I mentioned in my last post that there is a newer, better way of creating your own firewall than iptables which is named nftables.
For a person new to nftables, it would be really tough to write the exact syntax for adding a particular rule. Now, let us assume that we are completely naive and wish to create a firewall using nftables. How do we do this?
First, we look at the available sources.
We know that before nftables, there existed a framework called iptables so there must be some sort of connection/similarity between the two. Also, we have the wiki page of nftables from where we can guess some of the syntax for sure. So, our domain of available sources is as follows:
- iptables ruleset all over the internet for almost everything
- wiki page of nftables
- open information about the different protocols involved
- iptables manual page
- nft utility
If we try to connect the dots, we find out that if we had one more thing into our domain, that is, something to convert the given iptables ruleset to nftables ruleset, we’ll be done. Again, time for surprises by the Linux community. There is a tool for carrying exactly the aforementioned thing. The tool is called iptables-translate. It has been created by the amazing netfilter developers. I gave a short description about it in my previous post, this post asserts what was the need of developing this tool.
Good news is that I have been adding up translation code to iptables in order to get this iptables-translate utility working for every rule. I have been successful with some translations and struggling with some other ones. You can keep track of the available translations on this page : Available translations via iptables-translate tool.
How to use this tool?
- Create the tables and chains that you need for your rule in nft. (Refer here: Configuring tables Configuring chains)
- Type in terminal:
$ sudo iptables-translate
And then add any ruleset of iptables.
Whatever the tool returns back in console is the appropriate converted syntax for nftables. Easy, right?
If you are still confused about using the tool, you can have a look at my patches here as I have given examples to use the tool with every patch covering almost all the test cases for different targets and matches on suggestion of my mentor Pablo Neira Ayuso. He’s the one guiding me to write good workable code.
Please use the tool and let me know your experience. Also, report bugs if you come across any.
Thanks for reading.