Hands-On nftables Guide: Securing Networks on Debian
nftables on Debian delivers robust traffic filtering for servers or workstations. The goal? Block unwanted inbound connections and control outbound traffic. The approach: model threats, define access controls, and craft filtering rules.
Kick things off with a Debian 11.4 netinstall VM template: minimal setup, no bloat, then add SSH, Midnight Commander, and conntrack via apt install mc ssh conntrack. Use a virtualization platform with network control like QEMU-KVM or VirtualBox.
Threat Modeling and Mitigation Strategies
Pinpoint your top threats:
- T1: Service exploits — block inbound traffic by ports/IPs.
- T2: DoS attacks — rate-limit packets, drop loopback sources (127.0.0.0/8 unless from lo).
- T3: Brute-force attacks — track failed logins and ban IPs.
- T4: Malicious outbound connections — filter by IPs, ports, protocols.
- T5: Unauthorized ports — ban new inbound connections.
Access control schemes, from basic to hardened:
- Minimal (workstations): Block all inbound except established; allow all outbound.
- Standard (servers): Permit SSH (22), HTTP/HTTPS (80/443), ICMP; cap conntrack.
- Hardened: Whitelists for IPs, rate-limits on ports, blacklists for DoS.
Setting Up Hardened Server Protection
Lab setup: Debian server on 192.168.1.0/24 network, eth0 interface.
Mission: Deploy nftables with hardened security.
Prep steps:
apt update && apt install nftables
systemctl enable nftables
Rules in /etc/nftables.conf:
nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0; policy drop; }
nft add chain inet filter output { type filter hook output priority 0; policy accept; }
nft add chain inet filter forward { type filter hook forward priority 0; policy drop; }
# Established/related
nft add rule inet filter input ct state established,related accept
# Loopback
nft add rule inet filter input iifname "lo" accept
# ICMP
nft add rule inet filter input ip protocol icmp icmp type { echo-request, echo-reply } accept
# SSH rate-limit
nft add rule inet filter input tcp dport 22 ct state new limit rate 5/minute accept
nft add rule inet filter input tcp dport 22 ct state new drop
# Drop loopback sources
nft add rule inet filter input ip saddr 127.0.0.0/8 iifname != "lo" drop
nft add rule inet filter input ct state invalid drop
nft add rule inet filter input accept
Apply with: nft -f /etc/nftables.conf. Verify: nft list ruleset, conntrack -L.
Testing Your Firewall
Lab: Client (192.168.1.10), server (192.168.1.20).
Mission: Probe ports, DoS resistance, outbound flows.
Steps:
nmap -p 22,80,443 192.168.1.20— only SSH open.hping3 --flood -S 192.168.1.20 -p 22— rate-limit kicks in.tcpdump -i eth0to watch drops.
Network Segmentation with Routing
Enable IP forwarding: sysctl net.ipv4.ip_forward=1.
Lab: Router (eth0: LAN1 192.168.10.0/24, eth1: LAN2 192.168.20.0/24).
Mission: Isolate user and server zones.
Rules:
nft add table inet filter
nft add chain inet filter forward { type filter hook forward priority 0; policy drop; }
# User to server: only key ports
nft add rule inet filter forward iifname "eth0" oifname "eth1" tcp dport {22,80,443} ct state new accept
nft add rule inet filter forward iifname "eth0" oifname "eth1" ct state established,related accept
# Back
nft add rule inet filter forward iifname "eth1" oifname "eth0" ct state established,related accept
# Server to internet
nft add rule inet filter forward iifname "eth1" oifname "eth2" accept
Layer 2 Segmentation (Switch Firewall)
No IP subnets needed: Use VLANs or MAC-based filtering.
Bridge rules:
nft add table bridge filter
nft add chain bridge filter forward { type filter hook forward priority 0; }
# Block between MAC groups
nft add rule bridge filter forward ether saddr 00:11:22:33:44:00 ether daddr 00:55:66:77:88:99 drop
OneButtonFirewall: Quick Segment Protection
Project for fast rollout: Script generates rules from templates.
Lab: OBF device between segments.
How it works: Script parses config (JSON/YAML), applies nftables.
Pros: Zero config, auto-updates. Cons: Less flexible.
Use cases: Home offices, small businesses without security pros.
Key Takeaways:
- Always model threats first.
- Default to drop policy with explicit accepts.
- Test rate-limits and conntrack.
- Balance security with usability.
- Monitor nftables logs (
nft log rule).
— Editorial Team
No comments yet.