In Red Hat Enterprise Linux 8 the network security dynamic duo Firewalld and Nftables make their new team debut.
NFTables (replacing IPTables) is a new subsystem of the Linux kernel which provides filtering and classification of network packets, datagrams, or frames. This software provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool.
The default firewall management tool in continues to be firewalld (firewall-cmd), which gained support for nftables with version 0.6.0.
|
ℹ️
|
For 99% of all use cases the firewalld tools are the best choice. For this lab however we are trying to introduce nft and demonstrate some differences to the former iptables.
|
For the first part of this lab we will be using node2. As the user root on host workstation.example.com you should ssh to node2.example.com. You should not be prompted for a password.
ssh node2.example.com
Verify that you are on the right host for these exercises.
cheat-nftables-checkhost.sh
You are now ready to begin your exercises.
Using nft, show the current state of the network tables.
nft list tables
table ip filter
table ip6 filter
table bridge filter
table ip security
table ip raw
table ip mangle
table ip nat
table ip6 security
table ip6 raw
table ip6 mangle
table ip6 nat
table bridge nat
table inet firewalld
table ip firewalld
table ip6 firewalldUsing nft, show the current state of the network chains.
nft list chains
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
}
chain FORWARD {
type filter hook forward priority 0; policy accept;
}
chain OUTPUT {
type filter hook output priority 0; policy accept;
}
}
...<snip>...|
ℹ️
|
The output for this can be VERY long. You can optionally use nft list chains | less if you would like a pageable view of the output.
|
nft insert rule ip filter INPUT tcp dport http accept
Verify the rule change.
nft list table ip filter -n -a
table ip filter { # handle 1
chain INPUT { # handle 1
type filter hook input priority 0; policy accept;
tcp dport http accept # handle 4
}
chain FORWARD { # handle 2
type filter hook forward priority 0; policy accept;
}
chain OUTPUT { # handle 3
type filter hook output priority 0; policy accept;
}
}Remember the rule handle, we will use it next to delete the rule
nft delete rule filter INPUT handle 4
Verify the rule change.
nft list table ip filter -n -a
table ip filter { # handle 1
chain INPUT { # handle 1
type filter hook input priority 0; policy accept;
}
chain FORWARD { # handle 2
type filter hook forward priority 0; policy accept;
}
chain OUTPUT { # handle 3
type filter hook output priority 0; policy accept;
}
}nft insert rule ip filter INPUT tcp dport { ssh, http, https, 8181 } accept
Verify the new rules.
nft list table ip filter -n -a
table ip filter { # handle 1
chain INPUT { # handle 1
type filter hook input priority 0; policy accept;
tcp dport { ssh, http, https, 8181 } accept # handle 6
}
chain FORWARD { # handle 2
type filter hook forward priority 0; policy accept;
}
chain OUTPUT { # handle 3
type filter hook output priority 0; policy accept;
}
}|
|
DO NOT do this step unless you successfully completed "Add Multiple Rules at Once" above. You will get locked out of your network conneciton to node2.example.com if you have not. |
Set the INPUT chain default policy to drop all traffic not specifically accepted.
nft add chain ip filter INPUT { type filter hook input priority 0\; policy drop\; }
Verify Increased Security
nft list table ip filter -n -a
table ip filter { # handle 1
chain INPUT { # handle 1
type filter hook input priority 0; policy drop;
tcp dport { ssh, http, https, 8181 } accept # handle 6
}
chain FORWARD { # handle 2
type filter hook forward priority 0; policy accept;
}
chain OUTPUT { # handle 3
type filter hook output priority 0; policy accept;
}
}Remove rules added during this exercise. We begin by setting the INPUT chain default policy to accept all traffic.
nft add chain ip filter INPUT { type filter hook input priority 0\; policy accept\; }
Now find the handle and remove the rule currently allowing access for SSH, HTTP, HTTPS, and 8181
nft list table ip filter -n -a
table ip filter { # handle 1
chain INPUT { # handle 1
type filter hook input priority 0; policy accept;
tcp dport { ssh, http, https, 8181 } accept # handle 6
}
chain FORWARD { # handle 2
type filter hook forward priority 0; policy accept;
}
chain OUTPUT { # handle 3
type filter hook output priority 0; policy accept;
}
}In the output above, we determine the handle for our rule is '6'.
nft delete rule filter INPUT handle 6
|
ℹ️
|
You can also use the 'flush' option to clear an entire table: nft flush table ip filter
|
Verify that everything is back to normal
nft list table ip filter -n -a
table ip filter { # handle 1
chain INPUT { # handle 1
type filter hook input priority 0; policy accept;
}
chain FORWARD { # handle 2
type filter hook forward priority 0; policy accept;
}
chain OUTPUT { # handle 3
type filter hook output priority 0; policy accept;
}
}You can find more information: