Nftables Tables, Chains, and Rules
In the realm of network filtering, understanding the components of nftables—tables, chains, and rules—is crucial for effectively managing packet flow and applying security measures. Each of these components plays a distinct yet interconnected role, facilitating a flexible and powerful framework for firewall management. Let’s delve deep into what tables, chains, and rules are in the context of nftables, how they interact, and some practical examples of their usage.
Tables in Nftables
Tables are the fundamental building blocks of nftables. They serve as containers that hold chains and rules, essentially acting as categories to organize your filtering rules based on the desired networking objective. You can think of tables as folders in a file system, where each folder can contain multiple documents (chains and rules).
Types of Tables
In nftables the table name itself is free-form; what a table actually does is decided by the address family it is created in (ip, ip6, inet, arp, bridge or netdev) and by the type and hook of the chains it holds. The names below are the conventional ones carried over from iptables, and they signal the kind of rules an administrator usually places in them:
- Filter Table: The primary table for filtering packets. By default, most rules that block or allow traffic reside here.
- Nat Table: Used for Network Address Translation. This table typically contains rules that rewrite the source or destination address of packets.
- Mangle Table: This table is for specialized packet modifications, such as changing packet header fields for quality of service (QoS) purposes.
- Raw Table: The raw table is used for configurations that affect how connection tracking is handled (for example, exempting traffic from tracking).
- Security Table: Supported in some contexts, it is designed to hold security-policy rules such as those tied to mandatory access control.
Creating a Table
To create a table, you can use the nft command as follows:
nft add table ip filter
This command creates a new table named filter in the ip (IPv4) family. You can create a table for IPv6 by replacing ip with ip6, or use the inet family to get a single table whose rules apply to both IPv4 and IPv6.
Chains in Nftables
Chains are the second layer of the nftables architecture, serving as the mechanisms that define how packets will be processed within the tables. Chains can be thought of as workflows where packets are directed to be examined against a series of rules.
Types of Chains
- Input Chain: Manages packets destined for the local system.
- Output Chain: Controls packets originating from the local system.
- Forward Chain: Handles packets that are being routed to other systems and not destined for the local machine.
- Prerouting Chain: Allows alterations to packets before they are routed.
- Postrouting Chain: Responsible for changes to packets after the routing decision has been made.
Creating a Chain
To add a chain, use the following command:
nft add chain ip filter input '{ type filter hook input priority 0; }'
In this example, a new input chain is added to the filter table. The braces must be quoted (or escaped) because an interactive shell would otherwise treat the semicolon as a command separator. The type (filter, nat or route) defines what the chain does, hook names the point in the packet path where the chain is invoked (e.g., input for packets entering the local system), and priority orders chains registered at the same hook, with lower values evaluated first.
Rules in Nftables
Rules are the specific conditions applied within chains that dictate how packets should be treated. Each rule consists of criteria that packets must match before the specified action is applied, such as accepting, dropping, or logging the packets.
Structure of a Rule
A rule in nftables can be expressed in different forms depending on what conditions and actions you want to deploy:
- Match criteria: Defines what packets will be evaluated (e.g., source IP, destination port).
- Actions: What happens to matching packets (e.g., accept, drop, log).
Example of a Rule
To add a rule that drops all incoming traffic from a specific IP address, you can use:
nft add rule ip filter input ip saddr 192.168.1.10 drop
Here, ip saddr 192.168.1.10 is the match criteria, and drop is the action that will be applied to matching packets.
Rule Processing Order
When a packet reaches a hook point, every chain registered at that hook is run in priority order, and within a chain the rules are evaluated top-down. The first matching rule with a terminal verdict (accept, drop or reject) decides the packet's fate; non-terminal actions such as log and counter let evaluation continue to the next rule. If no rule in a chain produces a verdict, the chain's policy applies (accept unless you set it otherwise). This order is critical, as a permissive rule placed before a restrictive one silently defeats it.
Interaction between Tables, Chains, and Rules
The interplay between tables, chains, and rules in nftables is what makes it a powerful tool for managing network traffic.
- Tables categorize rules by function (filtering, NAT, etc.), allowing for structured organization of rules.
- Chains within those tables define the workflows or paths that packets must navigate, so that each packet is processed only by the rules relevant to its position in the packet path.
- Rules act as decision nodes: each packet is examined against a rule's match criteria and, if it matches, the rule's action is applied. Multiple rules can exist in a chain, and they are evaluated in sequence until a matching rule yields a verdict.
Example Scenario
Let’s illustrate this concept with a practical example. Consider a local server that you want to protect from unauthorized access while allowing legitimate users to connect.
First, you would create a filter table:
nft add table ip filter
Next, you would create an input chain to manage incoming packets:
nft add chain ip filter input '{ type filter hook input priority 0; }'
Now, you can add rules to allow established connections and deny others:
nft add rule ip filter input ct state established,related accept
nft add rule ip filter input reject
In this scenario, the first rule allows packets belonging to already established connections (and related ones such as ICMP errors); a packet that does not meet this condition falls through to the second rule and is rejected. The chain was created without an explicit policy, so it defaults to accept, which is why the trailing reject rule is needed. Note that as written, no new inbound connections are accepted at all, not even SSH, so in practice you would insert accept rules for the services legitimate users need, plus loopback traffic, before the final reject.
Conclusion
Understanding tables, chains, and rules in nftables is essential for setting up an effective network filtering system. By organizing these components logically and using them judiciously, you can create sophisticated filtering setups that suit various scenarios, from basic packet filtering to advanced network security configurations.
Mastering how to create and manage tables, chains, and rules will empower you to wield the full potential of nftables, enhancing your network's security and functionality while maintaining efficiency in packet processing. Happy filtering!