In Red Hat Enterprise Linux 8 the network security dynamic duo Firewalld and NFTables make their new team debut.
NFTables (replacing IPTables) is a new subsystem of the Linux kernel which provides filtering and classification of network packets, datagrams, or frames. It provides an in-kernel packet classification framework based on a network-specific Virtual Machine (VM), driven by the new nft userspace command line tool.
The default firewall management tool in RHEL 8 continues to be firewalld (firewall-cmd), which gained support for nftables with version 0.6.0.
ℹ️ For 99% of all use cases the firewalld tools are the best choice. For this lab, however, we are trying to introduce nft and demonstrate some differences to the former iptables.
For these exercises, you will be using the host node2 as user root.
From host bastion, ssh to node2.
ssh node2
Use sudo to elevate your privileges.
sudo -i
Verify that you are on the right host for these exercises.
workshop-nftables-checkhost.sh
You are now ready to proceed with these exercises.
Using nft, show the current state of the network tables.
nft list tables
table ip filter
table ip6 filter
table bridge filter
table ip security
table ip raw
table ip mangle
table ip nat
table ip6 security
table ip6 raw
table ip6 mangle
table ip6 nat
table bridge nat
table inet firewalld
table ip firewalld
table ip6 firewalld
Using nft, show the current state of the network chains.
nft list chains
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority 0; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}
...<snip>...
ℹ️ The output for this can be VERY long. You can optionally use nft list chains | less if you would like a pageable view of the output.
Insert a rule at the top of the INPUT chain of the ip filter table that accepts TCP traffic to the HTTP port.
nft insert rule ip filter INPUT tcp dport http accept
Verify the rule change.
nft -n -a list table ip filter
table ip filter { # handle 1
    chain INPUT { # handle 1
        type filter hook input priority 0; policy accept;
        tcp dport http accept # handle 4
    }
    chain FORWARD { # handle 2
        type filter hook forward priority 0; policy accept;
    }
    chain OUTPUT { # handle 3
        type filter hook output priority 0; policy accept;
    }
}
Remember the rule handle; we will use it next to delete the rule.
nft delete rule filter INPUT handle 4
Verify the rule change.
nft -n -a list table ip filter
table ip filter { # handle 1
    chain INPUT { # handle 1
        type filter hook input priority 0; policy accept;
    }
    chain FORWARD { # handle 2
        type filter hook forward priority 0; policy accept;
    }
    chain OUTPUT { # handle 3
        type filter hook output priority 0; policy accept;
    }
}
Add Multiple Rules at Once
A single rule with an anonymous set can accept several TCP ports at once. Insert one that accepts SSH, HTTP, HTTPS, and port 8181.
nft insert rule ip filter INPUT tcp dport { ssh, http, https, 8181 } accept
Verify the new rules.
nft -n -a list table ip filter
table ip filter { # handle 1
    chain INPUT { # handle 1
        type filter hook input priority 0; policy accept;
        tcp dport { ssh, http, https, 8181 } accept # handle 6
    }
    chain FORWARD { # handle 2
        type filter hook forward priority 0; policy accept;
    }
    chain OUTPUT { # handle 3
        type filter hook output priority 0; policy accept;
    }
}
⚠️ DO NOT do this step unless you successfully completed "Add Multiple Rules at Once" above. You will get locked out of your network connection to node2.example.com if you have not.
Set the INPUT chain default policy to drop all traffic not specifically accepted.
nft add chain ip filter INPUT { type filter hook input priority 0\; policy drop\; }
Verify Increased Security
nft -n -a list table ip filter
table ip filter { # handle 1
    chain INPUT { # handle 1
        type filter hook input priority 0; policy drop;
        tcp dport { ssh, http, https, 8181 } accept # handle 6
    }
    chain FORWARD { # handle 2
        type filter hook forward priority 0; policy accept;
    }
    chain OUTPUT { # handle 3
        type filter hook output priority 0; policy accept;
    }
}
Remove rules added during this exercise. We begin by setting the INPUT chain default policy to accept all traffic.
nft add chain ip filter INPUT { type filter hook input priority 0\; policy accept\; }
Now find the handle and remove the rule currently allowing access for SSH, HTTP, HTTPS, and 8181.
nft -n -a list table ip filter
table ip filter { # handle 1
    chain INPUT { # handle 1
        type filter hook input priority 0; policy accept;
        tcp dport { ssh, http, https, 8181 } accept # handle 6
    }
    chain FORWARD { # handle 2
        type filter hook forward priority 0; policy accept;
    }
    chain OUTPUT { # handle 3
        type filter hook output priority 0; policy accept;
    }
}
In the output above, we determine the handle for our rule is '6'.
nft delete rule filter INPUT handle 6
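The two manual steps above, reading a handle off the screen and remembering to keep the SSH accept rule before switching INPUT to policy drop, are easy to get wrong in a script. The following is an added example (not part of the original lab) with two helpers that work on the text of nft -n -a list table ip filter read from stdin; the sample ruleset and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original lab. Two helpers that work on the text
# of `nft -n -a list table ip filter` (read from stdin): one finds a rule handle
# by pattern instead of reading it off the screen, the other is a guard for the
# "policy drop" step that fails unless INPUT already accepts ssh.

# Constructed sample in the shape of the lab output above.
SAMPLE_RULESET='table ip filter { # handle 1
    chain INPUT { # handle 1
        type filter hook input priority 0; policy accept;
        tcp dport { ssh, http, https, 8181 } accept # handle 6
    }
    chain FORWARD { # handle 2
        type filter hook forward priority 0; policy accept;
    }
}'

# find_handle CHAIN PATTERN: print the handle of the first rule in CHAIN whose
# text contains PATTERN (a plain substring, so "{" needs no escaping).
find_handle() {
    awk -v chain="$1" -v pat="$2" '
        $1 == "chain" { cur = $2 }      # entering a chain block
        $1 == "}"     { cur = "" }      # leaving it
        cur == chain && index($0, pat) && /# handle [0-9]+$/ {
            sub(/.*# handle /, ""); print; exit
        }'
}

# input_accepts_ssh: exit 0 when INPUT has an accept rule matching port ssh,
# 1 otherwise, so a script can refuse to set "policy drop" and lock itself out.
input_accepts_ssh() {
    awk '
        $1 == "chain" { cur = $2 }
        $1 == "}"     { cur = "" }
        cur == "INPUT" && /dport/ && /ssh/ && /accept/ { found = 1 }
        END { exit !found }'
}

# Intended use on node2 as root (needs nft; kept as comments so the example
# runs anywhere):
#   nft -n -a list table ip filter | input_accepts_ssh \
#     && nft add chain ip filter INPUT '{ type filter hook input priority 0; policy drop; }' \
#     || echo "refusing: INPUT has no ssh accept rule"
#   h=$(nft -n -a list table ip filter | find_handle INPUT 'dport { ssh')
#   nft delete rule ip filter INPUT handle "$h"

# Demo on the constructed sample (prints 6):
printf '%s\n' "$SAMPLE_RULESET" | find_handle INPUT 'dport { ssh'
```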
ℹ️ You can also use the 'flush' option to clear an entire table: nft flush table ip filter
Verify that everything is back to normal.
nft -n -a list table ip filter
table ip filter { # handle 1
    chain INPUT { # handle 1
        type filter hook input priority 0; policy accept;
    }
    chain FORWARD { # handle 2
        type filter hook forward priority 0; policy accept;
    }
    chain OUTPUT { # handle 3
        type filter hook output priority 0; policy accept;
    }
}
You can find more information: