nftables wiki - User contributions [en]

Talk:Rate limiting matchings

2020-06-16T18:51:41Z

Glloyd: Adding some questions on ICMP, IGMP, and rate limiting

(1) I'm not an expert so more examples on rate-limited ICMP rules would be very helpful.

(2) Which ICMP packet types should be allowed? All? Or only certain types?

(3) Is IGMP ok to allow all packets on?

I've seen rules like this but I don't know enough to understand what the impact would be. I also don't fully understand what 'meta l4proto' is doing (From ArchWiki: https://wiki.archlinux.org/index.php/Nftables)

<source lang="bash">
meta l4proto ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept comment "Accept ICMPv6"

meta l4proto icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept comment "Accept ICMP"

ip protocol igmp accept comment "Accept IGMP"
</source>

Main Page

2020-06-16T18:04:46Z

Glloyd: Add server example

Welcome to the ''nftables'' HOWTO documentation page. Here you will find documentation on how to build, install, configure and use nftables.

If you have any suggestion to improve it, please send your comments to Netfilter users mailing list <netfilter@vger.kernel.org>.

= Introduction =

* [[What is nftables?]]
* [[Why nftables?]]
* [[Main differences with iptables]]
* [[Netfilter hooks]] and integration with existing Netfilter components.
* [[Adoption]]
* [[Legacy xtables tools]]
* [[How to obtain help/support]]

= Getting started =

* [[Building and installing nftables from sources]]
* Using [[nftables from distributions]]
* [[Troubleshooting|Troubleshooting and FAQ]]
* [[Quick reference-nftables in 10 minutes|Quick reference, nftables in 10 minutes]]
* [[nftables families|Understanding nftables families]]

= Basic operation =

* [[Configuring tables]]
* [[Configuring chains]]
* [[Simple rule management]]
* [[Atomic rule replacement]]
* [[Error reporting from the command line]]
* [[Building rules through expressions]]
* [[Operations at ruleset level]]
* [[Monitoring ruleset updates]]
* [[Scripting]]
* [[Ruleset debug/tracing]]
* [[Moving from iptables to nftables]]
* [[Moving from ipset to nftables]]

= Supported selectors for packet matching =

* [[Matching packet header fields]]
* [[Matching packet metainformation]]
* [[Matching connection tracking stateful metainformation]]
* [[Rate limiting matchings]]
* [[Routing information]]

= Possible actions on packets =

* [[Accepting and dropping packets]]
* [[Jumping to chain]]
* [[Rejecting traffic]]
* [[Logging traffic]]
* [[Performing Network Address Translation (NAT)]]
* [[Setting packet metainformation]]
* [[Queueing to userspace]]
* [[Duplicating packets]]
* [[Mangle packet header fields]]
* [[Mangle TCP options]]
* [[Counters]]
* [[Load balancing]]
* [[Setting packet connection tracking metainformation]]

Note that, unlike ''iptables'', you can perform several actions in one single rule.

= Advanced data structures for performance packet classification =

You will have to redesign your rule-set to benefit from these new nice features:

* [[Sets]]
* [[Dictionaries]]
* [[Intervals]]
* [[Maps]]
* [[Concatenations]]
* [[Meters|Metering]] (formerly known as flow tables before nftables 0.8.1 release)
* [[Updating sets from the packet path]]
* [[Element timeouts]]
* [[Math operations]]
* [[Stateful objects]]
* [[Flowtable]] (the fastpath network stack bypass)

If you are already using [[ipset]] in your ''iptables'' rule-set, that transition may be a bit more simple to you.

= Examples =

* [[Simple ruleset for a workstation]]
* [[Simple ruleset for a server]]
* [[Bridge filtering]]
* [[Multiple NATs using nftables maps]]
* [[Classic perimetral firewall example]]
* [[Port knocking example]]
* [[Classification to tc structure example]]
* [[Using configuration management systems]] (like puppet, ansible, etc)
* [[GeoIP matching]]

= Development =

Check [[Portal:DeveloperDocs|Portal:DeveloperDocs - documentation for netfilter developers]].

