Ubuntu nftables firewall setup
Essential Firewall Configuration with nftables
nftables is the packet filtering framework that replaced iptables on modern Linux, including current Ubuntu releases. This guide walks you through a foundational nftables ruleset for a server: it accepts the ICMP traffic IPv4 and IPv6 need to function, opens the ports for SSH, FTP, web, email and OpenVPN, restricts a database port to a few trusted client addresses, and drops every other unsolicited incoming packet.
1. Accessing the nftables Configuration
On Ubuntu the nftables package (sudo apt install nftables) ships the main configuration file at /etc/nftables.conf, and its nftables.service unit loads that file at boot. Edit it with your preferred text editor.
sudo vim /etc/nftables.conf
2. Example Firewall Ruleset
Below is an example ruleset that establishes a secure baseline: it accepts essential services and drops unsolicited incoming connections. One table in the inet family covers both IPv4 and IPv6. The file starts with flush ruleset, so it replaces whatever is currently loaded, including rules installed by other tools; if ufw is enabled on the host, disable it first (sudo ufw disable) rather than running both.
#!/usr/sbin/nft -f
# Flush existing rules so that this file fully describes the firewall.
# This also removes rules installed by other tools (ufw, Docker).
flush ruleset

# Hosts allowed to reach MySQL. The 192.0.2.x addresses are RFC 5737
# documentation addresses used as placeholders; replace them with your
# trusted client addresses (trusted_ip_address_1, trusted_ip_address_2, ...).
define trusted_db_clients = { 192.0.2.10, 192.0.2.11 }

# One 'filter' table for both IPv4 and IPv6 (inet family)
table inet filter {
    # Input chain: controls traffic destined for the local machine
    chain input {
        # Default deny: anything no rule accepts is dropped, even if the
        # trailing 'counter drop' rule is removed later
        type filter hook input priority 0; policy drop;
        # Accept all traffic on the loopback interface (localhost)
        iif lo accept
        # Drop packets the connection tracker cannot classify (bogus TCP flags,
        # out-of-window segments) before any port rule below can accept them
        ct state invalid drop
        # Rate-limit ICMP/ICMPv6 echo requests (ping floods); excess requests are dropped
        ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop
        ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 4 packets drop
        # Accept packets that belong to a connection already allowed, or are related to one
        ct state established,related accept
        # ICMPv6 types required for neighbour discovery, path MTU discovery and
        # multicast listener discovery; IPv6 does not work without them
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
        # ICMP types required for IPv4 diagnostics and path MTU discovery
        ip protocol icmp icmp type { echo-request, destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
        # IGMP (multicast group management); remove if the host uses no multicast
        ip protocol igmp accept
        # --- Service-specific port openings ---
        # Delete the rule for every service this host does not actually run.
        # SSH (Secure Shell)
        tcp dport 22 accept
        # FTP control connection. FTP sends credentials and data in cleartext;
        # prefer SFTP over port 22 and delete both FTP rules unless an FTP
        # server really runs here.
        tcp dport 21 accept
        # FTP passive-mode data ports (must match the range configured in the FTP server)
        tcp dport 10090-10100 accept
        # HTTP (Web)
        tcp dport 80 accept
        # HTTPS (Secure Web)
        tcp dport 443 accept
        # SMTP (server-to-server mail delivery)
        tcp dport 25 accept
        # Submission (mail clients, STARTTLS)
        tcp dport 587 accept
        # SMTPS (mail clients, implicit TLS)
        tcp dport 465 accept
        # POP3 and IMAP on their cleartext ports; keep these only if the mail
        # server enforces STARTTLS, otherwise expose just 995 and 993
        tcp dport 110 accept
        tcp dport 143 accept
        # POP3S (Secure POP3)
        tcp dport 995 accept
        # IMAPS (Secure IMAP)
        tcp dport 993 accept
        # OpenVPN (default UDP port)
        udp dport 1194 accept
        # MySQL, only from the trusted clients defined at the top of the file.
        # Not needed at all if MySQL binds only to 127.0.0.1 (Ubuntu's packaged
        # default), because loopback traffic is already accepted above.
        ip saddr $trusted_db_clients tcp dport 3306 accept
        # Count and drop all other unsolicited incoming traffic
        # (the counter is visible in 'nft list ruleset')
        counter drop
    }
    # Output chain: controls traffic originating from the local machine
    chain output {
        type filter hook output priority 0;
        policy accept; # Allow all outgoing traffic
    }
    # Forward chain: controls traffic routed through the local machine. It only
    # matters once net.ipv4.ip_forward / net.ipv6.conf.all.forwarding is
    # enabled; use 'policy drop' here if this host is never meant to route.
    chain forward {
        type filter hook forward priority 0;
        policy accept;
    }
}
3. Loading and Verifying Rules
After saving nftables.conf, check its syntax without touching the live firewall (the -c flag parses and validates the file only):
sudo nft -c -f /etc/nftables.conf
Before loading, make sure the rule for SSH (and for anything else your current session depends on) is present: the file begins with flush ruleset, so a mistake locks you out of a remote server. Keep your existing SSH session open, load the ruleset, and confirm that a new SSH connection succeeds before closing the old one. nft applies the whole file as a single atomic transaction, so there is no window in which the host is unfiltered.
sudo nft -f /etc/nftables.conf
nft -f changes only the running kernel ruleset. To have the file loaded again at boot, enable Ubuntu's nftables service, which runs exactly that command:
sudo systemctl enable --now nftables
To confirm that your rules are loaded and active, list the current ruleset.
sudo nft list ruleset
The output shows every active table, chain, and rule, including the packet and byte counters on the final counter drop rule, which should climb as unsolicited traffic is rejected.
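Listing the ruleset proves that the rules loaded; it does not tell you whether each accept line still corresponds to a running service, or whether a service is listening externally without any rule. The following POSIX shell script, an added example that is not part of the original guide, cross-checks the two: it extracts the ports the input chain accepts from anywhere (marking rules that also match a source address as restricted) and compares them with the non-loopback sockets reported by ss. It assumes rules in the "tcp dport 22 accept", "dport { 80, 443 }" and "dport 10090-10100" forms shown above; the embedded listing and ss output are constructed to mimic nft list ruleset and ss -Hlntu, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original guide: audit the loaded nftables
# ruleset against the sockets the host actually exposes.
#
# Live use on the server (both commands need root):
#   nft list ruleset | allowed_ports   > /tmp/allowed
#   ss -Hlntu        | listening_ports > /tmp/listening
#   audit /tmp/allowed /tmp/listening
# Assumption: rules use the plain "proto dport PORT accept" forms used in
# the guide's ruleset (single port, range, or { set }).

# Print "proto/port open|restricted" for every dport the input chain accepts.
# "restricted" marks rules that also match a source address (saddr).
allowed_ports() {
    awk '
        /chain input *\{/ { in_input = 1; next }
        in_input && /^[ \t]*\}/ { in_input = 0 }
        !in_input || !/accept/ || !/dport/ { next }
        {
            scope = ($0 ~ /saddr/) ? "restricted" : "open"
            for (i = 1; i <= NF; i++) if ($i == "dport") { proto = $(i - 1); s = i + 1 }
            spec = $s
            if ($s == "{") { spec = ""; for (j = s + 1; j <= NF && $j != "}"; j++) spec = spec " " $j }
            gsub(/,/, " ", spec)
            n = split(spec, ports, " ")
            for (k = 1; k <= n; k++) {
                if (ports[k] ~ /^[0-9]+-[0-9]+$/) {            # expand a port range
                    split(ports[k], r, "-")
                    for (p = r[1] + 0; p <= r[2] + 0; p++) print proto "/" p, scope
                } else if (ports[k] ~ /^[0-9]+$/) print proto "/" ports[k], scope
            }
        }' | sort -u
}

# Print "proto/port" for sockets bound to a non-loopback address, from
# "ss -Hlntu" output (fields: Netid State Recv-Q Send-Q Local:Port Peer:Port).
listening_ports() {
    awk '
        $1 == "tcp" || $1 == "udp" {
            addr = $5; port = $5
            sub(/.*:/, "", port)          # text after the last colon is the port
            sub(/:[^:]*$/, "", addr)      # everything before it is the address
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback-only: not exposed
            print $1 "/" port
        }' | sort -u
}

# Cross-reference an allowed-ports file against a listening-ports file.
audit() {
    awk '
        FILENAME == ARGV[1] { state[$1] = $2; next }     # first file: allowed ports
        {
            seen[$1] = 1
            if ($1 in state) print "reachable (" state[$1] "): " $1
            else print "listening but firewalled: " $1
        }
        END { for (p in state) if (!(p in seen)) print "allowed but nothing listening: " p }
    ' "$1" "$2" | sort
}

# Constructed sample: what 'nft list ruleset' prints for a trimmed version of
# the guide's ruleset (80/443 written as a set to exercise that form).
SAMPLE_RULESET=$(cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 accept
        tcp dport { 80, 443 } accept
        tcp dport 10090-10100 accept
        udp dport 1194 accept
        ip saddr { 192.0.2.10, 192.0.2.11 } tcp dport 3306 accept
        counter packets 0 bytes 0 drop
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
EOF
)

# Constructed sample of 'ss -Hlntu': MySQL is bound to loopback only, an
# unexpected service listens on 8080, and systemd-resolved sits on 127.0.0.53.
SAMPLE_SS=$(cat <<'EOF'
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:8080      0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
udp   UNCONN 0      0       127.0.0.53%lo:53        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*
EOF
)

# Run the audit over the constructed samples and print the report.
audit_samples() {
    a=$(mktemp); l=$(mktemp)
    printf '%s\n' "$SAMPLE_RULESET" | allowed_ports > "$a"
    printf '%s\n' "$SAMPLE_SS" | listening_ports > "$l"
    audit "$a" "$l"
    rm -f "$a" "$l"
}

audit_samples
```

On the sample data the report shows tcp/22 and tcp/80 as reachable, tcp/8080 and udp/68 as listening but firewalled, and tcp/443, tcp/3306, udp/1194 and the whole 10090-10100 range as allowed with nothing listening. The 3306 line is the interesting one: MySQL is bound to 127.0.0.1, so the saddr-restricted rule is dead weight and can be deleted; the same goes for any service whose rule survives after the service was removed.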
This basic nftables configuration provides a strong foundation for securing your server. Adapt it to your own needs: open only the ports on which a service actually listens, keep the trusted client addresses for the database current, and remove rules for services you decommission.