An idiot try nftables

[kgdrenefort]

Hello,

So, to keep on the up-to-date good way of doing things, I find out it's not a good things to use iptables anymore. New cool toy seems to be ntftables.

What a pain ! 

First things first: I'm not very good with network, to stay nice.

Before, I was doing an iptables conf file just sending the rules at each boot while a service was made to be enabled and run theses rules. Was perfectly working, specially my needs were merely to disable everything and allow 80/443/22, plus a few stuff as ICMP.

It seems almost the same with nftables, from what I read on the wiki, but way more sophiscated (and complicated).

From what I understand, it works with at least a configuration files, which can call other modules files with their own sets of rules (DCHP, ICMP, SSH…).

So far as I was used to, there was three type of rules (with IPTables): IN, OUT and FORWARDED.

I tried to follow this page, by doing the magic thinking (while reading a bit what it was adding) and so from the wiki page I have now theses files:

- /etc/nftables.rules
- /etc/nftables.conf.d/:
00-definitions.rules 01-drop-policy.rules 01-icmp.rules 05-dhcp.rules 05-lan-nat.rules 21-ntp.rules 22-ssh.rules

Without modification from the wiki.

Then I try to test the configuration, and the first problem arise:

[kgdrenefort]

[kgdrenefort]

After some talking on #gentoo-chat, it could be all ok in the end.

I'm checking files individualy, but if one of these is requesting stuff from other, it will fails because there are not presents.

So, it's just needed to check from /etc/nftables.rules, is that right ?

Regards,
GASPARD DE RENEFORT Kévin
_________________
wiki/User:Kgdrenefort/captain_logs My system info
G. does not have problems, only learning opportunities. - NeddyS.
If your installation isn't valuable to you, feel free to continue to ignore the instructions. - figue.

[pietinger]

If you have already a configuration for iptables then you might be interested in this article:
https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

(The whole wiki is great: https://wiki.nftables.org/wiki-nftables/index.php/Main_Page )
_________________
https://wiki.gentoo.org/wiki/User:Pietinger

[kgdrenefort]

[kgdrenefort]

After writing this, I realize it's… blurry, but that will allows you to take a look into my sick mind .

So, if I understand, NFTables works this way:

Tables that contains chains that contains rules that contains an or several actions to apply.

A tables is a whole sets of chains.

A chains is a set of rules.

A rules contains one or more actions regarding what is presented to it, the condition.

Lastly, the action is what is made of this request (forward it, accept it, reject it, maybe logs it…).

Example:

I open to internet port 22 for SSH, I would have a table for the SSH rules in general in my NFTables. Another one for HTTP (and maybe another one for HTTPS ?), another one for MariaDB, etc…

This tables will contains different chains, for different type of request, a service in this case, working on different ports and protocoles (TCP/UDP, or none in ICMP case).

A request for SSH will be presented from a non-allowed IP.

The request is taked care by the ssh tables, that will pass it to a chain, then the request will be, as in an if-else statement in programing be oriented to the proper rule (it's an example). Here, the rules see an allowed protocole/port/service, SSH, but for a non-allowed IP, so it'll apply an action from a rule dedicated to these non-allowed request. Rejecting it.

Or simply: Non-allowed SSH request is oriented in SSH tables, containing all chains for taking care of it, NFTables does not sees it in an allowed-list and then reject it.

To achieve that, a table have to be created, then it's chains, with for each a rule that is doing from my config an ACCEPT, REJECT or anything else needed. In this case, REJECT to drop that non-desired request.

Or another way, to sees it:

Tables: SSH
SSH tables would contain: A chain that is stating that SSH is on an opened port (22), for TCP/UDP protocols only.
A reject rules (among other): If the IP requesting to access port 22 (TCP/UDP) for SSH service is redirected to it, it will check it's own rule.
Reject rules: Not an allowed IP as request, action is take.
Non allowed request action: REJECT (block/drop it).

The big difference, among other, from IPTables:

While, IPTables, would be way more simple and simply take the request and apply the action against a rule, in a single file mostly, making it hard for big networks or even for complex sets, while NFTable allow you to:

Separate your config among several files, each of them has it's role to play, for a specific service. While IPTables is a single file methods, without allowing you to create variable-likes naming for what you want, making it deeply confusing in some cases.

The main configuration file could be at /etc, then a subfolder contains other configuration file (if desired, I guess it's an allowed choice to separate, not an obligation as you would see from a nginx.conf file separating host and document roots in other config file). The main is merely asking to check these other config file after it blocked by defaults everything and declare the tables that would be used.

Each tables (named and declared in the main config file) is a reference to one of these sub-config file, that would be read when needed (probably not the proper way to sees it, but that is how I do for now). To keep my example, the main file will say a SSH table exist (and I have to create it myself, because it's a subconfig file). So we can see a subconfig file as a sets of rules, contained into a table file.

Then when a request is made to SSH, it's redirected to that table file (XX-ssh.rules for example), which will separate the differents actions (ACCEPT, REJECT, etc) among it's chains, into the tables (which is a file).

The table, which is just a convenient way to declare a sets of request, chains are kind of if-statement condition, if it gets a request for it (from the condition into the table file), it'll compare it agains several rules. So main file is declaring tables, which are separated file (if wanted), containing if-else like (still an example, not the best) chains, which are matched against the request (IP, protocole, ports, the content…).

Each chain would then redirect the request to a rule, where a request is (according to it's condition) taken care of by action(s). The rule can be seen as a case, like a switch-case in programming too, for example. Once a chain forward the request to the rule, it simply apply what the administrator asked (ACCEPT, REJECT…). That is the action that is the final process, before it's just a workflow to redirect the request to the proper action.