Some hints on the general development progress:

* [[List of updates since Linux kernel 3.13]]
* [[Supported features compared to xtables|Supported features compared to {ip,ip6,eb,arp}tables]]
* [[List of available translations via iptables-translate tool]]

= External links =

Watch some videos:

* Watch [https://www.youtube.com/watch?v=FXTRRwXi3b4 Getting a grasp of nftables], thanks to [https://www.nluug.nl/index-en.html NLUUG association] for recording this.
* Watch [https://www.youtube.com/watch?v=CaYp0d2wiuU#t=1m47s The ultimate packet classifier for GNU/Linux], thanks to the FSFE for paying my trip to Barcelona and for recommending me as speaker to the KDE Spanish branch.
* [https://www.youtube.com/watch?v=Sy0JDX451ns Florian Westphal - Why nftables?]
* Watch [https://www.youtube.com/watch?v=qXVOA2MKA1s Netdev 2.1 - Netfilter workshop]
* Watch [https://youtu.be/iCj10vEKPrw Netdev 2.2 - Netf‌ilter mini-workshop]
* Watch [https://youtu.be/0hqfzp6tpZo Netdev 0x12 - Netf‌ilter mini-workshop]
* Watch [https://www.youtube.com/watch?v=0wQfSfDVN94 NLUUG - Goodbye iptables, Hello nftables]
* Watch [https://www.youtube.com/watch?v=Uf5ULkEWPL0 LCA2018 - nftables from a user perspective]

Additional documentations and articles:

* Tutorial [https://zasdfgbnm.github.io/2017/09/07/Extending-nftables/ Extending nftables by Xiang Gao]
* Article [http://ral-arturo.org/2017/05/05/debian-stretch-stable-nftables.html New in Debian stable Stretch: nftables]

= Thanks =

To the NLnet foundation for initial sponsorship of this HOWTO:

[https://nlnet.nl https://nlnet.nl/image/logo.gif]

To Eric Leblond, for boostrapping the [https://home.regit.org/netfilter-en/nftables-quick-howto/ Nftables quick howto] in 2013.

Simple ruleset for a server

2020-06-16T18:03:56Z

Glloyd: Create page

Here's a very basic example of the nftables.conf file you might use on a web server. In this example, we have the option to block off all incoming traffic from the server except from "safe" IP ranges. This is handy if your server is behind CloudFlare, Sucuri, or other similar traffic filtering services.

'''Note:''' Initially, this conf allows all inbound traffic until you comment/uncomment the "From approved IP ranges only" section.

= nftables.conf =

<source lang="bash">
#!/usr/sbin/nft -f

flush ruleset

# List all IPs and IP ranges of your traffic filtering proxy source.
define SAFE_TRAFFIC_IPS = {
x.x.x.x/xx,
x.x.x.x/xx,
x.x.x.x,
x.x.x.x
}

table inet firewall {

chain inbound {

# By default, drop all traffic unless it meets a filter
# criteria specified by the rules that follow below.
type filter hook input priority 0; policy drop;

# Allow traffic from established and related packets.
ct state established,related accept

# Drop invalid packets.
ct state invalid drop

# Allow loopback traffic.
iifname lo accept

# Allow all ICMP and IGMP traffic, but enforce a rate limit
# to help prevent some types of flood attacks.
ip protocol icmp limit rate 4/second accept
ip6 nexthdr ipv6-icmp limit rate 4/second accept
ip protocol igmp limit rate 4/second accept

# Allow SSH on port 22.
tcp dport 22 accept

# Allow HTTP(S).
# -- From anywhere
tcp dport { http, https } accept
udp dport { http, https } accept
# -- From approved IP ranges only
# tcp dport { http, https } ip saddr $SAFE_TRAFFIC_IPS accept
# udp dport { http, https } ip saddr $SAFE_TRAFFIC_IPS accept

# Uncomment to allow incoming traffic on other ports.
# -- Allow Jekyll dev traffic on port 4000.
# tcp dport 4000 accept
# -- Allow Hugo dev traffic on port 1313.
# tcp dport 1313 accept

# Uncomment to enable logging of denied inbound traffic
# log prefix "[nftables] Inbound Denied: " flags all counter drop

}

chain forward {

# Drop everything (assumes this device is not a router)
type filter hook forward priority 0; policy drop;

# Uncomment to enable logging of denied forwards
# log prefix "[nftables] Forward Denied: " flags all counter drop

}

chain outbound {

# Allow all outbound traffic
type filter hook output priority 0; policy accept;

}

}
</source>

Sets

2020-06-16T17:50:04Z

Glloyd: Add set syntax and examples for nftables.conf

''nftables'' comes with a built-in generic set infrastructure that allows you to use '''any''' supported selector to build sets. This infrastructure makes possible the representation of [[dictionaries]] and [[maps]].

The set elements are internally represented using performance data structures such as hashtables and red-black trees.

= Anonymous sets =

Anonymous sets are those that are:

* Bound to a rule, if the rule is removed, that set is released too.
* They have no specific name, the kernel internally allocates an identifier.
* They cannot be updated. So you cannot add and delete elements from it once it is bound to a rule.

