iptables
, ip6tables
, arptables
y ebtables
commands.
nft
command. Since Debian Buster, the nftables framework is used by default. The commands mentioned before are provided by versions, which use the nftables kernel API, by default. If one requires the “classic“ commands, the relevant binaries can be adjusted using update-alternatives
.
#
apt install -y nftables
Leyendo lista de paquetes... Hecho ... #
systemctl enable nftables.service
Created symlink /etc/systemd/system/sysinit.target.wants/nftables.service → /lib/systemd/system/nftables.service.
ip
, ip6
, inet
, arp
y bridge
. Se usa ip
si no se especifica la familia.
accept
, drop
, queue
, continue
, return
, jump chain
y goto chain
.
iptables-translate
and ip6tables-translate
commands can be used to translate old iptables commands into the new nftables syntax. Whole rule sets can also be translated, in this case we migrate the rules configured in one computer which has Docker installed:
#
iptables-save > iptables-ruleset.txt
#
iptables-restore-translate -f iptables-ruleset.txt
# Translated by iptables-restore-translate v1.8.9 on Wed Aug 14 00:35:02 2024 add table ip filter add chain ip filter INPUT { type filter hook input priority 0; policy accept; } add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; } add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; } add chain ip filter DOCKER add chain ip filter DOCKER-ISOLATION-STAGE-1 add chain ip filter DOCKER-ISOLATION-STAGE-2 add chain ip filter DOCKER-USER add rule ip filter FORWARD counter jump DOCKER-USER add rule ip filter FORWARD counter jump DOCKER-ISOLATION-STAGE-1 add rule ip filter FORWARD oifname "docker0" ct state related,established counter accept add rule ip filter FORWARD oifname "docker0" counter jump DOCKER add rule ip filter FORWARD iifname "docker0" oifname != "docker0" counter accept add rule ip filter FORWARD iifname "docker0" oifname "docker0" counter accept add rule ip filter DOCKER-ISOLATION-STAGE-1 iifname "docker0" oifname != "docker0" counter jump DOCKER-ISOLATION-STAGE-2 add rule ip filter DOCKER-ISOLATION-STAGE-1 counter return add rule ip filter DOCKER-ISOLATION-STAGE-2 oifname "docker0" counter drop add rule ip filter DOCKER-ISOLATION-STAGE-2 counter return add rule ip filter DOCKER-USER counter return add table ip nat add chain ip nat PREROUTING { type nat hook prerouting priority -100; policy accept; } add chain ip nat INPUT { type nat hook input priority 100; policy accept; } add chain ip nat OUTPUT { type nat hook output priority -100; policy accept; } add chain ip nat POSTROUTING { type nat hook postrouting priority 100; policy accept; } add chain ip nat DOCKER add rule ip nat PREROUTING fib daddr type local counter jump DOCKER add rule ip nat OUTPUT ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER add rule ip nat POSTROUTING oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade add rule ip nat DOCKER iifname "docker0" counter return # Completed on Wed Aug 14 00:35:02 2024 #
iptables-restore-translate -f iptables-ruleset.txt > ruleset.nft
#
nft -f ruleset.nft
#
nft list ruleset
# Warning: table ip nat is managed by iptables-nft, do not touch! table ip nat { chain DOCKER { iifname "docker0" counter packets 0 bytes 0 return iifname "docker0" counter packets 0 bytes 0 return } chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade } chain PREROUTING { type nat hook prerouting priority dstnat; policy accept; fib daddr type local counter packets 0 bytes 0 jump DOCKER fib daddr type local counter packets 0 bytes 0 jump DOCKER } chain OUTPUT { type nat hook output priority -100; policy accept; ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER } chain INPUT { type nat hook input priority 100; policy accept; } } # Warning: table ip filter is managed by iptables-nft, do not touch! table ip filter { chain DOCKER { } chain DOCKER-ISOLATION-STAGE-1 { iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2 counter packets 0 bytes 0 return iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2 counter packets 0 bytes 0 return } chain DOCKER-ISOLATION-STAGE-2 { oifname "docker0" counter packets 0 bytes 0 drop counter packets 0 bytes 0 return oifname "docker0" counter packets 0 bytes 0 drop counter packets 0 bytes 0 return } chain FORWARD { type filter hook forward priority filter; policy drop; counter packets 0 bytes 0 jump DOCKER-USER counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1 oifname "docker0" ct state related,established counter packets 0 bytes 0 accept oifname "docker0" counter packets 0 bytes 0 jump DOCKER iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept counter packets 0 bytes 0 jump DOCKER-USER counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1 oifname "docker0" ct state established,related counter packets 0 bytes 0 accept oifname "docker0" counter packets 0 bytes 0 jump DOCKER iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept } chain DOCKER-USER { counter packets 0 bytes 0 return counter packets 0 bytes 0 return } chain INPUT { type filter hook input priority filter; policy accept; } chain OUTPUT { type filter hook output priority filter; policy accept; } }
iptables-nft
, ip6tables-nft
, arptables-nft
, ebtables-nft
son versiones de iptables que usan la API de nftables, de forma que los usuarios puedan seguir usando la vieja sintaxis de iptables con ellas, pero no se recomienda; estas herramientas solo deberían usarse para compatibilidad inversa.
nft
permiten manipular tables, cadenas y reglas. La opción table
admite varias operaciones: add
, create
, delete
, list
y flush
. nft add table ip6 mangle
añade una nueva tabla de la familia ip6
.
filter
, puede ejecutar la siguiente orden (tenga en cuenta que se debe escapar el punto y coma con una barra invertida cuando se usa Bash):
#
nft add chain filter input { type filter hook input priority 0 \; }
nft add rule [familia] tabla cadena handle handle statement
.
insert
es similar a la orden add
, pero la regla proporcionada se antepone al principio de la cadena o antes de la regla con el handle proporcionado en vez de al principio o al final de la regla. Por ejemplo, la siguiente orden inserta una regla ante de la regla con el handle número 8:
#
nft insert rule filter output position 8 ip daddr 127.0.0.8 drop
nft
ejecutadas no realizan cambios permanentes en la configuración, así que se pierden si no se guardan. Las reglas del cortafuegos se encuentran en /etc/nftables.conf
. Una forma simple de guardar la configuración actual del cortafuegos es ejecutando nft list ruleset > /etc/nftables.conf
como superusuario.
nft
permite muchas más operaciones, consulte su página de manual nft(8) para más información.
/etc/nftables.conf
and execute systemctl enable nftables
as root. You can stop the firewall by executing nft flush ruleset
as root.
up
del archivo /etc/network/interfaces
. En el siguiente ejemplo, el script está guardado como /usr/local/etc/arrakis.fw
.
Ejemplo 14.1. archivo interfaces
llamando al script del firewall
auto eth0 iface eth0 inet static address 192.168.0.1 network 192.168.0.0 netmask 255.255.255.0 broadcast 192.168.0.255 up /usr/local/etc/arrakis.fw