Is it… Correct, more or less ? I guess what I try to say in this replies is full of approximations, I miss in the process the concept of hook, which once translated to french makes me things of something that grab another thing, like a fish or an annoying kid.

My head hurts !

PS: After 10 reading of my post, I can't explain what I think I understood better, sorry.

Regards,
GASPARD DE RENEFORT Kévin
_________________
wiki/User:Kgdrenefort/captain_logs My system info
G. does not have problems, only learning opportunities. - NeddyS.
If your installation isn't valuable to you, feel free to continue to ignore the instructions. - figue.

[pietinger]

kgdrenefort,

iptables and nftables do the same job: Giving some rules to the kernel. Yes, the kernel is the firewall.

A table is a hook to a special protocol. You dont see different tables in iptables BECAUSE iptables handels ONLY IPv4 traffic. The same is true for ip6tables. With nftables you can handle many different protocols - so, you can define more tables; e.g a table for filtering IPv4, and a table for filtering IPv6, and a table for inet (tables of this family see both IPv4 and IPv6 traffic/packets, simplifying dual stack support), and a table for ARP (in the past this was handled from arptables).

A chain is a hook to the appropriate Netfilter hook. With iptables you have 3 pre-defined chains ... you dont have with nftables. Here you have define them yourself (most Users of nftables use the same names: INPUT, OUTPUT and FORWARD, haha).

And yes, these chains contains your rules.

One difference most user dont understand when switching from iptables to nftables is:

With iptables you can mix your chains when defining rules. This is possible in a script:

[kgdrenefort]

Thanks for such a complete and time-consumming answer !

About a few points (because I'll have to re-read all that later to assimilate it a bit):

2. Simply because it's probably made from fail2ban and added to it, in addition to my rules:

[pietinger]

[kgdrenefort]

[pietinger]

First of all: A Firewall is only ONE piece of many to secure a machine. Other pieces are: a hardened Kernel, a MAC like SELinux or AppArmor, integrity Management (like IMA) and maybe also some efforts for privacy (DNS over TLS; Cookie handling in browser; ...)

[kgdrenefort]

Wow, never thinked before I would read so much about packets, that's really the field I hate the most in IT !

That is interesting, but can't say I understood all of your old posts, but I have a link to bookmark for later reading when I would need it. Well made.

[Hu]

[pietinger]

[pietinger]

[kgdrenefort]

Thanks for your replies.

I have started to setup a proper trio with QEMU/LibVirt/Virt-Manager, my goal was to add it to my host and then do some testing with firewall.

But found out, as remembered because I did not does that in years, that I'll need at this point NAT or bridge.

After some reading, my conclusion is in this case I need NAT: It'll give to my VM it's personal private IP, while bridge will just gives an interface (e.g 'br0') to reach my VM. Which is probably not what I want, since I wanted to test connectivity between two machines, using VMs.

And that's the catch: I need a firewall configured ! Fat luck, it was to test it.

Turns out, as usual, I complicated my life, a lot, while I could simple run another low-power machine and try out. I have two laptop with Gentoo, one could be the firewalled machine and the other the reaching, or my host…

So, NAT is more convenient in my case, having it's own private IP in my network, would ease to me (I think !) to simulate interactions in my network.

At least, that is my conclusion.

Regards,
GASPARD DE RENEFORT Kévin
_________________
wiki/User:Kgdrenefort/captain_logs My system info
G. does not have problems, only learning opportunities. - NeddyS.
If your installation isn't valuable to you, feel free to continue to ignore the instructions. - figue.

[toralf]

[kgdrenefort]

[pietinger]

[kgdrenefort]

Hello,

Today I had the time to finish the comments on the file below.

It's merely to try to understand what parts are doing, which will surely helps me later to create the actual rules from the chains and table defined here. Could you, please, tell me if it's seems I understood a bit better what's going on in that file ?

[nicop]

Hi,

Several comments :
why not default values for priorities ? : https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks#Priority_within_hook

netdev/chain ingress_filter :
if you really want an "ingress" hook, you have to specify the ingress hook and a device (cf nftables : the ingress hook is attached to a particular network interface. )
example : type filter hook ingress devices = { ethX, ethY }

inet/base_filter :
It's counter intuitive to put an output rule (oifname lo) in a chain that will also be applied in an input hook.
iifname/oifname is useless for lo because it's always the first created. iif lo/oif lo are preferred.
The suffix "name" is useful for dynamics interfaces : ppp, vpn ...

inet/output :
you'll get trouble with a drop policy with the output hook. Otherwise, a very long list of exceptions will be required.

[kgdrenefort]

Hello,

This is from this link from the Gentoo's wiki: https://wiki.gentoo.org/wiki/Nftables#Modular_Ruleset_Management

Since I'm not in ease on this subject, I try to not start from scratch, but at the same time I try to figure out what's going on into that file.

This is my exact needs, but in the big lines:

- Block everything (of course) that is incoming.
- Allow useful stuff as ICMP tho, the good way, not just blocking it blindly.
- Allow only a few ports for the needed services, that would be mostly: 80/443 & 22 a few weeks a year only, maybe allowing a few peoples to access SSH for sFTP file uploading and retrieving. That'll be protected with SSH key no matter what, with a password and I'll filter and only allow some IPs for that matters.
- In the end, only allow what is needed for a server acting also as a workstation, I can't blindly drop/reject every output, I still have to be able to use my server/workstation .

For default values priorities, I still do not understand yet how it could be important, simply it allows some traffic to get taken care of before other, I guess ?

For ingress, I'm not quite sure what it does actually.

From the netfilter wiki:

[nicop]

[kgdrenefort]

Hello and thanks for your reply.

So, I simply added a very few comments to the code below:

[nicop]