Howto: Set up a basic nftables firewall (Buster)


Postby Hallvor » 2019-10-05 14:44

Who is this for?
This is a basic firewall for desktop computers and aimed at beginners.

What will it result in?
* An extra layer of security.
* Your computer will not respond to pings or portscans. It will behave as if it is not there at all.
* Your services will be unreachable. You choose when you want to expose them to the Internet.
* All outgoing traffic is open. (This is OK for most users, but if you want top notch firewall security, you should restrict outgoing traffic as well.)

Let's do this

Remove all traces of iptables and flush all iptables rules:

# iptables -F && apt remove iptables iptables-persistent

Nftables should be installed by default, but just in case...
# apt install nftables

We can see that there are no rules by pressing

# nft list ruleset

We will now copy the nftables configuration file to the correct location:
# cp /usr/share/doc/nftables/examples/workstation.nft /etc/nftables.conf

Now we will edit the file:

# nano /etc/nftables.conf

It will look like this:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0;

                # accept any localhost traffic
                iif lo accept

                # accept traffic originated from us
                ct state established,related accept

                # activate the following line to accept common local services
                #tcp dport { 22, 80, 443 } ct state new accept

                # accept neighbour discovery otherwise IPv6 connectivity breaks.
                ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert } accept

                # count and drop any other traffic
                counter drop
        }
}

The default configuration file will allow all traffic to the loopback interface, allow all traffic originating from your desktop and drop everything else. This means that even pings from your own network will not get a response. (Yes, I have tested.)

It is not necessary to open port 22 unless you want to SSH into it, and 80 and 443 do not need to be opened to browse the web. It will work just fine with those ports closed.

Edit the file if needed, and save it by pressing Control + x and then y to exit.

Enabling and starting the firewall

Enable start on boot

# systemctl enable nftables.service

Start nftables now

# systemctl start nftables.service

Check that everything is OK

# nft list ruleset

It should look like this:
table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
                iif "lo" accept
                ct state established,related accept
                ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
                counter packets 410 bytes 31247 drop
        }
}

You can also try pinging your computer; there should be 100% packet loss. Replace x with your internal address, for instance:

ping -c3 192.168.1.x
PING 192.168.1.x (192.168.1.x) 56(84) bytes of data.

--- 192.168.1.x ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 50ms

It works.
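The stock workstation.nft from the post, extended as an added example (this is editor-written, not code from the original post or from the Debian nftables package): the input chain keeps the same behaviour but declares `policy drop`, so the host stays closed even if a later rule fails to load; it accepts the ICMP and ICMPv6 error types that path-MTU discovery depends on while still dropping echo requests; it opens SSH to the local network only, with a rate limit; and it adds an output chain for the "restrict outgoing traffic as well" case mentioned at the top of the post. The LAN prefix 192.168.1.0/24, the SSH port 22 and the list of allowed outbound ports are assumptions; adjust them to your network.

```nft
#!/usr/sbin/nft -f
# Added example: a stricter variant of /usr/share/doc/nftables/examples/workstation.nft.
# Assumptions (edit to match your setup): the LAN is 192.168.1.0/24,
# sshd listens on tcp/22, and the desktop only needs DNS, NTP, SSH and web outbound.

flush ruleset

table inet filter {
        chain input {
                # policy drop: the default is closed even if a rule below is missing
                type filter hook input priority 0; policy drop;

                # loopback
                iif "lo" accept

                # drop packets conntrack cannot match to any flow (malformed / out of window)
                ct state invalid drop

                # replies to connections this host opened
                ct state established,related accept

                # IPv6 neighbour discovery, as in the stock file
                ip6 nexthdr ipv6-icmp icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

                # ICMP error messages needed for path-MTU discovery; echo-request is still dropped
                ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
                ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

                # SSH only from the LAN (assumed prefix), rate-limited against brute force
                ip saddr 192.168.1.0/24 tcp dport 22 ct state new limit rate 10/minute accept

                # count whatever the policy is about to drop, for nft list ruleset
                counter drop
        }

        chain forward {
                # a desktop does not route; refuse to forward anything
                type filter hook forward priority 0; policy drop;
        }

        chain output {
                # restricted outgoing: only listed traffic leaves the host
                type filter hook output priority 0; policy drop;

                oif "lo" accept
                ct state invalid drop
                ct state established,related accept

                # neighbour discovery and DHCP/DHCPv6 so the box can configure its addresses
                ip6 nexthdr ipv6-icmp icmpv6 type { nd-neighbor-solicit, nd-router-solicit, nd-neighbor-advert } accept
                udp dport { 67, 547 } accept

                # DNS and NTP over UDP; DNS, SSH and web over TCP (assumed allow list)
                udp dport { 53, 123 } accept
                tcp dport { 53, 22, 80, 443 } accept

                # log and drop the rest so the allow list can be tuned from the kernel log
                counter log prefix "nft-out-drop: " drop
        }
}
```

Check the file for syntax errors without loading it with `nft -c -f /etc/nftables.conf`, then `systemctl restart nftables.service` and confirm with `nft list ruleset`; outbound drops show up in `journalctl -k` with the `nft-out-drop:` prefix. The trailing `counter drop` in the input chain is only there so that `nft list ruleset` shows how much was refused; with `policy drop` it changes nothing. That is the point of the policy: in the stock file the chain policy is `accept`, so a config that loads only partially leaves the host open, whereas here it stays closed. Expect the output chain to break anything not on the list (a mail client, a package proxy on an unusual port, printers); add ports deliberately rather than removing the chain.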

Re: Howto: Set up a basic nftables firewall (Buster)

Postby None1975 » 2019-12-24 12:25

Thank you for sharing it. Works as it should.
