Back to Home

nftables guide: setting up firewall in Debian

Guide to practical use of nftables in Debian for server protection and network segmentation. Describes threat models, segregation schemes, rule examples and testbeds. Includes OneButtonFirewall for quick deployment.

nftables: from local FW to network segmentation
Advertisement 728x90

Hands-On nftables Guide: Securing Networks on Debian

nftables on Debian delivers robust traffic filtering for servers or workstations. The goal? Block unwanted inbound connections and control outbound traffic. The approach: model threats, define access controls, and craft filtering rules.

Kick things off with a Debian 11.4 netinstall VM template: minimal setup, no bloat, then add SSH, Midnight Commander, and conntrack via apt install mc ssh conntrack. Use a virtualization platform with network control like QEMU-KVM or VirtualBox.

Threat Modeling and Mitigation Strategies

Pinpoint your top threats:

Google AdInline article slot
  • T1: Service exploits — block inbound traffic by ports/IPs.
  • T2: DoS attacks — rate-limit packets, drop loopback sources (127.0.0.0/8 unless from lo).
  • T3: Brute-force attacks — track failed logins and ban IPs.
  • T4: Malicious outbound connections — filter by IPs, ports, protocols.
  • T5: Unauthorized ports — ban new inbound connections.

Access control schemes, from basic to hardened:

  • Minimal (workstations): Block all inbound except established; allow all outbound.
  • Standard (servers): Permit SSH (22), HTTP/HTTPS (80/443), ICMP; cap conntrack.
  • Hardened: Whitelists for IPs, rate-limits on ports, blacklists for DoS.

Setting Up Hardened Server Protection

Lab setup: Debian server on 192.168.1.0/24 network, eth0 interface.

Mission: Deploy nftables with hardened security.

Google AdInline article slot

Prep steps:

apt update && apt install nftables
systemctl enable nftables

Rules in /etc/nftables.conf:

nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0; policy drop; }
nft add chain inet filter output { type filter hook output priority 0; policy accept; }
nft add chain inet filter forward { type filter hook forward priority 0; policy drop; }

# Established/related
nft add rule inet filter input ct state established,related accept

# Loopback
nft add rule inet filter input iifname "lo" accept

# ICMP
nft add rule inet filter input ip protocol icmp icmp type { echo-request, echo-reply } accept

# SSH rate-limit
nft add rule inet filter input tcp dport 22 ct state new limit rate 5/minute accept
nft add rule inet filter input tcp dport 22 ct state new drop

# Drop loopback sources
nft add rule inet filter input ip saddr 127.0.0.0/8 iifname != "lo" drop

nft add rule inet filter input ct state invalid drop
nft add rule inet filter input accept

Apply with: nft -f /etc/nftables.conf. Verify: nft list ruleset, conntrack -L.

Google AdInline article slot

Testing Your Firewall

Lab: Client (192.168.1.10), server (192.168.1.20).

Mission: Probe ports, DoS resistance, outbound flows.

Steps:

  • nmap -p 22,80,443 192.168.1.20 — only SSH open.
  • hping3 --flood -S 192.168.1.20 -p 22 — rate-limit kicks in.
  • tcpdump -i eth0 to watch drops.

Network Segmentation with Routing

Enable IP forwarding: sysctl net.ipv4.ip_forward=1.

Lab: Router (eth0: LAN1 192.168.10.0/24, eth1: LAN2 192.168.20.0/24).

Mission: Isolate user and server zones.

Rules:

nft add table inet filter
nft add chain inet filter forward { type filter hook forward priority 0; policy drop; }

# User to server: only key ports
nft add rule inet filter forward iifname "eth0" oifname "eth1" tcp dport {22,80,443} ct state new accept
nft add rule inet filter forward iifname "eth0" oifname "eth1" ct state established,related accept

# Back
nft add rule inet filter forward iifname "eth1" oifname "eth0" ct state established,related accept

# Server to internet
nft add rule inet filter forward iifname "eth1" oifname "eth2" accept

Layer 2 Segmentation (Switch Firewall)

No IP subnets needed: Use VLANs or MAC-based filtering.

Bridge rules:

nft add table bridge filter
nft add chain bridge filter forward { type filter hook forward priority 0; }

# Block between MAC groups
nft add rule bridge filter forward ether saddr 00:11:22:33:44:00 ether daddr 00:55:66:77:88:99 drop

OneButtonFirewall: Quick Segment Protection

Project for fast rollout: Script generates rules from templates.

Lab: OBF device between segments.

How it works: Script parses config (JSON/YAML), applies nftables.

Pros: Zero config, auto-updates. Cons: Less flexible.

Use cases: Home offices, small businesses without security pros.

Key Takeaways:

  • Always model threats first.
  • Default to drop policy with explicit accepts.
  • Test rate-limits and conntrack.
  • Balance security with usability.
  • Monitor nftables logs (nft log rule).

— Editorial Team

Advertisement 728x90

Read Next