also easier to read, review and maintain over time.

Additionally, nftables supports advanced features such as set-based matching, enabling efficient bulk operations and improved performance when handling large numbers of rules or addresses.
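The nft commands above, collected into one ruleset file, as an added example that is not part of the original lesson. It shows the points just made: a single inet table whose tcp and ct rules serve IPv4 and IPv6 at once, address matches that stay per family, and a named set that replaces one rule per blocked address. 192.168.1.100 is the lesson's host; 10.0.0.0/8 and 2001:db8::bad are placeholder entries invented for this example.

```shell
#!/bin/sh
# Added example (not from the lesson): the nft commands above as one ruleset
# file. One inet table serves IPv4 and IPv6; named sets replace one rule per
# blocked address. 192.168.1.100 is the lesson's host; 10.0.0.0/8 and
# 2001:db8::bad are placeholder entries invented for this example.
nft_ruleset() {
  cat <<'EOF'
# nft -f applies this file as one transaction: the old ruleset is replaced
# only if every line below parses and loads, so a typo cannot half-apply it.
flush ruleset

table inet filter {
    # Set-based matching: one lookup whatever the number of entries.
    set blocked4 {
        type ipv4_addr
        flags interval
        elements = { 192.168.1.100, 10.0.0.0/8 }
    }
    set blocked6 {
        type ipv6_addr
        elements = { 2001:db8::bad }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Address matches name the header they read, so they are per family...
        ip saddr @blocked4 drop
        ip6 saddr @blocked6 drop

        # ...while transport and conntrack matches cover both families at once.
        tcp dport 22 ct state new accept
        meta l4proto { icmp, ipv6-icmp } accept

        # Rate-limited logging of whatever falls through to the drop policy.
        limit rate 5/minute log prefix "nft-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Dry run: parse and validate without touching the live ruleset (needs nft).
check_ruleset() {
  nft_ruleset | nft -c -f -
}

# Load for real (root). Saving the same text to /etc/nftables.conf makes it
# persistent on distributions whose nftables service reads that file at boot.
apply_ruleset() {
  nft_ruleset | nft -f -
}
```

The blocked-address lookups sit above the SSH accept for the same reason as in iptables: rules are evaluated top to bottom, and the first verdict wins. Adding a host to the blocklist is now an element insert into the set rather than a new rule whose position must be checked.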

Advanced Rule Creation

Advanced rule creation enables fine-grained traffic control and optimized firewall behavior. The techniques below demonstrate how state tracking, rate limiting, and rule management are implemented.


Common Advanced Filtering Techniques


1. Stateful Filtering: Accept packets that belong to a connection already tracked as established, or related to one (ICMP errors, FTP data channels). Placed first, this rule handles the bulk of legitimate traffic cheaply; new connections then need explicit accept rules or fall through to the chain policy:


iptables: iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

nftables: nft add rule inet filter input ct state established,related accept


2. Rate Limiting: Slow down brute-force and flooding attempts:


nftables example: limit SSH connections

nft add rule inet filter input tcp dport 22 limit rate 3/minute accept

As written, this counts every packet to port 22, so once the token bucket is empty it also throttles sessions that are already open unless an earlier rule accepts ct state established,related. For connection-rate limiting, combine the limit with ct state new and add a burst so a few quick legitimate logins are not refused. Packets over the limit are simply not accepted by this rule; a later drop rule or the chain policy must actually discard them.


3. Port Forwarding and NAT


With iptables, translation rules live in the nat table: DNAT in PREROUTING rewrites the destination before routing (port forwarding), and SNAT or MASQUERADE in POSTROUTING rewrites the source as packets leave.

With nftables, chains of type nat hooked at prerouting and postrouting carry dnat, snat and masquerade statements; NAT tables are per family (ip or ip6).

In both cases the kernel must have IP forwarding enabled and the filter FORWARD chain must permit the translated traffic, otherwise the mapping exists but nothing passes.
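The three techniques above combined in one ruleset, as an added example that is not from the lesson: conntrack state handling, SSH connection-rate limiting both per source (a dynamic set the kernel fills on demand, which needs a recent nftables) and host-wide, and DNAT port forwarding plus masquerading for a LAN. The interface names eth0 and eth1, the LAN 10.0.0.0/24 and the web server 10.0.0.10 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the lesson): stateful filtering, connection-rate
# limiting and NAT in one nftables ruleset. Assumptions: eth0 faces the
# internet, eth1 the LAN 10.0.0.0/24, and 10.0.0.10 is a web server behind
# this box. Load as root with: nft_advanced_ruleset | nft -f -
nft_advanced_ruleset() {
  cat <<'EOF'
flush ruleset

table inet filter {
    # Dynamic set: the kernel adds one entry per source address on demand and
    # expires it after a minute of silence. Keyed on 'ip saddr', so IPv4 only;
    # IPv6 clients need a twin set of type ipv6_addr keyed on 'ip6 saddr'.
    set ssh_clients {
        type ipv4_addr
        flags dynamic,timeout
        timeout 1m
        size 65536
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept

        # Stateful filtering. 'established,related' covers reply packets and
        # helper-opened flows (FTP data, ICMP errors); 'invalid' catches packets
        # that belong to no tracked connection, such as stray ACKs from scans.
        ct state established,related accept
        ct state invalid drop

        # Per-source SSH rate limit: more than 3 new connections per minute
        # from one address are dropped; other clients are unaffected.
        tcp dport 22 ct state new add @ssh_clients { ip saddr limit rate over 3/minute } drop

        # Host-wide cap as a second line of defence: at most 10 new SSH
        # connections per minute in total, with a burst of 5 for quick logins.
        # The limit rule only accepts; the next rule discards the excess.
        tcp dport 22 ct state new limit rate 10/minute burst 5 packets accept
        tcp dport 22 ct state new drop

        meta l4proto { icmp, ipv6-icmp } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Only the port-forwarded service may be reached from outside. DNAT
        # has already happened at prerouting, so match the internal address.
        iif "eth0" oif "eth1" ip daddr 10.0.0.10 tcp dport 80 ct state new accept
        # LAN clients may initiate anything towards the internet.
        iif "eth1" oif "eth0" ct state new accept
    }
}

# NAT is per family: this ip table rewrites IPv4 headers only.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Port forward: external :8080 -> web server :80, before routing.
        iif "eth0" tcp dport 8080 dnat to 10.0.0.10:80
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Masquerade LAN traffic leaving via eth0 with eth0's current address.
        oif "eth0" masquerade
    }
}
EOF
}

# NAT forwards nothing unless the kernel routes between interfaces.
enable_forwarding() {
  sysctl -w net.ipv4.ip_forward=1
}

apply_advanced_ruleset() {
  enable_forwarding && nft_advanced_ruleset | nft -f -
}
```

The per-source limit is what stops a brute-force client without punishing everyone else; the host-wide limit is cheap insurance against a distributed attempt. Both sit after the established,related accept, so already-open sessions never consume tokens.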


Rule Management Commands


1. List the whole ruleset:


iptables-save (iptables)

nft list ruleset (nftables)


2. Delete specific rules:


iptables -D followed by either the full rule specification or the rule's position number; numbers shift after every deletion, so delete by specification or work from the highest number downward

nft delete rule followed by the rule's handle, which is shown when listing with the -a option; handles stay stable until the rule is removed


3. Flush all rules for a reset:


iptables -F removes the rules but keeps each chain's default policy, so set the policies back to ACCEPT first or a DROP policy will block everything, including your own SSH session

nft flush chain empties a chain but keeps the chain, its hook and its policy (the same lockout applies); nft flush ruleset removes every table, chain and rule and returns to the kernel default of accepting everything
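Two pitfalls follow from the commands above, and the added example below (not from the lesson) works around both: iptables -F leaves a DROP policy in force, so the policies must be opened before flushing, and nft deletes rules only by handle, so the handle has to be read out of an nft -a listing. The sample listing embedded in the script is constructed for this example; the functions that touch the live firewall need root.

```shell
#!/bin/sh
# Added example (not from the lesson): resetting and deleting rules without
# locking yourself out. SAMPLE_LISTING below is a constructed stand-in for
# 'nft -a list ruleset' output; the live functions need root.

# 'iptables -F' removes rules but leaves each chain's policy alone. With
# 'iptables -P INPUT DROP' in place, flushing first means nothing is accepted
# any more, SSH included. Open the policies, then flush, for every table.
iptables_reset() {
  for bin in iptables ip6tables; do
    for chain in INPUT FORWARD OUTPUT; do
      "$bin" -P "$chain" ACCEPT
    done
    for table in filter nat mangle raw; do
      "$bin" -t "$table" -F    # delete all rules in the table
      "$bin" -t "$table" -X    # delete now-empty user-defined chains
    done
  done
}

# nft: 'flush chain' empties a chain but keeps its hook and policy, so flushing
# a 'policy drop' input chain also blocks everything. 'flush ruleset' removes
# tables, chains and rules and returns to the kernel default (accept).
nft_reset() {
  nft flush ruleset
}

# Extract the handle of the first rule in a listing that contains a rule text.
# $1 = output of 'nft -a list ...', $2 = literal rule text to look for.
nft_rule_handle() {
  printf '%s\n' "$1" | grep -F -- "$2" | sed -n 's/.*# handle \([0-9][0-9]*\)$/\1/p' | head -n1
}

# Delete a live rule by its text, since nft itself deletes only by handle.
# $1 family, $2 table, $3 chain, $4 rule text exactly as nft prints it.
nft_delete_rule() {
  listing=$(nft -a list chain "$1" "$2" "$3") || return 1
  handle=$(nft_rule_handle "$listing" "$4")
  [ -n "$handle" ] || { echo "no rule matching '$4' in $1 $2 $3" >&2; return 1; }
  nft delete rule "$1" "$2" "$3" handle "$handle"
}

# Constructed sample of 'nft -a list ruleset' for the lesson's input chain.
# Handles are per table (chains) and per chain (rules), hence the repeats.
SAMPLE_LISTING='table inet filter { # handle 1
	chain input { # handle 1
		type filter hook input priority 0; policy drop;
		iif "lo" accept # handle 4
		ct state established,related accept # handle 5
		ip saddr 192.168.1.100 drop # handle 6
		tcp dport 22 accept # handle 7
	}
}'
```

Against the sample listing, nft_rule_handle with the text ip saddr 192.168.1.100 drop returns 6, which nft_delete_rule would turn into nft delete rule inet filter input handle 6. Deleting by text rather than by a remembered number also avoids the iptables problem of rule numbers shifting after each removal.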

Andrew Foster, Product Designer