TL;DR
To transition from iptables to nftables on Debian 13, follow these concise steps to ensure a secure and efficient firewall setup.
Migrating from iptables? If you’re currently using iptables (especially for advanced rate limiting), this guide will help you transition to nftables’ more modern and efficient syntax while maintaining equivalent functionality.
Install nftables: Ensure nftables is installed on your system. If not, install it using:
sudo apt update && sudo apt install nftables # Install nftablesDisable iptables: Before enabling nftables, disable iptables to prevent conflicts:
sudo systemctl stop iptables # Stop iptables service sudo systemctl disable iptables # Disable iptables from starting on bootEnable and start nftables: Enable and start the nftables service:
sudo systemctl enable nftables # Enable nftables to start on boot sudo systemctl start nftables # Start nftables serviceCreate a basic nftables configuration: Create a simple configuration file to allow essential traffic while blocking everything else:
sudo nano /etc/nftables.conf # Open nftables configuration fileAdd the following rules:
table inet filter { chain input { type filter hook input priority 0; policy drop; # Default drop policy iif "lo" accept; # Allow loopback ct state established,related accept; # Allow established connections tcp dport { 22, 80, 443 } accept; # Allow SSH, HTTP, HTTPS } }Load the configuration: Load your nftables rules:
sudo nft -f /etc/nftables.conf # Apply the configurationVerify your rules: Check the active rules to ensure they are set correctly:
sudo nft list ruleset # Display current nftables rules ```text
Caution: Always test your firewall rules to avoid locking yourself out, especially when configuring remote access. Use a console or a secondary connection for safety.
Introduction to nftables
nftables is a modern packet filtering framework that replaces the older iptables, providing a more efficient and flexible way to manage network traffic on Linux systems. Introduced in the Linux kernel 3.13, nftables consolidates the functionalities of iptables, ip6tables, arptables, and ebtables into a single framework, simplifying the management of firewall rules across different protocols.
One of the key advantages of nftables is its use of a single syntax for both IPv4 and IPv6, which reduces complexity and the potential for errors. Additionally, nftables operates with a more efficient data structure, allowing for faster rule processing and better performance under high traffic loads.
To get started with nftables on Debian 13, you first need to ensure that the nftables package is installed. You can do this by running:
sudo apt update
sudo apt install nftables # Install nftables package
Once installed, you can enable and start the nftables service:
sudo systemctl enable nftables # Enable nftables to start on boot
sudo systemctl start nftables # Start nftables service
Before configuring your firewall rules, it’s crucial to set safe defaults. A common practice is to drop all incoming traffic by default and allow only specific services. You can create a basic configuration file at /etc/nftables.conf:
flush ruleset
## Define a new ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop; # Drop all by default
ct state established,related accept # Allow established connections
iif lo accept # Allow loopback interface
tcp dport 22 accept # Allow SSH
# Add more rules as needed
}
}
After saving your configuration, load it with:
sudo nft -f /etc/nftables.conf # Load the nftables configuration
Always remember to test your rules carefully to avoid locking yourself out of the server, especially when configuring remote access.
Installing nftables on Debian 13
To install nftables on your Debian 13 server, follow these steps:
First, ensure your package list is up to date. Open a terminal and run:
sudo apt update # Update the package list
Next, install the `nftables` package:
sudo apt install nftables # Install nftables
After the installation is complete, you can enable and start the nftables service to ensure it runs on boot:
sudo systemctl enable nftables # Enable nftables to start on boot
sudo systemctl start nftables # Start the nftables service
To verify that `nftables` is running, use the following command:
sudo systemctl status nftables # Check the status of the nftables service
You should see an output indicating that the service is active and running. If you encounter any issues, check the logs for more information:
journalctl -xe -u nftables # View logs related to nftables
Before you start configuring `nftables`, it's a good practice to back up any existing firewall rules. If you have `iptables` rules in place, you can save them with:
sudo iptables-save > ~/iptables-backup.txt # Backup existing iptables rules
Once you have confirmed that nftables is installed and running, you can begin creating your firewall rules. Remember to start with safe defaults, such as allowing established connections and blocking all other traffic:
sudo nft add table inet filter # Create a new table
sudo nft add chain inet filter input { type filter hook input priority 0; } # Create an input chain
sudo nft add rule inet filter input ct state established,related accept # Allow established connections
sudo nft add rule inet filter input drop # Drop all other incoming traffic
Always test your configuration in a safe environment before deploying it to production to avoid unintentional lockouts.
