@ugnvs thanks for the reply.
Just a little while ago, I removed ufw and gufw. Flushed iptables chains and rules. It now looks like this:
$ sudo iptables --line-numbers -L
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
$
Then I enabled and started nftables.service. Also, I believe nftables is from the same team, the Netfilter project, that brought us iptables.
I do have some experience with nftables, but on Debian 10 servers where there were no iptables to begin with. So configuring nftables was not a problem for me (once iptables was properly removed).
My main concern was that the iptables chains and rules were removed properly, so they would not interfere with nftables.
Is there any way to know which set of rules is controlling network packet filtering etc.: iptables or nftables?
I think my nftables.service is running OK:
$ sudo systemctl status nftables
● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enab
   Active: active (exited) since Wed 2019-10-02 20:53:21 IST; 1h 11min ago
     Docs: man:nft(8)
           http://wiki.nftables.org
  Process: 503 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/S
 Main PID: 503 (code=exited, status=0/SUCCESS)

Oct 02 20:53:21 um systemd[1]: Started nftables.
Warning: Journal has been rotated since unit was started. Log output is incomplete or
$
$ sudo nft list ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ip saddr 192.168.0.0/16 tcp dport ssh counter packets 0 bytes 0 accept
        ct state established,related accept
        tcp dport ssh ct state new limit rate 10/minute accept
        ct state invalid drop
        ip saddr 192.168.0.0/16 tcp dport ftp-data counter packets 0 bytes 0 accept
        ip saddr 192.168.0.0/16 tcp dport ftp counter packets 0 bytes 0 accept
        ip saddr 192.168.0.0/16 tcp dport ftps counter packets 0 bytes 0 accept
        ip saddr 192.168.0.0/16 tcp dport 40000-50000 counter packets 0 bytes 0 accept
        ip saddr 192.168.0.0/16 icmp type echo-request counter packets 1 bytes 84 accept
        icmp type echo-request counter packets 0 bytes 0 drop
        ip protocol igmp drop
        reject
        log flags all counter packets 0 bytes 0 drop
        log prefix "[nftables] Input Denied: " flags all counter packets 0 bytes 0 drop
    }
}
$
Here's my simple nftables.conf:
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname lo accept
        # ssh for internal network
        ip saddr 192.168.0.0/16 tcp dport 22 counter accept
        ct state established,related accept
        # Avoid brute force on ssh
        tcp dport 22 ct state new limit rate 10/minute accept
        # Early drop of invalid connections
        ct state invalid drop
        # VsFTPD
        ip saddr 192.168.0.0/16 tcp dport 20 counter accept
        ip saddr 192.168.0.0/16 tcp dport 21 counter accept
        ip saddr 192.168.0.0/16 tcp dport 990 counter accept
        ip saddr 192.168.0.0/16 tcp dport 40000-50000 counter accept
        # ICMP & IGMP
        ip saddr 192.168.0.0/16 icmp type echo-request counter accept
        icmp type echo-request counter drop
        ip protocol igmp drop
        # Everything else
        reject with icmpx type port-unreachable
        log flags all counter drop
        log prefix "[nftables] Input Denied: " flags all counter drop
    }
}
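The question in the post, which backend actually owns the filtering rules, can be answered from evidence the host already exposes. The POSIX shell script below is an added example, not code from the post or from the Netfilter project, and the function names are my own. It assumes the banner format of iptables 1.8 and later, which prints "(nf_tables)" when the iptables binary is the nf_tables-compat front end and "(legacy)" when it drives the old xtables backend; it reads /proc/modules to see whether ip_tables/ip6_tables or nf_tables is loaded; and it scans `nft list ruleset` output for rules that sit after an unconditional verdict in the same chain, which is the reason the two "log ... drop" rules in the posted ruleset show 0 packets: the bare "reject" above them already decided every packet that reached it. All sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Three offline-checkable
# signals decide which packet-filter backend is in charge on this host.
# Sample strings in this file are constructed for the demonstration.

# Classify an `iptables -V` banner (format of iptables >= 1.8).
#   nft     -> the iptables binary is the nf_tables-compat front end
#   legacy  -> the binary drives the old xtables (ip_tables) backend
#   unknown -> pre-1.8 iptables, which prints no backend tag
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Read /proc/modules-formatted lines on stdin and report which filtering
# backend has kernel modules loaded: ip_tables/ip6_tables mean legacy
# iptables rules may still be installed, nf_tables means nftables is active.
loaded_filter_modules() {
    awk '$1 == "ip_tables" || $1 == "ip6_tables" { legacy = 1 }
         $1 == "nf_tables" { nft = 1 }
         END {
             if (legacy && nft)  print "both"
             else if (legacy)    print "legacy"
             else if (nft)       print "nft"
             else                print "none"
         }'
}

# Count rules in `nft list ruleset` output (stdin) that can never match
# because an unconditional verdict (a rule whose first token is reject, drop
# or accept) precedes them in the same chain. Such rules keep 0-packet
# counters forever; their log prefix will never appear in the journal.
shadowed_rules() {
    awk '
        $1 == "table" || $1 == "chain" || $1 == "}" { terminal = 0; next }
        $1 == "type"                                { next }
        NF == 0                                     { next }
        terminal                                    { shadowed++; next }
        $1 == "reject" || $1 == "drop" || $1 == "accept" { terminal = 1 }
        END { print shadowed + 0 }'
}

# Constructed excerpt of the posted input chain, in the layout that
# `nft list ruleset` prints.
sample_ruleset() {
    printf '%s\n' \
        'table inet filter {' \
        '    chain input {' \
        '        type filter hook input priority 0; policy drop;' \
        '        iifname "lo" accept' \
        '        ct state established,related accept' \
        '        ct state invalid drop' \
        '        ip protocol igmp drop' \
        '        reject' \
        '        log flags all counter packets 0 bytes 0 drop' \
        '        log prefix "[nftables] Input Denied: " flags all counter packets 0 bytes 0 drop' \
        '    }' \
        '}'
}

# Live report; each check runs only when its source is present on the host.
report_backend() {
    if command -v iptables >/dev/null 2>&1; then
        printf 'iptables front end: %s\n' \
            "$(iptables_backend "$(iptables -V 2>/dev/null)")"
    fi
    if [ -r /proc/modules ]; then
        printf 'filter modules loaded: %s\n' \
            "$(loaded_filter_modules < /proc/modules)"
    fi
    if command -v nft >/dev/null 2>&1; then
        printf 'nft rules shadowed by an unconditional verdict: %s\n' \
            "$(nft list ruleset 2>/dev/null | shadowed_rules)"
    fi
}

report_backend
```

On a host where iptables was removed and only nftables.service loads rules, the expected picture is "nft" from the module check (or "none" before the service runs) and no legacy front end at all; "both" means a legacy iptables ruleset may still be evaluated alongside the nft tables and deserves a look with `iptables-legacy -L`. Running `sample_ruleset | shadowed_rules` prints 2, the two log rules the reject shadows; moving the log rule above the reject is what makes the "[nftables] Input Denied:" prefix reach the journal.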