# Using nftables (instead of iptables)

## Zucca

NOTE: the topic title was Looking for a "non-bloated" firewall software, but as the focus is more towards nftables I decided to change the title.

I'm looking for some kind of nice iptables frontend to easily set up fw-rules. "looking for" as in - seeing if there's any that fit or do I just resort back to using "raw" iptables.

The software should not have any graphical UIs as a requirement, as an alternative remote UI it's fine. I'd avoid any webUIs. I have bad feeling about webUIs. I prefer ssh'ing in and do-what-I-wanna-do-and-big-bada-boom-getouttathere. ncurses would fit in perfectly. And Vuurmuur seems like a good candidate, but I cannot find it from Gentoo portage (haven't searched any overlays yet). So does anybody have experience using it?

Does anyone have any other suggestions?

I'm looking for this for my home "all-in-one" server. I'd prefer packages from amd64, meaning as much as possible stable packages.

I might later set up another piece of hardware as a firewall between the internet and my LAN. But at this point it's only that one PC.

Thanks in advance.

----------

## dr_wulsen

Hi Zucca,

I don't run it myself, but a friend of mine who is admin at a mid-sized company (approx. 400 people) recently suggested firehol to me, as it would make firewalling with iptables more simple.

Personally, I'm running iptables on my router with OpenWrt and the LuCI interface (can recommend it if you later put some other piece of hardware in for firewalling), so I didn't try firehol.

But at least there's an ebuild in the official Gentoo tree, net-firewall/firehol

Dunno if it's what you're seeking. It's got no GUI, it does not even have ncurses, but should -according to my admin friend- be easy to get started with, which most likely means it's less complex than raw iptables but will have its own syntax....

----------

## NeddySeagoon

Zucca,

Shorewall is a lot less to learn than raw iptables. There is still a lot of it.

There is also shorewall6 for IPv6.

----------

## Zucca

Thanks, dr_wulsen!

Firehol really has the concept of "deny all by default" thought out well. It sure looks simpler than raw iptables, but rather than learning a new (although simple) language, I'd probably learn nftables. I'll look more closely into firehol if I don't find any with some text UI.

EDIT: Thanks to you Neddy, too!

I've heard of shorewall before... At some point I thought of using it, but I don't remember why I abandoned it. I'll look into that as well.

----------

## brendlefly62

I have found shorewall in combination with ipset to be relatively easy and efficient.

I found this helpful: https://forums.gentoo.org/viewtopic-t-863121.html

cheers

----------

## Goverp

Also net-firewall/ufw

----------

## NTU

An ipfire-like interface would be awesome, a nice little web portal to log in and view usage graphs and such. I dug into the source for ipfire trying to figure out how to go about building it for a different distro; the structure for everything is a complete mess and I just gave up. It would probably be easier to just pipe traffic and fw logs and such into an SQL database and view it that way than to tear apart ipfire. I haven't spent too much time on the whole thing.

----------

## C5ace

I use a stripped down Bastille Firewall as part of Ispconfig on a Debian server. It's just 3 *.sh files and a configuration file. Very easy to open and close ports by adding and deleting the port numbers in the config file.

```
-rw-rw-r-- 1 root root  3265 Aug 15  2014 bastille-firewall
-rw-rw-r-- 1 root root 21995 Aug 15  2014 bastille-ipchains
-rw-rw-r-- 1 root root 22578 Aug 15  2014 bastille-netfilter
-rw-rw-r-- 1 root root 17987 Aug 15  2014 bastille_licence.txt
-rw-r--r-- 1 root root 14349 Nov 21 14:15 bastille-firewall.cfg
```

See app-admin/bastille in portage for the full version.

----------

## Zucca

I've now been playing with vuurmuur.

It even has some monitoring features. The wiki isn't very complete. And I have serious trouble searching trac. I've never actually liked the trac web UI. The searches include results from the trac manual, which is more than annoying.

Anyways. The rules are simple to adjust and the order of rules can be adjusted with + or - easily.

If I don't get vuurmuur to work the way I like, I might go with raw iptables or nftables even.

----------

## Ant P.

I'm already using raw nftables. It's much easier to understand than iptables, probably easier than the config files for some of these wrapper programs even.

----------

## Zucca

*Ant P. wrote:*

> I'm already using raw nftables. It's much easier to understand than iptables, probably easier than the config files for some of these wrapper programs even.

That's good to know. I'll get myself more acquainted with nftables. I think I had compiled all nftables stuff in the kernel already.

----------

## Zucca

I have had a struggle with vuurmuur and I'm unable to create NAT/MASQ using it. :\ Sad, since I would really have liked a good firewall software with an ncurses UI.

My next step is to learn nftables. So far it seems logical. At least compared to iptables. And it even has its own simple scripting language.

I think I want to compile all nftables stuff into kernel and maybe remove all/some iptables stuff from it. Some features of iptables collide with nftables.

----------

## depontius

*Ant P. wrote:*

> I'm already using raw nftables. It's much easier to understand than iptables, probably easier than the config files for some of these wrapper programs even.

I'm looking to learn nftables. Are you aware of a basic firewall example? That was really the most effective way for me to learn iptables. I found a basic firewall that allowed outgoing connections, allowed incoming packets that were part of the outgoing connections, and allowed in filtered ssh connections. Starting from those few basics you can add what you need. I'd like the same for nftables, if anyone is aware of it.

----------

## Zucca

Gentoo Wiki has some examples. I'm also browsing through the official(?) wiki. Particularly the scripting article.

I noticed that if you want to make portable nftables scripts then you'd need to change the shebang to:

```
#!/usr/bin/env nft
```

----------

## Zucca

*Zucca wrote:*

> I noticed that if you want to make portable nftables scripts then you'd need to change the shebang to:
> 
> ```
> #!/usr/bin/env nft
> ```
> ...

... And I just realised that nft needs a -f switch to read scripts. And when using env the shell tries to run a program named exactly 'nft -f'.

So I guess it's best to use #!/sbin/nft as a shebang or create a symlink to /usr/bin and use #!/usr/bin/nft.

----------

## khayyam

*Zucca wrote:*

> ... And I just realised that nft needs a -f switch to read scripts. And when using env the shell tries to run a program named exactly 'nft -f'. So I guess it's best to use #!/sbin/nft as a shebang or create a symlink to /usr/bin and use #!/usr/bin/nft.

Zucca ... see: shebang portability and "the interpretation of the command arguments".

I don't see why you need to make such a script portable; nftables is Linux only (so that rules out some percentage of possible hosts) and /sbin will most likely be where you find it; should it be under /usr/local then the user need only edit the script. So, unless you're planning mass deployment I wouldn't worry about hardcoding the path.

best ... khay

----------

## Ant P.

*depontius wrote:*

> *Ant P. wrote:* I'm already using raw nftables. It's much easier to understand than iptables, probably easier than the config files for some of these wrapper programs even.
> 
> I'm looking to learn nftables. Are you aware of a basic firewall example? That was really the most effective way for me to learn iptables. I found a basic firewall that allowed outgoing connections, allowed incoming packets that were part of the outgoing connections, and allowed in filtered ssh connections. Starting from those few basics you can add what you need. I'd like the same for nftables, if anyone is aware of it.

I posted my config a while back in this thread. It's mostly hacked together with trial and error since the upstream wiki is a bit obtuse, but it works. Hopefully it's of some use to others.
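The basic ruleset depontius asks for (outgoing allowed, replies allowed back in, ssh filtered), plus the NAT/MASQ part Zucca could not get out of vuurmuur, written as a plain nft script. This is an added example, not Ant P.'s posted config or anything from the Gentoo or nftables wiki. Interface names `eth0` (WAN) and `eth1` (LAN), the ssh port and the `/sbin/nft` path are assumptions; change the `define` lines for your box.

```nft
#!/sbin/nft -f
# Assumed path: Gentoo installs nft as /sbin/nft. "#!/usr/bin/env nft -f" does
# not work on Linux because the kernel hands everything after the interpreter
# to env as one single argument ("nft -f"), which env cannot find.

# Constructed values: adjust to your own interfaces and ssh port.
define wan_if = "eth0"
define lan_if = "eth1"
define ssh_port = 22

# Start from a clean slate so re-running the script does not stack duplicate rules.
flush ruleset

# An "inet" table holds rules that apply to both IPv4 and IPv6.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback traffic is always fine.
        iifname "lo" accept

        # Replies to connections this host started (the "part of an outgoing
        # connection" case): conntrack already knows them.
        ct state established,related accept

        # Packets conntrack cannot classify at all.
        ct state invalid drop

        # ICMP/ICMPv6 are needed for path-MTU discovery, neighbour discovery, etc.
        meta l4proto icmp accept
        meta l4proto ipv6-icmp accept

        # ssh: unrestricted from the LAN; from the WAN only new connections at a
        # limited rate, so a brute-force attempt cannot open sessions faster than
        # this. Everything beyond the limit falls through to the drop policy.
        iifname $lan_if tcp dport $ssh_port accept
        iifname $wan_if tcp dport $ssh_port ct state new limit rate 10/minute accept

        # Record what is about to be dropped (to the kernel log), throttled so
        # a flood cannot fill the log.
        limit rate 5/minute log prefix "nft input drop: " counter
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Only the LAN may open connections towards the WAN; replies come back
        # through the established,related rule.
        ct state established,related accept
        ct state invalid drop
        iifname $lan_if oifname $wan_if accept
    }

    chain output {
        # Outgoing connections from this host itself are allowed.
        type filter hook output priority 0; policy accept;
    }
}

# Masquerading for LAN hosts behind this box. NAT tables are address-family
# specific, so this one is IPv4 only.
table ip nat {
    chain prerouting {
        # Intentionally empty, but registered so NAT lookups also run on
        # inbound packets of masqueraded connections.
        type nat hook prerouting priority -100; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $wan_if masquerade
    }
}
```

Load it with `nft -f /path/to/script` (or run it directly thanks to the shebang) and inspect the result with `nft list ruleset`; the `counter` on the log rule lets you see how much is being dropped without reading the kernel log. Forwarding between the two interfaces additionally needs `net.ipv4.ip_forward=1`. On a self-built kernel, this script needs at least CONFIG_NF_TABLES, CONFIG_NF_TABLES_INET, CONFIG_NFT_CT, CONFIG_NFT_LIMIT, CONFIG_NFT_LOG, CONFIG_NFT_NAT and CONFIG_NFT_MASQ enabled, which is the "nftables stuff in the kernel" mentioned earlier in the thread.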

----------