## Basic Configuration of nftables
To begin configuring `nftables`, ensure that the `nft` command is available. You can check this by running:
sudo nft --version # Verify nftables installation
If nftables is not installed, you can install it using:
sudo apt update
sudo apt install nftables # Install nftables package
Next, create a basic configuration file. This file will define your firewall rules and can be stored in `/etc/nftables.conf`. Start by creating the file:
sudo nano /etc/nftables.conf # Open the configuration file for editing
Add the following basic configuration to allow established connections and block everything else:
#!/usr/sbin/nft -f
table inet filter {
chain input {
type filter hook input priority 0; policy drop; # Default policy to drop
ct state established,related accept
# Allow loopback traffic
iif "lo" accept
# Allow SSH (port 22)
tcp dport 22 accept
# Log dropped packets (optional)
log prefix "Dropped: " level warning
# Drop everything else
drop
}
}
This configuration sets a default policy of `drop`, allowing only established connections, loopback traffic, and SSH access. Always ensure to allow necessary services while keeping the default policy restrictive.
To apply the configuration, run:
sudo nft -f /etc/nftables.conf # Load the nftables configuration
To ensure nftables starts on boot, enable the service:
sudo systemctl enable nftables # Enable nftables service at boot
sudo systemctl start nftables # Start nftables service
Caution: Always test your firewall rules to avoid locking yourself out, especially when configuring remote access. Consider using a console or a secondary access method to regain control if needed.
## Migrating Existing iptables Rules to nftables
To migrate existing iptables rules to nftables, you can use the `iptables-translate` tool, which is included in the `iptables` package. This tool helps convert iptables rules into their nftables equivalents. Before proceeding, ensure you have a backup of your current iptables rules.
1. **Backup Current iptables Rules**:
```bash
sudo iptables-save > /root/iptables-backup.rules # Backup current iptables rules
```text
2. **Install Required Packages**:
Ensure that the `iptables` and `nftables` packages are installed:
sudo apt update && sudo apt install iptables nftables -y # Install necessary packages
3. **Translate iptables Rules**:
Use `iptables-translate` to convert your rules. For example, if you have a rule like this:
sudo iptables -L -n # List current iptables rules
You can translate it as follows:
sudo iptables-translate -A INPUT -s 192.168.1.0/24 -j ACCEPT # Translate a specific rule
4. **Create nftables Configuration**:
Collect all translated rules and create a new nftables configuration file. For example:
echo “table inet filter {” > /etc/nftables.conf # Start a new nftables config echo " chain input {" » /etc/nftables.conf # Define input chain echo " type filter hook input priority 0;" » /etc/nftables.conf echo " policy accept;" » /etc/nftables.conf echo " # Add translated rules here" » /etc/nftables.conf echo " }" » /etc/nftables.conf echo “}” » /etc/nftables.conf
5. **Load the New Configuration**:
Once your configuration file is ready, load it with:
sudo nft -f /etc/nftables.conf # Load the nftables configuration
6. **Enable nftables on Boot**:
To ensure nftables starts on boot, enable the service:
sudo systemctl enable nftables # Enable nftables service
**Caution**: Always test your new nftables rules in a safe environment before deploying them on production systems. Misconfigurations can lead to loss of connectivity.
## Verification of nftables Rules
To ensure that your nftables rules are correctly applied and functioning as intended, you can use several commands to verify the current configuration and the status of your firewall.
First, check the active nftables ruleset with the following command:
sudo nft list ruleset # Displays the entire ruleset
This command will show you all the tables, chains, and rules currently loaded into nftables. Review the output to confirm that your rules are correctly defined.
To check the status of the nftables service, use:
sudo systemctl status nftables # Checks if the nftables service is running
Ensure that the service is active and running without errors. If you encounter issues, you can restart the service with:
sudo systemctl restart nftables # Restarts the nftables service
For a more focused view, you can list rules for a specific table or chain. For example, to view rules in a specific table:
sudo nft list table ip filter # Replace 'filter' with your table name
If you want to test the rules without affecting the live environment, consider using the `nft` command in a dry-run mode. This allows you to simulate changes:
sudo nft -f /path/to/your/rules.nft # Load rules from a file for testing
Caution: Always back up your current rules before making changes. You can save your current ruleset to a file with:
sudo nft list ruleset > ~/nftables-backup.nft # Backup current ruleset
In case of misconfiguration, you can restore your rules from the backup file:
sudo nft -f ~/nftables-backup.nft # Restore rules from backup
```text
By regularly verifying your nftables rules and maintaining backups, you can ensure a secure and stable firewall configuration on your Debian 13 server.
