iptables vs nftables

Hi all,

After getting accepted for Outreachy, I have been assigned the project ‘nftables’. Based on what I have been able to read and understand so far, I’m going to give an overview of nftables and what makes nftables better than iptables.

First of all, everything is documented in the nftables HOWTO. I’ll try to explain from scratch.

What is a firewall?

This:

[Image: a literal firewall]

Well, let’s not take it literally.

A firewall is a program that enforces network security by monitoring and restricting network traffic according to a predefined set of rules. You can think of a firewall as a knight who protects your system from anything intrusive it detects. However, the knight only acts the way he has been taught: the protection is only as good as the rules you write.

There are many different types of firewalls depending on the functionality to be achieved. You can read about them here: Types of firewalls.

Now you know enough to read the next part.


What is iptables?

A command-line utility that allows you to configure the Linux kernel firewall (Netfilter).

How?

iptables is used to inspect, modify, forward, redirect, and/or drop IPv4 packets (ip6tables does the same for IPv6). The code for filtering IPv4 packets is already built into the kernel and is organized into a collection of tables, each with a specific purpose. The tables are made up of a set of predefined chains, and the chains contain rules which are traversed in order. Each rule consists of a predicate of potential matches and a corresponding action (called a target) which is executed if the predicate is true, i.e. when the conditions match.

For example, if I only wish to receive packets from a certain trusted IP address, I can write the following rule:

iptables -A INPUT -s <ip_address_here> -j ACCEPT

Here, the rule goes as follows:

iptables: the command line utility
-A      : Append a rule to a chain
INPUT   : Name of the chain to which the rule is to be appended
-s      : Match on the source IP address
-j      : Jump to the target action
ACCEPT  : Target action

Similarly, you can add many different rules and make up your own firewall. See how flexible it is? Keep in mind that an ACCEPT rule on its own only lets that address in; to actually block everything else, the chain’s default policy must be set to DROP.

All you need to do is install iptables, read the man page, do a bit of googling, and write your own file holding the set of rules that you wish your system to follow.

What could be better than this, right? This seems like the easiest, most fun and secure thing. But hey, you’re in the Linux community now; you know there must be something even simpler.

Well yes, there is. It is called nftables.


What is nftables?

nftables is the new packet classification framework that intends to replace the existing {ip,ip6,arp,eb}_tables infrastructure. In simple words, something even simpler than iptables. Don’t believe it? Read further.

Suppose you want to allow TCP packets on several different ports and allow several different ICMPv6 types. With iptables, you need to use something like:

ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT

But, with nftables, you can do it in just two lines:

nft add rule ip6 filter input tcp dport {telnet, http, https} accept
nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

Disclaimer: The above example has been shamelessly copied from Why you will love nftables


Why is nftables better than iptables?

There are many reasons for this. Some of them are listed below:

  • Syntax: the example above shows how simple the nftables syntax is.
  • Tables and chains are fully configurable: iptables comes with tables that have a predefined set of base chains, and you get them in an all-or-nothing fashion. That is not the case with nftables; you create only the tables and chains you need.
  • You can specify several actions in one single rule: see the example above.
  • Better support for dynamic ruleset updates: the ruleset is represented as a linked list.
  • Generic set and map infrastructure
  • Support for concatenations
  • Support for new protocols without kernel upgrades
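
As an added example (not code from the original post), here is the same policy written as one nftables ruleset file instead of separate nft add rule commands: the inet family lets a single table cover IPv4 and IPv6, the allowed ports live in a named set, and the base chain’s policy drops anything not explicitly accepted. The trusted address 192.0.2.10 and the port list are placeholders chosen for this example; the emitted text can be checked with nft -c -f before loading it with nft -f.

```shell
#!/bin/sh
# Added example, not code from the original post.
# emit_ruleset builds an nftables ruleset (nft -f format) that puts the post's
# examples into one table: a trusted source address, a set of allowed TCP
# ports and the ICMPv6 types IPv6 needs, with everything else dropped by the
# chain policy. The address and ports passed in are placeholder values.

# emit_ruleset TRUSTED_IP "PORT PORT ..."  -> ruleset text on stdout
emit_ruleset() {
    trusted="$1"
    # turn "22 80 443" into "22, 80, 443" for the set's element list
    ports=$(printf '%s' "$2" | sed 's/ /, /g')
    cat <<EOF
flush ruleset
table inet filter {
    # named set: change ports later with 'nft add element' instead of editing rules
    set allowed_tcp {
        type inet_service
        elements = { $ports }
    }
    # base chain on the input hook; policy drop rejects anything not accepted below
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        ip saddr $trusted accept
        tcp dport @allowed_tcp accept
        icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
    }
}
EOF
}

# accept_rule_count RULESET_TEXT -> number of accept rules in the emitted chain
accept_rule_count() {
    printf '%s\n' "$1" | grep -c ' accept$'
}

# Print the ruleset for the placeholder values; review it, then
#   nft -c -f ruleset.nft   (syntax check only, nothing is applied)
#   nft -f ruleset.nft      (load it)
emit_ruleset "${1:-192.0.2.10}" "${2:-22 80 443}"
```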


iptables-translate

This is a utility that takes an iptables rule on the command line and prints the equivalent nft syntax.

For example,

$ sudo iptables-translate -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

prints to the console:

nft add rule ip filter INPUT iifname eth0 udp sport 53 counter accept


I’m working on this. Stay tuned for more updates.

Thanks for reading.
