Advanced Firewall: Configuring iptables and nftables

Firewalls form the first line of defense in network security, controlling traffic flow between trusted and untrusted networks. Linux offers two major frameworks: iptables (legacy) and nftables (modern replacement). This extensive article dives into advanced configuration, performance tuning, best practices, and migration strategies.

1. Fundamentals of Netfilter

  • Netfilter Framework: Kernel-level packet processing hooks.
  • Tables: Categorize rules (filter, nat, mangle, raw, security).
  • Chains: Predefined paths (INPUT, FORWARD, OUTPUT) or user-defined.
  • Targets/Actions: ACCEPT, DROP, REJECT, LOG, DNAT, SNAT, MASQUERADE, etc.

2. iptables: Advanced Concepts and Examples

2.1 Table and Chain Architectures

The most common tables in iptables:

Table    Purpose                         Common Chains
filter   Packet filtering                INPUT, FORWARD, OUTPUT
nat      Network address translation     PREROUTING, POSTROUTING, OUTPUT
mangle   Packet alteration               PREROUTING, POSTROUTING, etc.
raw      Connection tracking exemption   PREROUTING, OUTPUT

2.2 Connection Tracking and State Matching

Use the conntrack match (-m conntrack --ctstate) to filter on connection state:

# Allow established/related traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop invalid packets
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

2.3 IP Sets for Dynamic Rules

Using ipset improves performance when handling large blacklists or whitelists:

# Create a set of banned IPv4 addresses
ipset create blacklist hash:ip
# Add an address to the set
ipset add blacklist 203.0.113.45
# Reference the set from a single rule instead of one rule per address
iptables -A INPUT -m set --match-set blacklist src -j DROP

2.4 NAT and Port Forwarding

# Redirect external port 8080 to 192.168.1.100:80
iptables -t nat -A PREROUTING -p tcp --dport 8080 \
  -j DNAT --to-destination 192.168.1.100:80
# Masquerade outgoing traffic on eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Forwarded traffic additionally needs net.ipv4.ip_forward=1 and a matching FORWARD rule

3. nftables: The Modern Replacement

3.1 Key Advantages

  • Unified Syntax: Single framework for filtering, NAT, raw.
  • Performance: Reduced rule-chaining overhead.
  • Atomic Updates: Safe live rule replacement.
  • Concise: Less repetition, use of sets, maps, concatenations.

3.2 Basic nftables Configuration

#!/usr/sbin/nft -f

table inet filter {
  set blacklist {
    type ipv4_addr
    flags interval
  }
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    ip saddr @blacklist drop
    tcp dport { 22, 80, 443 } accept
    counter drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}

3.3 NAT with nftables

table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0;
    # Redirect external port 8080 to 192.168.1.100:80
    tcp dport 8080 dnat to 192.168.1.100:80
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    # Masquerade outgoing traffic on eth0
    oifname "eth0" masquerade
  }
}

3.4 Advanced Sets and Maps

Define port ranges, address sets, and key-value maps:

# Inside "table inet filter": a named set of service ports
set web_ports {
  type inet_service
  elements = { 80, 443 }
}
chain input {
  type filter hook input priority 0; policy drop;
  tcp dport @web_ports accept
}

# Inside "table ip nat": map an external port to a backend address and port
map redirect_map {
  type inet_service : ipv4_addr . inet_service
  elements = { 8080 : 192.168.1.100 . 80 }
}
chain prerouting {
  type nat hook prerouting priority -100;
  dnat to tcp dport map @redirect_map
}

4. Migration: iptables → nftables

To ease migration:

  1. Install iptables-nft or iptables-legacy to toggle backends.
  2. Use iptables-translate for conversion:
iptables-translate -A INPUT -p tcp --dport 22 -j ACCEPT
# Outputs the equivalent nft command:
# nft add rule ip filter INPUT tcp dport 22 counter accept

5. Best Practices and Hardening

  • Default policy: DROP for unknown traffic.
  • Log suspicious traffic with rate-limit:
# LOG is non-terminating: place it before the final DROP rule
iptables -A INPUT -m limit --limit 5/min -j LOG \
  --log-prefix "FW-DROP: " --log-level 4
  • Isolate management ports (SSH on non-standard port, port knocking).
  • Use fail2ban or similar tools.
  • Keep rule sets modular and version-controlled.

6. VPN Considerations

When integrating VPN services, ensure the firewall allows or restricts traffic appropriately:

  • For OpenVPN, open the configured port (UDP or TCP, default 1194).
  • For WireGuard, allow UDP on port 51820.
  • For IPsec, ensure UDP 500/4500 and ESP (protocol 50) are open.

7. Monitoring and Logging

Combine firewalld logs or the kernel's LOG output with rsyslog and logwatch to build audit trails. Tools such as ntop and Wireshark help with deeper packet inspection.
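As an added example that is not part of this article, the following shell script turns kernel log lines written by the rate-limited LOG rule from section 5 (prefix "FW-DROP: ") into nft commands that add repeat offenders to the blacklist set from section 3.2. The log excerpt is constructed, and the hit threshold, set name and table name are assumptions.

```shell
#!/bin/sh
# Added example: summarise FW-DROP log lines per source address and emit
# "nft add element" commands for sources that exceed a hit threshold.
# Assumptions: log prefix "FW-DROP: ", set "blacklist" in table "inet filter".

# Constructed sample of kernel log output (journalctl -k style), not a real capture.
SAMPLE_LOG='Mar  1 10:00:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=50112 DPT=22 SYN
Mar  1 10:00:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=50113 DPT=23 SYN
Mar  1 10:00:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=UDP SPT=4444 DPT=51820
Mar  1 10:00:04 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=50114 DPT=3389 SYN
Mar  1 10:00:05 gw sshd[123]: unrelated line without the firewall prefix SRC=10.0.0.1'

# fw_drop_counts LOG -> "count source" lines for FW-DROP entries, highest count first.
# Only lines carrying the prefix are counted, so other log lines mentioning SRC= are ignored.
fw_drop_counts() {
  printf '%s\n' "$1" | awk '
    /FW-DROP: / {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
    }
    END { for (s in n) print n[s], s }' | sort -k1,1nr -k2,2
}

# fw_block_cmds LOG THRESHOLD -> one nft command per source with at least THRESHOLD hits.
# The commands are printed, not executed, so they can be reviewed first.
fw_block_cmds() {
  fw_drop_counts "$1" | awk -v t="$2" \
    '$1 >= t { printf "nft add element inet filter blacklist { %s }\n", $2 }'
}

fw_block_cmds "$SAMPLE_LOG" 3
```

Review the generated commands before passing them to nft, since a burst of spoofed packets could otherwise push a legitimate address into the set.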

Conclusion

Mastering iptables and nftables demands understanding both syntaxes, performance trade-offs, and best practices. While nftables is the future, iptables remains prevalent. A well-designed firewall, combined with secure VPN integration (OpenVPN, WireGuard), dynamic sets, and logging, fortifies any Linux-based network against modern threats.
