Basic Nftables Syntax

When working with Nftables, understanding its syntax is essential for effective network traffic management and security. Nftables is designed to replace the older iptables and provides a more flexible and powerful framework for packet filtering, network address translation (NAT), and other network-related tasks. This article will break down the basic commands and syntax structure of Nftables, ensuring you have a solid foundation to build upon when crafting your firewall and network configuration.

Nftables Command Structure

The basic structure of an Nftables command consists of three main elements: the command, the object type, and the operation. Each command can manipulate various objects such as tables, chains, rules, sets, and maps, allowing you to configure your firewall efficiently.

Basic Command Elements

Command: This is the operation you want to perform. Common commands include add, delete, list, and flush.
Object Type: The type of object you want to interact with. Object types include table, chain, rule, set, and map.
Operation: This shows specifically what you're doing with the object, such as defining a rule within a chain or adding a chain to a table.

Example of Command Syntax

Here's a general format for an Nftables command:

nft [<options>] <command> <object-type> <object-name> <operation>

Creating a Table

To get started with Nftables, you'll first want to create a table. A table is the top-level structure where you define chains and rules. You can create a table with the following command:

nft add table ip filter

In this command:

add table: Indicates that you are adding a new table.
ip: Refers to the protocol family, which can be either ip for IPv4 or ip6 for IPv6.
filter: This is the name of the table.

Listing Tables

To view the tables you've created, you can use:

nft list tables

This command displays all the currently defined tables, their names, and associated protocols.

Creating a Chain

Once you have a table, the next step is to define a chain. A chain is a set of rules that packets traverse when they enter or leave a network interface. Here's how to create a chain within the previously defined filter table:

nft add chain ip filter input { type filter hook input priority 0; }

Breaking this down:

add chain: Indicates you're creating a new chain.
ip filter input: This specifies that you're adding a chain named input to the filter table.
{ type filter hook input priority 0; }: This section defines the type of chain, its hook point in the packet processing flow, and its priority.

Adding Rules to a Chain

After creating a chain, you can start adding rules. Rules specify how packets should be treated. To add a rule that drops all incoming traffic from a specific IP address, you would use:

nft add rule ip filter input ip saddr 192.168.1.1 drop

Here's how this command works:

add rule: Indicates you're adding a new rule.
ip filter input: Specifies the chain where the rule will reside.
ip saddr 192.168.1.1: This part matches packets with a source IP address of 192.168.1.1.
drop: This action specifies that the matched packets should be dropped.

Listing Rules

To see the rules within a specific chain, you can execute:

nft list chain ip filter input

This command will display all rules defined under the input chain of the filter table.

More Complex Rule Examples

Nftables allows for more complex conditions in your rules. For instance, you can match both the source IP and the destination port. Here’s how to create a rule that drops incoming traffic from a specific IP address targeted at port 22 (SSH):

nft add rule ip filter input ip saddr 192.168.1.1 tcp dport 22 drop

In this example:

tcp dport 22: Matches packets targeting TCP port 22.

Using Sets

Nftables also supports sets, which allow you to group multiple IPs or ports together to simplify rule management. Here’s how to create a set of IP addresses:

Creating a Set

nft add set ip filter blocked_ips { type ipv4_addr; }

Adding Addresses to the Set

nft add element ip filter blocked_ips { 192.168.1.1, 192.168.1.2 }

Using the Set in a Rule

You can use the set within a rule to drop packets from any IP that’s in the blocked_ips set:

nft add rule ip filter input ip saddr @blocked_ips drop

Flushing Rules and Chains

If you ever need to clear out your rules or chains, you can use the flush command. To flush all rules from the input chain:

nft flush chain ip filter input

To flush an entire table, you would use:

nft flush table ip filter

Deleting Rules, Chains, and Tables

If you need to remove a specific rule, chain, or table, you can do so with the delete command.

Deleting a Rule

To delete the rule we created earlier that drops traffic from 192.168.1.1, you would use:

nft delete rule ip filter input handle <handle-number>

You can find the rule’s handle (identifier) using the list chain command.

Deleting a Chain

To delete the entire input chain:

nft delete chain ip filter input

Deleting a Table

Finally, to delete the table we created earlier:

nft delete table ip filter

Conclusion

Mastering the basic syntax of Nftables is key to effectively managing your network with this powerful tool. With a firm grasp of the commands and structures we've covered, you can create tables, chains, and rules tailored to your network security needs. As you become more familiar with Nftables, you can explore its advanced features, such as stateful rule tracking and various types of matches, which can greatly enhance your network’s protective measures.

Now that you have an introductory understanding of Nftables syntax, you’re well on your way to becoming proficient in network infrastructure management. Happy filtering!

Networking & Infrastructure - Nftables