nftables-&nftables-version;

nftables

Introduction to nftables

The nftables package, intended to be the successor to , provides a low-level netlink programming interface (API) and userspace utilities for the in-kernel nf_tables subsystem.

&lfs90_checked;

Package Information

Download (HTTP):
Download (FTP):
Download MD5 sum: &nftables-md5sum;
Download size: &nftables-size;
Estimated disk space required: &nftables-buildsize;
Estimated build time: &nftables-time;

nftables Dependencies

Required
Recommended (for JSON rules table support)
Optional and
Optional (runtime): conntrack-tools, nfacct, and ulogd

Kernel Configuration

Enable the following options in the kernel configuration and recompile the kernel if necessary (add any additional nf_tables features as needed):

    [*] Networking support [CONFIG_NET] --->
      Networking options --->
        [*] Network packet filtering framework (Netfilter) [CONFIG_NETFILTER] --->
          Core Netfilter Configuration --->
            <*> * protocol support [CONFIG_NF_CONNTRACK_*]
            <*> Netfilter nf_tables support [CONFIG_NF_TABLES]
            [*] Netfilter nf_tables * support [CONFIG_NF_TABLES_*]

Include any connection tracking protocols that will be used, and any protocols that you wish to use for match support, under the "Core Netfilter Configuration" section. Additionally, include any "Netfilter nf_tables * module" that will be used under the "Netfilter nf_tables support" section.

Installation of nftables

Install nftables by running the following commands:

    ./configure --prefix=/usr     \
                --sbindir=/sbin   \
                --sysconfdir=/etc \
                --with-json       \
                --with-python-bin=/usr/bin/python3 &&
    make

This package does not come with a test suite.

Now, as the root user:

    make install &&
    mv /usr/lib/libnftables.so.* /lib &&
    ln -sfv ../../lib/$(readlink /usr/lib/libnftables.so) /usr/lib/libnftables.so

Command Explanations

--with-json: build with support for JSON rules. Omit if the recommended JSON dependency is not available.

--with-python-bin=/usr/bin/python3: force use of Python 3.
: build man pages if is installed (required if adding JSON support).

: build with libxtables support.

mv -v /usr/lib/libnftables.so.* ...: Move the shared libraries into /lib so they are available before /usr is mounted.

Configuring nftables

If you intend to use to configure your firewall rules, you should not use the example configuration provided here, nor should you enable the boot script or systemd unit.

Masquerading Router

A network firewall has two interfaces, one connected to an intranet, in this example LAN1, and one connected to the Internet, here WAN1. You will need to adjust these values to match your particular system.

To provide the maximum security for the firewall itself, make sure that there are no unnecessary servers running on it, such as X11 et al. As a general principle, the firewall itself should not access any untrusted service (think of a remote server giving answers that make a daemon on your system crash, or even worse, that implement a worm via a buffer overflow).

In the following example configuration, LAN1 is used for the internal LAN interface, and WAN1 is used for the external interface connected to the Internet. You will need to replace these values with appropriate interface names for your system.

    cat > /etc/nftables/nftables.conf << "EOF"
    #!/sbin/nft -f

    # You're using the example configuration for a setup of a firewall
    # from Beyond Linux From Scratch.
    #
    # This example is far from being complete, it is only meant
    # to be a reference.
    #
    # Firewall security is a complex issue, that exceeds the scope
    # of the configuration rules below.
    #
    # You can find additional information
    # about firewalls in Chapter 4 of the BLFS book.
    # https://www.&lfs-domainname;/blfs

    # Drop all existing rules
    flush ruleset

    # Filter for both ip4 and ip6 (inet)
    table inet filter {

        # filter incoming packets
        chain input {
            # Drop everything that doesn't match
            type filter hook input priority 0; policy drop;

            # accept packets for established connections
            ct state { established, related } accept

            # Drop packets that have a connection state of invalid
            ct state invalid drop

            # Allow connections to the loopback adapter
            iifname "lo" accept

            # Allow connections to the LAN1 interface
            iifname "LAN1" accept

            # Accept icmp requests
            ip protocol icmp accept

            # Allow ssh connections on LAN1
            iifname "LAN1" tcp dport ssh accept

            # Drop everything else
            drop
        }

        # Allow forwarding for external connections to WAN1
        chain forward {
            # Drop if it doesn't match
            type filter hook forward priority 0; policy drop;

            # Accept connections on WAN1
            oifname "WAN1" accept

            # Allow forwarding to another host via this interface
            # Uncomment the following line to allow connections
            # ip daddr 192.168.0.2 ct status dnat accept

            # Allow established and related connections
            iifname "WAN1" ct state { established, related } accept
        }

        # Filter output traffic
        chain output {
            # Allow everything outbound
            type filter hook output priority 0; policy accept;
        }
    }

    # NAT for IPv4 (the ip family covers IPv4 only)
    table ip nat {
        chain prerouting {
            # Accept on inbound interface for policy match
            type nat hook prerouting priority 0; policy accept;

            # Accept http and https on 192.168.0.2
            # Uncomment the following line to allow http and https
            #iifname "WAN1" tcp dport { http, https } dnat to 192.168.0.2
        }

        chain postrouting {
            # accept outbound
            type nat hook postrouting priority 0; policy accept;

            # Masquerade on WAN1 outbound
            oifname "WAN1" masquerade
        }
    }
    EOF

With this configuration your intranet should be reasonably secure against external attacks. No one should be able to set up a new connection to any internal service not configured above.
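As an added check that is not part of the BLFS page or the nftables project, the following Python script parses a ruleset written in the format above and reports two things a defender wants to know before loading it: base chains on the input or forward hooks whose policy is not drop, and any iifname/oifname that is not an interface present on the host, which catches the LAN1/WAN1 placeholders the text says must be replaced. The embedded excerpt is constructed, with the forward policy deliberately weakened to accept.

```python
import re

# Constructed excerpt shaped like the example nftables.conf; forward policy weakened on purpose.
SAMPLE_CONF = """
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "LAN1" accept   # placeholder name from the BLFS example
        drop
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        oifname "WAN1" accept
    }
}
"""

TABLE_RE = re.compile(r'^table\s+(\w+)\s+(\S+)\s*\{')
CHAIN_RE = re.compile(r'^chain\s+(\S+)\s*\{')
BASE_RE = re.compile(r'hook\s+(\w+).*?policy\s+(\w+)')
IFACE_RE = re.compile(r'\b[io]ifname\s+"([^"]+)"')


def parse_chains(conf):
    """Map 'family table chain' -> {'hook', 'policy', 'rules'} for every chain in conf."""
    chains, table, current = {}, '', None
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()          # nft comments start with '#'
        if (m := TABLE_RE.match(line)):
            table = f"{m.group(1)} {m.group(2)}"
        elif (m := CHAIN_RE.match(line)):
            current = chains[f"{table} {m.group(1)}"] = {'hook': None, 'policy': None, 'rules': []}
        elif line == '}':                             # closes the current chain (or table)
            current = None
        elif current is not None and (b := BASE_RE.search(line)):
            current['hook'], current['policy'] = b.groups()   # base-chain declaration
        elif current is not None and line:
            current['rules'].append(line)
    return chains


def audit(conf, interfaces):
    """Findings: permissive input/forward policies and interface names not in `interfaces`."""
    findings = []
    for name, ch in parse_chains(conf).items():
        if ch['hook'] in ('input', 'forward') and ch['policy'] != 'drop':
            findings.append(f"{name}: {ch['hook']} hook policy is {ch['policy']}, expected drop")
        for rule in ch['rules']:
            for iface in IFACE_RE.findall(rule):
                if iface not in interfaces:
                    findings.append(f"{name}: unknown interface {iface!r} in: {rule}")
    return findings
```

Run audit() on the real file contents with the interface names reported by the host (for example from `ip -brief link`) before loading the ruleset with nft -f.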
There are several other examples in the /etc/nftables directory.

Boot Script (SysV) / Systemd Unit (systemd)

To set up the nftables firewall at boot on a SysV system, install the /etc/rc.d/init.d/nftables init script included in the package. On a systemd system, install the nftables.service unit included in the package.

    make install-nftables

Contents

Installed Programs: nft
Installed Libraries: libnftables.{a,so}
Installed Directories: /etc/nftables

Short Descriptions

nft: command line interface for the nf_tables subsystem.

libnftables.{a,so}: provides functions for manipulating the nf_tables subsystem.