nftables Firewall

This document defines the default firewall baseline for the hardened Arch Linux server.

Why nftables?

nftables is the modern Linux packet filtering framework. It provides a powerful, low-level firewall system for IPv4 and IPv6.

This guide uses nftables directly instead of UFW because the goal is control, clarity, and explicit rules.

Warning

Do not run UFW and custom nftables rules at the same time unless you know exactly how both are interacting. They can conflict because both manage firewall rules.


Security Design

The firewall is designed around these rules:

  1. Drop inbound traffic by default
  2. Accept established and related traffic
  3. Accept loopback traffic
  4. Accept ICMP and ICMPv6 for diagnostics
  5. Accept SSH
  6. Optionally accept HTTP/HTTPS
  7. Log blocked packets
  8. Reject everything else
  9. Drop forwarding by default
  10. Allow outbound traffic

Firewall Flow

[Diagram: firewall flow (image not included in this text rendering)]


Backup Existing Configuration

Before editing:

sudo cp /etc/nftables.conf /etc/nftables.conf.bak

Configuration

Use the provided config:

sudo cp configs/nftables.conf /etc/nftables.conf

Or manually edit:

sudo vim /etc/nftables.conf

Recommended ruleset:

#!/usr/bin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter;
        policy drop;

        ct state invalid drop comment "drop invalid packets"
        ct state { established, related } accept comment "allow established connections"

        iif lo accept comment "allow loopback"

        ip protocol icmp accept comment "allow IPv4 ICMP"
        ip6 nexthdr icmpv6 accept comment "allow IPv6 ICMP"

        tcp dport 22 ct state new accept comment "allow SSH"

        # Optional web server ports
        # tcp dport { 80, 443 } ct state new accept comment "allow HTTP/HTTPS"

        log prefix "nftables-drop: " flags all counter comment "log blocked inbound traffic"

        reject with icmpx type admin-prohibited
    }

    chain forward {
        type filter hook forward priority filter;
        policy drop;
    }

    chain output {
        type filter hook output priority filter;
        policy accept;
    }
}

Apply Safely

Load the file (note that nft -f applies the ruleset immediately rather than only checking it, so keep your current SSH session open until a second login succeeds):

sudo nft -f /etc/nftables.conf

List active rules:

sudo nft list ruleset

Enable permanently:

sudo systemctl enable nftables
sudo systemctl restart nftables

Monitoring

Follow logs:

sudo journalctl -f | grep nftables-drop
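Grepping the journal shows individual blocked packets; what you usually want to know is which sources and ports account for most of them. The following is an added example (not part of the repository) that summarises "nftables-drop: " kernel log lines by source address, protocol and destination port. The sample log lines and host names are constructed; the log format matches what the kernel emits for the log rule in the ruleset above.

```shell
#!/bin/sh
# Constructed sample journal lines (not real traffic), in the kernel's log
# format for the `log prefix "nftables-drop: "` rule. The last line is a
# non-firewall message to show that it is ignored.
SAMPLE_LOG='Jan 10 12:00:01 srv kernel: nftables-drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:02 srv kernel: nftables-drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:03 srv kernel: nftables-drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=51236 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:04 srv kernel: nftables-drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=UDP SPT=4000 DPT=161 LEN=20
Jan 10 12:00:05 srv sshd[1234]: Accepted publickey for admin from 192.0.2.9 port 50000 ssh2'

# Read journal lines on stdin and print "<count> <src> <proto> <dport>",
# most frequent first. Lines without the drop prefix are skipped, so the
# function can be fed the whole kernel journal.
summarize_drops() {
    awk '
        /nftables-drop: / {
            src = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Convenience wrapper used for the check below: the busiest source/port pair
# in the constructed sample.
top_drop() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops | head -n 1
}

# Against the live system (bounded so awk reaches END and prints):
#   sudo journalctl -k --since today | summarize_drops
```

The log rule in the ruleset has no rate limit, so on a busy host this summary is also the quickest way to notice when logging volume itself has become a problem.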

Show ruleset:

sudo nft list ruleset

Rule Explanation

| Rule | Purpose |
| --- | --- |
| ct state invalid drop | Drops malformed or invalid packets |
| ct state { established, related } accept | Allows replies for existing connections |
| iif lo accept | Allows local loopback traffic |
| ip protocol icmp accept | Allows IPv4 diagnostics |
| ip6 nexthdr icmpv6 accept | Allows IPv6 diagnostics |
| tcp dport 22 ct state new accept | Allows new SSH connections |
| log prefix "nftables-drop: " | Logs packets not explicitly allowed |
| reject with icmpx type admin-prohibited | Rejects remaining inbound traffic |
| forward policy drop | Prevents routing/forwarding by default |
| output policy accept | Allows outbound traffic for updates and services |

Notes on SSH Rate Limiting

The original working notes included an SSH rate-limit rule. Rate limiting can be useful, but rules in a chain are evaluated in order, so a rate-limit rule placed after an unconditional SSH accept rule never matches and has no effect.

For this repository, brute-force control is handled primarily by:

  • key-only SSH
  • disabled root login
  • Fail2Ban
  • low MaxAuthTries

A stricter rate-limit rule can be added later as an advanced option.