Howto: Set up a basic nftables firewall (Buster)

Postby Hallvor » 2019-10-05 14:44

Who is this for?
This is a basic firewall for desktop computers and aimed at beginners.

What will it result in?
* An extra layer of security.
* Your computer will not respond to pings or port scans. It will behave as if it is not there at all.
* Your services will be unreachable. You choose when you want to expose them to the Internet.
* All outgoing traffic is open. (This is OK for most users, but if you want top-notch firewall security, you should restrict outgoing traffic as well.)

Let's do this

Remove all traces of iptables and flush all iptables rules:

Code:
# iptables -F && apt remove iptables iptables-persistent


nftables should be installed by default, but just in case:
Code:
# apt install nftables


We can confirm that there are no rules yet by running:

Code:
# nft list ruleset


We will now copy the example nftables configuration file to the location the service reads it from:
Code:
# cp /usr/share/doc/nftables/examples/workstation.nft /etc/nftables.conf


Now we will edit the file:

Code:
# nano /etc/nftables.conf


It will look like this:

Code:
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0;

                # accept any localhost traffic
                iif lo accept

                # accept traffic originated from us
                ct state established,related accept

                # activate the following line to accept common local services
                #tcp dport { 22, 80, 443 } ct state new accept

                # accept neighbour discovery otherwise IPv6 connectivity breaks.
                ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert } accept

                # count and drop any other traffic
                counter drop
        }
}


The default configuration file will allow all traffic to the loopback interface, allow all traffic originating from your desktop and drop everything else. This means that even pings from your own network will not get a response. (Yes, I have tested.)

It is not necessary to open port 22 unless you want to SSH into the machine, and ports 80 and 443 do not need to be opened to browse the web. Browsing works just fine with those ports closed, because replies to your own outgoing connections are already accepted by the established,related rule.

Edit the file if needed, then save it and exit nano by pressing Control + x followed by y.
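If you do want to expose SSH, the commented line in the example file opens it to everyone. The ruleset below is an added example, not the workstation.nft shipped by Debian: it is the same file with SSH allowed only for new connections from the local network, an explicit drop policy on the chain, and an early drop of packets the connection tracker considers invalid. The prefix 192.168.1.0/24 is an assumed LAN address range; replace it with your own.

```nft
#!/usr/sbin/nft -f
# Added example based on the Debian workstation.nft, not the file itself.
# 192.168.1.0/24 is an assumed LAN prefix; replace it with your own.

flush ruleset

table inet filter {
        chain input {
                # explicit drop policy: if the final drop rule is ever removed,
                # unmatched traffic is still dropped instead of accepted
                type filter hook input priority 0; policy drop;

                # accept any localhost traffic
                iif lo accept

                # accept traffic originated from us
                ct state established,related accept

                # drop packets the connection tracker flags as invalid
                ct state invalid drop

                # SSH: new connections only, and only from the assumed LAN prefix
                ip saddr 192.168.1.0/24 tcp dport 22 ct state new accept

                # accept neighbour discovery otherwise IPv6 connectivity breaks.
                ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

                # count and drop any other traffic
                counter drop
        }
}
```

Before restarting the service, check the file for syntax errors with `nft -c -f /etc/nftables.conf`; a typo in the ruleset would otherwise leave you without a firewall. Note that the stock example file sets no policy, which is why the listing later in this howto shows `policy accept`: there the trailing `counter drop` rule is what actually drops unmatched traffic.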

Enabling and starting the firewall


Enable it to start on boot:

Code:
# systemctl enable nftables.service


Start nftables now:

Code:
# systemctl start nftables.service


Check that everything is OK:

Code:
# nft list ruleset


It should look like this:
Code:
table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
                iif "lo" accept
                ct state established,related accept
                ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
                counter packets 410 bytes 31247 drop
        }
}


You can also try pinging your computer from another machine on your network; there should be 100% packet loss. Replace 192.168.1.x with your internal address, for instance:

Code:
ping -c3 192.168.1.x
PING 192.168.1.x (192.168.1.x) 56(84) bytes of data.

--- 192.168.1.x ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 50ms


It works.
Lenovo Thinkpad T440S, Intel Core i7-4600U CPU @ 2.10GHz, 8 GB RAM, 256 GB SSD, Debian Buster (KDE)