Setup a simple web server firewall using nftables

Introduction

Nftables is a packet-filtering framework created by the Netfilter Project, and it replaces iptables in Debian Buster. Starting with Debian Buster, it’s recommended that you migrate from iptables to nftables. If you need help migrating from iptables to nftables you can find a great guide here, which shows some neat, easy-to-use tools for translating iptables rules to nftables.

Nftables was created because the old iptables framework had issues with performance, scalability, code, and more. I personally chose to start using nftables (besides it becoming the default in Debian Buster) because I really like the new syntax, which reminds me of PF.

Note: The nftables rules I provide in this tutorial are the same rules I use on many of my web servers. This is a simple nftables firewall rule list that will get you up and running quickly with nftables and help protect your web server.

Here’s what this tutorial’s simple nftables web server firewall will do:

  • Localhost traffic is allowed
  • Established connections are allowed
  • Invalid packets will be dropped
  • ALL inbound traffic will be blocked except for SSH, HTTP, and HTTPS
  • ICMP and ICMPv6 are allowed in
  • Anything inbound that is left over is rejected with admin-prohibited
  • ALL outbound traffic is allowed out
  • Works for both IPv4 and IPv6 traffic!

So basically all inbound traffic (except for SSH, HTTP, and HTTPS) is blocked and all outbound traffic is allowed.

Prerequisites

Before you go any further, you’ll want to make sure that you have no active iptables rules and aren’t using any software that manages iptables rules, like UFW or firewalld. If you’re setting nftables up on a remote server, make sure there’s a way for you to use a console or some form of IPMI in case you accidentally lock yourself out.
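As an added example (not part of the original tutorial), the following POSIX shell script automates the prerequisite check described above: it looks for leftover iptables/ip6tables rules and for an active UFW or firewalld service. The parsing of "iptables -S" output is done in a function that reads from stdin so it can be exercised on constructed input without root. The service names and the rule-list format are assumptions about a typical Debian host.

```shell
#!/bin/sh
# Added example, not from the original tutorial: check the prerequisites for
# switching to nftables. Assumes iptables/ip6tables, ufw and firewalld are the
# tools that could conflict with a new nftables ruleset.

# Read "iptables -S" style output on stdin and succeed (exit 0) if it contains
# anything beyond the three default ACCEPT policies, i.e. real rules or
# extra chains that would fight with nftables.
iptables_has_rules() {
    grep -v -E '^-P (INPUT|FORWARD|OUTPUT) ACCEPT$' | grep -q .
}

# Succeed if any of the given systemd services is currently active.
conflicting_service_active() {
    for svc in "$@"; do
        if systemctl is-active --quiet "$svc" 2>/dev/null; then
            echo "$svc is active; disable it before enabling nftables" >&2
            return 0
        fi
    done
    return 1
}

# Run every check that applies to this host. Prints each finding to stderr and
# returns 1 if anything needs attention, 0 if the host is ready.
check_prereqs() {
    rc=0
    for tool in iptables ip6tables; do
        # "$tool -S" needs root; without it the output is empty and nothing is flagged.
        if command -v "$tool" >/dev/null 2>&1 && "$tool" -S 2>/dev/null | iptables_has_rules; then
            echo "$tool still has rules loaded" >&2
            rc=1
        fi
    done
    if conflicting_service_active ufw firewalld; then
        rc=1
    fi
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft is not installed (apt install nftables)" >&2
        rc=1
    fi
    return $rc
}

# Only run the live checks when invoked with "run", so the functions can be
# sourced or tested without touching the system.
if [ "${1:-}" = "run" ]; then
    if check_prereqs; then
        echo "ready for nftables"
    fi
fi
```

Run it as root with `sh check_prereqs.sh run`; a clean host prints "ready for nftables", otherwise each conflicting item is listed on stderr.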

Installing nftables

If you’re using Debian Stretch or Debian Buster you can easily install nftables with apt:

sudo apt install nftables

If you’re using Debian Stretch and have the backports repo in your /etc/apt/sources.list file then you should install the nftables backport instead with:

sudo apt -t stretch-backports install nftables

Configuring the nftables firewall rules

With nftables installed you’re now ready to add the firewall rules.

Open /etc/nftables.conf in your favorite editor and delete the default rules it contains so you’re starting with a clean slate.

sudo nano /etc/nftables.conf

and now copy and paste the nftables rules below into /etc/nftables.conf.

Warning: If you use a different SSH port than 22, make sure you change the 22 to your correct SSH port in the rules below before starting the nftables firewall.

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # accept any localhost traffic
        iif lo accept

        # accept traffic originated from us
        ct state established,related accept

        # drop invalid packets
        ct state invalid counter drop

        # accept ssh, http, and https
        tcp dport { 22, 80, 443 } accept

        # accept icmp
        ip protocol icmp accept

        # accept all icmpv6
        ip6 nexthdr icmpv6 accept

        # count and reject everything else
        counter reject with icmpx type admin-prohibited
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

Save /etc/nftables.conf and exit your editor.

Start nftables

When you’re ready to start your new nftables firewall, you can do so with:

sudo systemctl start nftables

and if everything goes well then make sure to set it to start on boot by running:

sudo systemctl enable nftables

You can view your current nftables rules using:

sudo nft list ruleset
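The steps above (edit the SSH port, write the config, start nftables, list the result) can be wrapped in a script that syntax-checks the ruleset before loading it and that restores the previous ruleset after a timeout unless you confirm, which covers the lock-out risk mentioned in the prerequisites. This is an added example, not the tutorial’s own script: it renders the same ruleset as the config above (without the comments), uses `nft -c -f` for the dry run, and assumes /run/nftables.rollback as the location for the saved ruleset.

```shell
#!/bin/sh
# Added example, not from the original tutorial: render the tutorial's ruleset
# with a chosen SSH port, check it with "nft -c", and apply it with a rollback
# timer so a typo cannot lock you out of a remote server.
# Assumed paths: /etc/nftables.conf (config), /run/nftables.rollback (saved ruleset).
set -u

# Succeed only if $1 is an integer between 1 and 65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ruleset from the tutorial to stdout with the SSH port substituted.
render_ruleset() {
    port="$1"
    valid_port "$port" || { echo "bad SSH port: $port" >&2; return 1; }
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid counter drop
        tcp dport { $port, 80, 443 } accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        counter reject with icmpx type admin-prohibited
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Parse a ruleset file without loading it ("nft -c" is check-only mode).
check_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed; nothing checked" >&2
        return 1
    fi
    nft -c -f "$1"
}

# Load the ruleset, but restore the previous one after $2 seconds unless the
# operator deletes the rollback file in the meantime. The saved copy is prefixed
# with "flush ruleset" so restoring it replaces the new rules instead of appending.
apply_with_rollback() {
    file="$1"; seconds="${2:-60}"; saved=/run/nftables.rollback
    { echo "flush ruleset"; nft list ruleset; } > "$saved" || return 1
    nft -f "$file" || return 1
    echo "Applied $file. Run 'rm $saved' within $seconds seconds to keep it."
    ( sleep "$seconds"; [ -f "$saved" ] && nft -f "$saved" && echo "rolled back to previous ruleset" ) &
}

# Command-line entry point; with no arguments the functions are only defined.
case "${1:-}" in
    render) render_ruleset "${2:-22}" ;;
    check)  render_ruleset "${2:-22}" > /tmp/nftables.conf.new && check_ruleset /tmp/nftables.conf.new ;;
    apply)  render_ruleset "${2:-22}" > /etc/nftables.conf \
                && check_ruleset /etc/nftables.conf \
                && apply_with_rollback /etc/nftables.conf 60 ;;
esac
```

Typical use on a server with SSH on port 2222: `sh nft-apply.sh check 2222` to dry-run, then `sudo sh nft-apply.sh apply 2222`, confirm you can still log in, and `sudo rm /run/nftables.rollback` before the timer expires; after that, `sudo systemctl enable nftables` makes the saved /etc/nftables.conf load on boot as in the tutorial.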

Completion

Congratulations! You should now have nftables running and keeping your web server secure! If you have any suggestions for this sample nftables web server rule list or need help with this tutorial, please feel free to leave a comment below or contact me.

Resources

Here are some helpful resources if you would like to learn more about nftables.

Image Credit: The photo that was used to create the featured image for this nftables article was photographed by Colter Olmstead on Unsplash.

3 Replies to “Setup a simple web server firewall using nftables”

    1. Hi,

      I just retested this on Debian Buster and the backports v0.9.2 version and it works correctly on my end. There shouldn’t need to be any ; after the lines in input section for nftables.conf. Which distro/nftables version are you using? Thanks :).
