Howto: Set up a basic nftables firewall (Buster)

Postby Hallvor » 2019-10-05 14:44

Who is this for?
This is a basic firewall for desktop computers and aimed at beginners.

What will it result in?
* An extra layer of security.
* Your computer will not respond to pings or portscans. It will behave as if it is not there at all.
* Your services will be unreachable. You choose when you want to expose them to the Internet.
* All outgoing traffic is open. (This is OK for most users, but if you want top notch firewall security, you should restrict outgoing traffic as well.)

Let's do this

Remove all traces of Iptables and flush all iptables rules:

# iptables -F && apt remove iptables iptables-persistent


Nftables should be installed by default, but just in case...

# apt install nftables


We can see that there are no rules by running

# nft list ruleset


We will now copy the nftables configuration file to the correct location:

# cp /usr/share/doc/nftables/examples/workstation.nft /etc/nftables.conf


Now we will edit the file:

# nano /etc/nftables.conf


It will look like this:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0;

                # accept any localhost traffic
                iif lo accept

                # accept traffic originated from us
                ct state established,related accept

                # activate the following line to accept common local services
                #tcp dport { 22, 80, 443 } ct state new accept

                # accept neighbour discovery otherwise IPv6 connectivity breaks.
                ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

                # count and drop any other traffic
                counter drop
        }
}


The default configuration file will allow all traffic to the loopback interface, allow all traffic originating from your desktop and drop everything else. This means that even pings from your own network will not get a response. (Yes, I have tested this.)

It is not necessary to open port 22 unless you want to SSH into it, and 80 and 443 do not need to be opened to browse the web. It will work just fine with those ports closed.

Edit the file if needed, and save it by pressing Control + x and then y to exit.

Enabling and starting the firewall


Enable start on boot

# systemctl enable nftables.service


Start nftables now

# systemctl start nftables.service


Check that everything is OK

# nft list ruleset


It should look like this:

table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
                iif "lo" accept
                ct state established,related accept
                ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
                counter packets 410 bytes 31247 drop
        }
}


You can also try pinging your computer, and there should be 100% packet loss. Replace 192.168.1.x with your computer's internal address, for instance:

ping -c3 192.168.1.x
PING 192.168.1.x (192.168.1.x) 56(84) bytes of data.

--- 192.168.1.x ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 50ms


It works.
Lenovo ThinkPad T440S, Intel Core i7-4600U CPU @ 2.10GHz, 8 GB RAM, 256 GB SSD, Debian Buster (KDE)
Lenovo ThinkPad X240, Intel Core i5-4300U CPU @ 2.90GHz, 8 GB RAM, 120 GB SSD, Debian Buster (KDE)

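As an added example (not part of Hallvor's post, and not Debian's own workstation.nft): a stricter variant of the ruleset the howto installs, together with a helper that runs "nft -c -f" on it before it is copied to /etc/nftables.conf. The stock file ends its input chain with a "counter drop" rule under "policy accept", which is visible in the listing above; the variant below makes "policy drop" the chain default so that deleting or commenting out that last rule cannot quietly open the host, drops packets conntrack classes as invalid, accepts the ICMPv6 error types IPv6 depends on explicitly, and adds a forward chain that drops. The function names are mine; the paths follow the howto.

```shell
#!/bin/sh
# Added example, not from Hallvor's post or from Debian's workstation.nft:
# a stricter variant of that ruleset, plus a helper that checks it with
# "nft -c" before it is copied into place. Paths follow the howto; the
# function names (hardened_ruleset, install_ruleset) are mine.
set -eu

# Emit the hardened ruleset. Differences from the stock workstation.nft:
#  - policy drop on input, so the host stays closed even if someone deletes
#    or comments out the final rule (the stock file has "policy accept" and
#    relies on a trailing "counter drop")
#  - packets conntrack classes as invalid are dropped before anything else
#  - the ICMPv6 errors IPv6 needs (packet-too-big for path MTU discovery,
#    time-exceeded, parameter-problem) are accepted explicitly instead of
#    trusting conntrack to flag them as related
#  - a forward chain with policy drop, since a desktop is not a router
hardened_ruleset() {
    cat <<'EOF'
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;

                # accept any localhost traffic
                iif "lo" accept

                # drop what conntrack cannot place (bogus flags, out-of-window)
                ct state invalid drop

                # accept replies to connections this host opened
                ct state established,related accept

                # ICMPv6 that IPv6 cannot work without: neighbour discovery and PMTU
                icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, time-exceeded, parameter-problem } accept

                # uncomment to answer pings at a bounded rate instead of staying silent
                #icmp type echo-request limit rate 5/second accept
                #icmpv6 type echo-request limit rate 5/second accept

                # uncomment and edit to expose a service on purpose (22 = ssh)
                #tcp dport { 22 } ct state new accept

                # count what falls through to the drop policy (shown by "nft list ruleset")
                counter drop
        }

        chain forward {
                type filter hook forward priority 0; policy drop;
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}
EOF
}

# Write the ruleset to $1 (default /etc/nftables.conf). When nft is present
# and we are root, "nft -c -f" parses the file and dry-runs it against the
# kernel without changing anything; a bad file is reported and not installed.
install_ruleset() {
    dest=${1:-/etc/nftables.conf}
    tmp=$(mktemp)
    hardened_ruleset > "$tmp"
    if command -v nft > /dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        nft -c -f "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    install -m 0644 "$tmp" "$dest"
    rm -f "$tmp"
}
```

Run "install_ruleset" as root (or "install_ruleset /tmp/test.nft" to only look at the file), then "systemctl enable --now nftables.service" and "nft list ruleset" exactly as in the howto; the input line of the listing should now read "policy drop" instead of "policy accept".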
Re: Howto: Set up a basic nftables firewall (Buster)

Postby None1975 » 2019-12-24 12:25

Thank you for sharing it. Works as it should.
OS: Debian 10.3 Buster / WM: twm
Debian Wiki | DontBreakDebian, My config files in github

Re: Howto: Set up a basic nftables firewall (Buster)

Postby duhok1 » 2020-03-12 00:20

Hallvor wrote:
You can also try pinging your computer, and there should be a 100% packet loss. Replace with your internal address, for instance:

ping -c3 192.168.1.x
PING 192.168.1.x (192.168.1.x) 56(84) bytes of data.

--- 192.168.1.x ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 50ms


It works.


I am getting 100% received pinging my local IP (192.168.0.xx). Appreciate your input.

Re: Howto: Set up a basic nftables firewall (Buster)

Postby Hallvor » 2020-03-12 05:19

What is the output of the following?

# nft list ruleset


# systemctl status nftables.service

Re: Howto: Set up a basic nftables firewall (Buster)

Postby duhok1 » 2020-03-12 12:56

Hallvor wrote:What is the output of the following?

# nft list ruleset


# systemctl status nftables.service


table inet filter {
   chain input {
      type filter hook input priority filter; policy accept;
      iif "lo" accept
      ct state established,related accept
      ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
      counter packets 2 bytes 112 drop
   }
}


● nftables.service - Netfilter Tables
     Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
     Active: active (exited) since Thu 2020-03-12 09:38:25 EDT; 6min ago
       Docs: man:nft(8)
    Process: 807 ExecStart=/usr/bin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
   Main PID: 807 (code=exited, status=0/SUCCESS)

Mar 12 09:38:25 cheebo systemd[1]: Starting Netfilter Tables...
Mar 12 09:38:25 cheebo systemd[1]: Finished Netfilter Tables.

Re: Howto: Set up a basic nftables firewall (Buster)

Postby Hallvor » 2020-03-12 14:00

It is both running and dropping traffic. Unless you have altered the default settings, it should work.

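A shell audit, added here and not part of the thread, for the question the last few posts circle around: given the text of "nft list ruleset" saved to a file, is the input chain actually closed? It reports the stock layout (policy accept with a final "counter drop") as working but fragile, fails when that final drop is missing or no chain is hooked at input at all, and prints the drop counter, the number Hallvor reads as proof that traffic is being dropped. One caveat for the ping test: a ping sent from the firewalled machine to one of its own addresses is routed over lo and accepted by "iif lo accept", so the 100%-loss check only says something when it is run from another host. The function names and the sample listing are mine; the sample reproduces the ruleset posted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit saved output of "nft list ruleset"
# and report whether the input chain is really default-deny, as the howto intends.
# Assumes the default listing layout (one rule per line, each chain body inside
# braces). Function names and the sample listing are mine; the sample reproduces
# the ruleset posted in the thread.
set -eu

# Print the rules of the chain hooked at "input" from the listing in file $1.
input_chain() {
    awk '
        $1 == "chain" { inchain = 1; want = 0; body = ""; next }
        inchain && $1 == "}" { if (want) { printf "%s", body; exit } inchain = 0; next }
        inchain && /hook input/ { want = 1 }
        inchain { body = body $0 "\n" }
    ' "$1"
}

# Packets dropped so far by a trailing "counter ... drop" rule (0 if none).
# Probing from another host while this climbs proves the firewall is dropping,
# even though the target just looks absent.
dropped_packets() {
    n=$(input_chain "$1" |
        sed -n 's/.*counter packets \([0-9][0-9]*\) bytes [0-9][0-9]* drop[[:space:]]*$/\1/p' |
        tail -n 1)
    printf '%s\n' "${n:-0}"
}

# Exit status 0: nothing reaches the host unless a rule accepts it.
# Exit status 1: unsolicited traffic can get in, or no ruleset is loaded.
audit_input_chain() {
    chain=$(input_chain "$1")
    if [ -z "$chain" ]; then
        echo "FAIL: no chain hooked at input; the ruleset is not loaded"
        return 1
    fi
    rc=0
    policy=$(printf '%s\n' "$chain" | sed -n 's/.*policy \([a-z]*\);.*/\1/p')
    # last rule of the chain, leading indentation stripped
    last=$(printf '%s\n' "$chain" | grep -v 'type filter hook' | grep -v '^[[:space:]]*$' |
           tail -n 1 | sed 's/^[[:space:]]*//')
    if [ "$policy" = drop ]; then
        echo "OK: chain policy is drop"
    elif printf '%s\n' "$last" |
         grep -Eq '^(counter( packets [0-9]+ bytes [0-9]+)? )?drop$'; then
        echo "WARN: policy ${policy:-unset}; default deny rests only on the final rule: $last"
    else
        echo "FAIL: policy ${policy:-unset} and the last rule is not an unconditional drop"
        rc=1
    fi
    if printf '%s\n' "$chain" | grep -Eq 'iif "?lo"? accept'; then
        echo "OK: loopback accepted (a ping of your own address from this host is answered via lo)"
    else
        echo "WARN: no loopback accept; anything talking to 127.0.0.1 or ::1 will break"
    fi
    if printf '%s\n' "$chain" | grep -q 'ct state established,related accept'; then
        echo "OK: replies to outgoing connections accepted"
    else
        echo "WARN: no established,related accept; outgoing connections get no replies"
    fi
    echo "INFO: packets dropped so far: $(dropped_packets "$1")"
    return $rc
}

# Constructed sample: the listing Hallvor posted after starting the service.
sample_listing() {
    cat <<'EOF'
table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
                iif "lo" accept
                ct state established,related accept
                ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
                counter packets 410 bytes 31247 drop
        }
}
EOF
}

# Usage on a live system:  nft list ruleset > /tmp/ruleset.txt; audit_input_chain /tmp/ruleset.txt
# Demo on the constructed sample:
f=$(mktemp)
sample_listing > "$f"
audit_input_chain "$f" || echo "RESULT: input chain is open"
rm -f "$f"
```

On the listing from the thread the audit returns 0 with a WARN line, because the chain is closed only by its last rule; change "policy accept" to "policy drop" in /etc/nftables.conf and the same rule becomes belt and braces rather than the whole belt.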