## Rollback to iptables
To rollback to iptables from nftables on Debian 13, you need to ensure that nftables is disabled and iptables is re-enabled. Follow these steps carefully to avoid disrupting your firewall configuration.
First, stop and disable the nftables service:
```bash
sudo systemctl stop nftables # Stop the nftables service
sudo systemctl disable nftables # Disable nftables from starting on boot
Next, ensure that iptables is installed. If it is not installed, you can install it using:
sudo apt update # Update package lists
sudo apt install iptables # Install iptables if not already installed
Now, you need to flush any existing nftables rules to prevent conflicts. This can be done with:
sudo nft flush ruleset # Flush all nftables rules
After flushing, you can start the iptables service. If you have existing iptables rules saved, you can restore them. If you do not have saved rules, you can create a basic configuration. To restore saved rules, use:
sudo iptables-restore < /etc/iptables/rules.v4 # Restore iptables rules from a file
```text
If you need to create a basic iptables configuration, you can set default policies and allow essential traffic:
```bash
sudo iptables -P INPUT DROP # Drop all incoming traffic by default
sudo iptables -P FORWARD DROP # Drop all forwarded traffic by default
sudo iptables -P OUTPUT ACCEPT # Allow all outgoing traffic by default
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
## Allow SSH (port 22)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Finally, save your iptables rules to ensure they persist after a reboot:
sudo iptables-save | sudo tee /etc/iptables/rules.v4 # Save current rules
Always review your firewall rules to ensure they meet your security requirements before applying them.
Dynamic Interface Detection
When working with nftables, it’s important to avoid hardcoding interface names. Use dynamic detection:
## Get your network interface dynamically
INTERFACE=$(ip route | grep default | awk '{print $5}' | head -n1)
echo "Using interface: $INTERFACE"
## Use it in nftables rules
sudo nft add rule inet filter input iif "$INTERFACE" tcp dport 22 accept
Or use nftables variables:
define WAN_IFACE = $(ip route | grep default | awk '{print $5}' | head -n1)
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "$WAN_IFACE" tcp dport 22 accept
}
}
```text
## Performance Tuning
`nftables offers several performance advantages over iptables:`
1. **Use sets for multiple values**:
```nft
# More efficient than multiple rules
tcp dport { 22, 80, 443 } accept
Use maps for complex matching:
map port_to_action { type inet_proto . inet_service : verdict elements = { tcp . 22 : accept, tcp . 80 : accept, tcp . 443 : accept } }Use anonymous sets for IP addresses:
ip saddr { 192.168.1.0/24, 10.0.0.0/8 } accept
Security Checklist
- Backup existing iptables rules before migration
- Test nftables rules in staging environment first
- Keep console/KVM access available during transition
- Use modern
conntracksyntax in any remaining iptables rules - Implement dynamic interface detection
- Use nftables sets and maps for better performance
- Set up comprehensive logging and monitoring
- Document all custom rules and their purposes
- Regular security audits of firewall rules
- Keep backups of working nftables configurations
FAQ
Q: Should I use nftables or iptables on Debian 13? A: nftables is the modern replacement for iptables and is recommended for new deployments. It offers better performance and simpler syntax.
Q: Can I run both iptables and nftables simultaneously? A: It’s not recommended as they can conflict. Choose one framework and stick with it.
Q: How do I convert complex iptables rules to nftables?
A: Use iptables-translate for basic conversions, but complex rules may need manual translation to take advantage of nftables features.
Q: What if nftables doesn’t work as expected? A: Always keep a backup of working configurations and test thoroughly in staging before production deployment.
Q: How do I monitor nftables performance?
A: Use nft monitor to watch rule changes and nft list ruleset -a to see rule handles and statistics.
Related Guides
- Debian Firewall Rules for Kubernetes Nodes
- Using Fail2ban with Custom Filters
