8 April 2014, 14:26

 

We'll see here how to set up nftables.
We'll be using Ubuntu GNOME 14.04 (Trusty Tahr) (beta / daily build of March 17, 2014 here) because nftables needs a Linux 3.13 kernel.

Note that beta software is not fit for a production environment.

 

All nft commands need root to function, so either use sudo or sudo -s. Throughout this post I'll assume we are root.

 


 

 

1. Ubuntu GNOME 14.04 environment quick help:

 

To set up the keyboard:

 

Activities >
search > keyboard layout settings > language > add [your language]
select [your language] in the top-right taskbar

 

To launch a terminal :

 

search > terminal
    or
bottom left: Show Applications > Utilities > Terminal
    or
CTRL+ALT+T

 

 

2. Check the kernel version (3.13 or later needed)

uname -r
uname -a

 

3. Check that the modules are present


sudo -s
modprobe nf_tables                      ( should print no error message )
lsmod | grep nf_tables                  ( should list the nf_tables module )
dmesg                                   ( should mention nf_tables near the end )

modprobe nf_tables_ipv4                 ( should print no error message )
modprobe nf_tables_ipv6                 ( should print no error message )
lsmod | grep nf_tables                  ( should now also list nf_tables_ipv4 and nf_tables_ipv6 )
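The two checks above (kernel release and module availability) as one script. This is an added example, not part of the original post; it assumes a Linux host with uname, modprobe and lsmod, and it reads /sys/module so that a built-in nf_tables (which lsmod never shows) also counts. The version check runs unprivileged, the module checks need root.

```sh
#!/bin/sh
# nft-preflight.sh : added example, not from the original post.
# Automates the checks of sections 2 and 3: kernel >= 3.13 and nf_tables loadable.

# kernel_at_least MAJOR MINOR [RELEASE]
# Returns 0 when RELEASE (default: output of uname -r) is >= MAJOR.MINOR.
# Handles releases such as "3.13.0-19-generic" or "4.4.0-21-generic".
kernel_at_least() {
    want_major=$1
    want_minor=$2
    rel=${3:-$(uname -r)}
    num=${rel%%[!0-9.]*}              # "3.13.0-19-generic" -> "3.13.0"
    case $num in ''|.*) return 1 ;; esac   # not a version string at all
    major=${num%%.*}
    rest=${num#*.}
    if [ "$rest" = "$num" ]; then minor=0; else minor=${rest%%.*}; fi
    [ "$major" -gt "$want_major" ] && return 0
    [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ] && return 0
    return 1
}

# module_present NAME : 0 if NAME is loaded or built into the kernel.
module_present() {
    [ -d "/sys/module/$1" ]
}

# check_modules : nf_tables is mandatory. nf_tables_ipv4/ipv6 exist on 3.13-era
# kernels; newer kernels folded them into nf_tables, so their absence is a warning.
check_modules() {
    modprobe nf_tables || { echo "FAIL: cannot load nf_tables" >&2; return 1; }
    module_present nf_tables || { echo "FAIL: nf_tables not present" >&2; return 1; }
    echo "ok: nf_tables present"
    for m in nf_tables_ipv4 nf_tables_ipv6; do
        if modprobe "$m" 2>/dev/null && module_present "$m"; then
            echo "ok: $m loaded"
        else
            echo "warn: $m not available (merged into nf_tables on newer kernels)"
        fi
    done
    dmesg | grep -i nf_tables | tail -n 3
    return 0
}

main() {
    if kernel_at_least 3 13; then
        echo "ok: kernel $(uname -r) >= 3.13"
    else
        echo "FAIL: kernel $(uname -r) is older than 3.13, nftables unsupported" >&2
        return 1
    fi
    [ "$(id -u)" -eq 0 ] || { echo "FAIL: run as root for the module checks" >&2; return 1; }
    check_modules
}

# Run the checks only when executed as nft-preflight.sh, so the functions
# can also be sourced from another script.
case ${0##*/} in nft-preflight.sh) main "$@"; exit $? ;; esac
```

Save it as nft-preflight.sh and run `sudo sh nft-preflight.sh`; a non-zero exit means the host cannot run nftables as described in this post.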

 

4. nftables installation

We have to install the user-space software.

nftables requires libmnl and libnftnl.

 

 

sudo -s
apt-get update

apt-get install libmnl0                ( normally already installed )
apt-get install libmnl-dev

 

 

We install the build tools:

 

apt-get install git
apt-get install autoconf
apt-get install libtool
apt-get install pkg-config
apt-get install flex
apt-get install bison
apt-get install libgmp3-dev
apt-get install libreadline6-dev
apt-get install autogen

apt-get install docbook2x docbook-utils
( optional, generates a .pdf file at /home/[user]/nftables/doc/nftables.pdf )

 

We can finally build and install libnftnl and nftables:

 

git clone git://git.netfilter.org/libnftnl
cd libnftnl
sh autogen.sh
./configure
make
make install
ldconfig                                ( refresh the linker cache so nft finds the new libnftnl in /usr/local/lib )

cd ..
git clone git://git.netfilter.org/nftables
cd nftables
sh autogen.sh
./configure
make
make install

Note that the git:// transport is neither authenticated nor encrypted, so what you build is whatever the network hands you. Prefer cloning over https://git.netfilter.org/ where available, and review the checkout (git log, git status) before building and installing as root.

 

5. Functioning tests
 

[screenshot]

 

 

We load the template ipv4 table:
nft -f /home/[user]/nftables/files/nftables/ipv4-filter

 

We should get no error.

 

We list the table:
nft list table filter

 

We should get an output like this:

[screenshot: output of nft list table filter]

 

6. nft basic commands and first rule

 

 

Here are the basic nft commands:

 

nft -h                                                          displays help
nft -f /home/[user]/nftables/files/nftables/ipv4-filter         loads the ipv4 template table
nft -f /home/[user]/nftables/files/nftables/ipv6-filter         loads the ipv6 template table
nft list table filter                                           lists the ipv4 table named 'filter' (the ip family is the default)
nft list table ip6 filter                                       lists the ipv6 table named 'filter'

We add a rule that counts ipv4 output packets to IP 192.168.0.1:
nft add rule filter output ip daddr 192.168.0.1 counter

We add a rule that counts tcp output packets to port 22 (ssh):
nft add rule filter output tcp dport ssh counter

 

nft list table filter

 

It should show the added rules:

[screenshot: nft list table filter showing the two added rules]

Note these alternative syntaxes for rule listing:
nft list table filter -n                ( lists the ipv4 filter table without DNS resolution )
nft list table filter -nn               ( lists the ipv4 filter table without DNS resolution or port name resolution )

We test these two rules (telnet is not installed by default on Ubuntu; apt-get install telnet, or use any other TCP client to port 22):

ping -c 4 192.168.0.1
telnet 192.168.0.1 22

 

nft -nn list table filter

The packets should have been recorded:

[screenshot: nft -nn list table filter with non-zero packet and byte counters]

 

nftables is working here.

Let's finally see how to flush the filter tables:
nft flush table filter
nft flush table ip6 filter

flush removes the rules but keeps the tables and chains, so the templates don't need to be reloaded. Also note that the table configuration is volatile: it lives in the kernel only and won't survive a reboot.


7. nftables IPv6 functioning test

We create the same two test rules for ipv6 (the ip6 template table must have been loaded first, see section 6):

 

nft add rule ip6 filter output ip6 daddr 2001:db8:0:0::1 counter
nft add rule ip6 filter output tcp dport ssh counter
nft list table ip6 filter

We test these two rules (the listing must name the ip6 family, otherwise the ipv4 table is shown):
ping6 -c 4 2001:db8:0:0::1
telnet 2001:db8:0:0::1 22
nft -nn list table ip6 filter

The packets should have been recorded:

[screenshot: nft -nn list table ip6 filter with non-zero counters]

IPv6 nftables is working here.


8. Notes

(1) To load a table config file:

Use the full path to a config file. Some IPv4 and IPv6 table templates are located here (the /usr/local/etc copies are put there by make install):

/home/[user]/nftables/files/nftables/ipv4-filter
/home/[user]/nftables/files/nftables/ipv6-filter
/usr/local/etc/nftables/ipv4-filter
/usr/local/etc/nftables/ipv6-filter

Commands:
nft -f /home/[user]/nftables/files/nftables/ipv4-filter
nft -f /usr/local/etc/nftables/ipv4-filter

nft -f /home/[user]/nftables/files/nftables/ipv6-filter
nft -f /usr/local/etc/nftables/ipv6-filter

Since nftables loads none of these files at boot time, we can modify them at will, or use a config file placed in any other location.


(2) To delete rules chain by chain:

nft delete rule filter input
nft delete rule filter output
nft delete rule filter forward

nft delete rule ip6 filter input
nft delete rule ip6 filter output
nft delete rule ip6 filter forward

Note that in current nft releases, delete rule requires a rule handle (shown with nft -a list table filter); to empty a whole chain, use nft flush chain filter input instead.


(3) To use a bash file to load a ruleset:

gedit ruleset1.sh :
---------------------------------------------------------
#!/bin/bash
# Reload the test ruleset: empty both filter tables, then re-add the counter rules.
# Must run as root, and both template tables must already exist (see sections 6 and 7).
# Stop at the first failing nft command instead of continuing with a half-loaded ruleset.
set -e

nft flush table filter
nft flush table ip6 filter
nft add rule filter output ip daddr 192.168.0.1 counter
nft add rule filter output tcp dport ssh counter
nft add rule ip6 filter output ip6 daddr 2001:db8:0:0::1 counter
nft add rule ip6 filter output tcp dport ssh counter

exit 0
------------------------------------------------------------
chmod +x ruleset1.sh

We can now easily load our ruleset with:
sudo ./ruleset1.sh

Each nft command here is a separate kernel operation, so between the flush and the last add the tables are briefly empty (and with the templates' accept policy, briefly open). A ruleset file loaded with nft -f is applied as a single atomic transaction, which is the better choice once the rules matter.

nb: There are other ways to load / save rulesets, and boot-time ruleset loading has its own issues. We'll see them in the following parts.

nb: Beware of Windows / Linux line-ending problems when importing text or config files from a Windows OS: nft -f rejects carriage returns as syntax errors.
Print the file with cat in a terminal, then copy and paste it into a fresh new file (or strip the carriage returns with tr -d '\r').
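The two notes above (loading a ruleset from a file, and the Windows line-ending pitfall) put together as one script: it generates the ip and ip6 filter tables of sections 6 and 7 as a single ruleset file, refuses a file with CRLF endings, syntax-checks it, then loads it with one nft -f call so the kernel applies it atomically. This is an added example, not the post's own code; it assumes a current nft, since flush ruleset in a file and the -c (check only) flag are newer than the March 2014 build used here, and the file name and addresses are placeholders.

```sh
#!/bin/sh
# nft-load.sh : added example, not from the original post.
# One ruleset file, one atomic load, instead of a chain of separate nft add commands.

# gen_ruleset V4_ADDR V6_ADDR : print the complete ruleset on stdout.
gen_ruleset() {
    cat <<EOF
flush ruleset

table ip filter {
    chain input   { type filter hook input priority 0; policy accept; }
    chain forward { type filter hook forward priority 0; policy accept; }
    chain output {
        type filter hook output priority 0; policy accept;
        ip daddr $1 counter
        tcp dport 22 counter
    }
}

table ip6 filter {
    chain input   { type filter hook input priority 0; policy accept; }
    chain forward { type filter hook forward priority 0; policy accept; }
    chain output {
        type filter hook output priority 0; policy accept;
        ip6 daddr $2 counter
        tcp dport 22 counter
    }
}
EOF
}

# has_crlf FILE : 0 if FILE contains carriage returns (Windows line endings),
# which nft -f rejects as a syntax error.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# write_ruleset FILE V4_ADDR V6_ADDR : write the ruleset, readable by root only
# (umask in a subshell so the caller's umask is untouched).
write_ruleset() {
    ( umask 077; gen_ruleset "$2" "$3" > "$1" )
}

# load_ruleset FILE : reject CRLF, syntax-check only (nft -c), then load atomically.
load_ruleset() {
    if has_crlf "$1"; then
        echo "refusing $1: CRLF line endings, run tr -d '\\r' on it first" >&2
        return 1
    fi
    nft -c -f "$1" || { echo "syntax check failed for $1" >&2; return 1; }
    nft -f "$1"
}

# Run only when executed as nft-load.sh; the file path is a placeholder.
case ${0##*/} in
nft-load.sh)
    f=${1:-/usr/local/etc/nftables/test-counters.nft}
    write_ruleset "$f" 192.168.0.1 2001:db8:0:0::1
    load_ruleset "$f" && nft list ruleset
    exit $?
    ;;
esac
```

Run it as `sudo sh nft-load.sh [file]`. Because the file starts with flush ruleset, repeated loads replace the previous ruleset in the same transaction, so there is never a moment with empty, accept-everything tables.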

 

Published by Computer Outlines (blog mainly focused on IPv6, Windows Server, and Networking in general) in Nftables