The following example shows how to create a simple set.

<source lang="bash">
% nft add rule ip filter output tcp dport { 22, 23 } counter
</source>

This rule above catches all traffic going to TCP ports 22 and 23, in case of matching the counters are updated.

Eric Leblond in his [https://home.regit.org/2014/01/why-you-will-love-nftables/ Why you will love nftables] article shows a very simple example to compare iptables with nftables:

<source lang="bash">
ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
</source>

Which can be expressed in ''nftables'' with a couple of rules that provide a set:

<source lang="bash">
% nft add rule ip6 filter input tcp dport {telnet, http, https} accept
% nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
</source>

= Named sets =

You can create the named sets with the following command:

<source lang="bash">
% nft add set ip filter blackhole { type ipv4_addr\;}
</source>

Note that ''blackhole'' is the name of the set in this case. The ''type'' option indicates the data type that this set stores, which is an IPv4 address in this case. Current maximum name length is 16 characters.

<source lang="bash">
% nft add element ip filter blackhole { 192.168.3.4 }
% nft add element ip filter blackhole { 192.168.1.4, 192.168.1.5 }
</source>

Then, you can use it from the rule:

<source lang="bash">
% nft add rule ip filter input ip saddr @blackhole drop
</source>

Named sets can be updated anytime, so you can add and delete element from them.

== nftables.conf syntax ==

When working with nftables.conf, you can define sets in a number of ways. You can then reference those sets later on using <code>$VARIABLE_NAME</code> notation.

Here are some examples showing sets defined in one line, spanning multiple lines, and sets referencing other sets. The set is then used in a rule to allow incoming traffic from certain IP ranges.

<source lang="bash">
define SIMPLE_SET = { 192.168.1.1, 192.168.1.2 }

define CDN_EDGE = {
192.168.1.1,
192.168.1.2,
192.168.1.3,
10.0.0.0/8
}

define CDN_MONITORS = {
192.168.1.10,
192.168.1.20
}

define CDN = {
$CDN_EDGE,
$CDN_MONITORS
}

# Allow HTTP(S) from approved IP ranges only
tcp dport { http, https } ip saddr $CDN accept
udp dport { http, https } ip saddr $CDN accept
</source>

= Named sets specifications =

Sets specifications are:

* '''type''', is obligatory and determines the data type of the set elements. Supported data types currently are:
** ''ipv4_addr'': IPv4 address
** ''ipv6_addr'': IPv6 address.
** ''ether_addr'': Ethernet address.
** ''inet_proto'': Inet protocol type.
** ''inet_service'': Internet service (read tcp port for example)
** ''mark'': Mark type.
** ''ifname'': Network interface name (eth0, eth1..)

* '''timeout''', it determines how long an element stays in the set. The time string respects the format: ''"v1dv2hv3mv4s"'':

<source lang="bash">
% nft add table ip filter
% nft add set ip filter ports {type inet_service \; timeout 3h45s \;}
</source>

These commands create a table named ''filter'' and add a set named ''ports'' to it, where elements are deleted after 3 hours and 45 seconds of being added.

* '''flags''', the available flags are:
** ''constant'' - set content may not change while bound
** ''interval'' - set contains intervals
** ''timeout'' - elements can be added with a timeout

Multiple flags should be separated by comma:

<source lang="bash">
% nft add set ip filter flags_set {type ipv4_addr\; flags constant, interval\;}
</source>

* '''gc-interval''', stands for garbage collection interval, can only be used if ''timeout'' or ''flags timeout'' are active. The interval follows the same format of ''timeouts'' time string ''"v1dv2hv3mv4s"''.

* '''elements''', initialize the set with some elements in it:

<source lang="bash">
% nft add set ip filter daddrs {type ipv4_addr \; flags timeout \; elements={192.168.1.1 timeout 10s, 192.168.1.2 timeout 30s} \;}
</source>

This command creates a set name ''daddrs'' with elements ''192.168.1.1'', which stays in it for 10s, and ''192.168.1.2'', which stays for 30s.

* '''size''', limits the maximum number of elements of the set. To create a set with maximum 2 elements type:

<source lang="bash">
% nft add set ip filter saddrs {type ipv4_addr \; size 2 \;}
</source>

* '''policy''', determines set selection policy. Available values are:
** ''performance'' [default]
** ''memory''

= Listing named sets =

You can list the content of a named set via:

<source lang="bash">
% nft list set ip filter myset
</source>