/etc/modules has all nf_tables* modules loaded
/etc/nftables.conf has no effect
What else could be done / checked?
Last edited by d0nzag (2019-06-16 03:00:34)
Offline
initrd?
Offline
This is too much. Aborting...
Offline
Try
# cp /usr/share/doc/nftables/examples/sysvinit/nftables.init /etc/init.d
# update-rc.d nftables defaults
Then reboot.
Brianna Ghey — Rest In Power
Offline
The answer is: the same way as with https://wiki.debian.org/iptables
Create an executable file /etc/network/if-pre-up.d/nftables with the content
#!/bin/sh
/sbin/nft -f /<path_to>/my.nftables.rules
and that's it
Offline
I'm setting up a mailserver and I'm trying to use nftables on Beowulf rather than iptables and ufw as I used to on ASCII.
Try
# cp /usr/share/doc/nftables/examples/sysvinit/nftables.init /etc/init.d
# update-rc.d nftables defaults
Then reboot.
Assuming I want to start nftables as a service (in the same way that systemd imitates), I would have to change this slightly:
$ sudo cp /usr/share/doc/nftables/examples/sysvinit/nftables.init /etc/init.d/nftables
$ sudo chmod +x /etc/init.d/nftables
$ sudo update-rc.d nftables defaults
When I run
$ sudo service nftables start
and then
$ sudo service nftables status
there's no output from either and the process is not running.
It looks to me that the problem is that nftables, as supplied, isn't configured to start in any level:
/etc/init.d/nftables starts:
#!/bin/sh
### BEGIN INIT INFO
# Provides: nftables
# Required-Start: $local_fs $network $remote_fs $syslog
# Required-Stop: $local_fs $remote_fs $syslog
# Default-Start:
# Default-Stop: 0 1 2 3 4 5 6
# Short-Description: nftables firewall service
# Description: nftables firewall system service
### END INIT INFO
# Author: Arturo Borrero Gonzalez <arturo@debian.org>
....
So no start run levels are defined. Should this be amended before running update-rc.d, and should they be the 'standard'?
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
It would be nice if the package could be devuanated for Beowulf as it's systemd specific as supplied in Debian.
I note there was some discussion about how to enable running on sysvinit back in 2015 when Arturo decided to only supply nftables.init as an example - but then not document what needed to be done to enable it.
Offline
no start run levels are defined
Good spot, I missed that.
I've just run the sysd2v-0.2.sh script on the systemd nftables.service and it says
# Default-Start: S
# Default-Stop: 0 6
So try that.
EDIT: perhaps open a bug report for this on the Debian package, the maintainer might correct it.
Last edited by Head_on_a_Stick (2020-04-22 12:27:20)
Brianna Ghey — Rest In Power
Offline
Thanks, Head-on-a-stick, that works.
Note for anyone else searching on this topic, having edited the default run level values in /etc/init.d/nftables you have to remove any existing rc.d symlinks before you reset them, so:
$ sudo update-rc.d nftables remove
$ sudo update-rc.d nftables defaults
If you don't do that it won't just overwrite the existing symlinks (you do get a warning).
Also
$ sudo service nftables start
$ sudo service nftables status
don't provide any output. However, I did check that the firewall was working as intended using nmap from a different PC on the network:
$ sudo nmap --top-ports 500 mail
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-22 15:17 BST
Nmap scan report for mail (192.168.1.xx)
Host is up (0.0054s latency).
Not shown: 493 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
143/tcp open imap
443/tcp open https
587/tcp open submission
993/tcp open imaps
MAC Address: 2D:70:6B:23:64:91
which are just the ports I had configured to be open.
Last edited by Marjorie (2020-04-22 14:37:07)
Offline
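Pulling the posts above together as an added example (it is not the nftables.init shipped by the Debian package, nor any poster's script): a sysvinit script for /etc/init.d/nftables that uses the Default-Start: S / Default-Stop: 0 6 header Head_on_a_Stick found, validates the rules file with `nft -c` before touching the live ruleset, and makes `service nftables status` print something and return an LSB status code. It assumes nft is at /usr/sbin/nft and that /etc/nftables.conf begins with `flush ruleset`, so `nft -f` replaces the old rules in one atomic transaction.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          nftables
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: nftables firewall (added example, not the Debian script)
### END INIT INFO
# Assumptions: nft lives at /usr/sbin/nft and the ruleset file begins with
# "flush ruleset", so nft -f replaces the old rules in one atomic transaction.
NFT="${NFT:-/usr/sbin/nft}"
RULES="${NFTABLES_RULES:-/etc/nftables.conf}"

# Parse the ruleset without loading it (nft -c); returns nft's exit status.
check_rules() { "$NFT" -c -f "$RULES"; }

do_start() {
    # A syntax error must not leave the host with a half-loaded firewall,
    # so refuse to touch the live ruleset unless the whole file parses.
    if ! check_rules; then
        echo "nftables: $RULES failed validation, ruleset left unchanged" >&2
        return 1
    fi
    "$NFT" -f "$RULES"
}

do_stop() { "$NFT" flush ruleset; }

do_status() {
    # The packaged example prints nothing here; list the loaded tables so
    # "service nftables status" says something and returns an LSB code.
    if "$NFT" list tables | grep -q .; then
        echo "nftables: ruleset loaded"
        "$NFT" list tables
        return 0
    fi
    echo "nftables: no tables loaded"
    return 3    # LSB status code: service not running
}
case "${1:-}" in
    start|restart|reload|force-reload) do_start ;;
    stop)   do_stop ;;
    status) do_status ;;
    check)  check_rules ;;
    "")     ;;    # no action given (e.g. sourced): only define the functions
    *) echo "Usage: $0 {start|stop|restart|reload|status|check}" >&2; exit 2 ;;
esac
```

Install it with `chmod +x`, then `update-rc.d nftables remove` followed by `update-rc.d nftables defaults`, since existing rc.d symlinks are not overwritten.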
Also
$ sudo service nftables start
$ sudo service nftables status
don't provide any output.
Add INIT_VERBOSE=yes to the definitions of environment variables in /etc/init.d/nftables.
Offline
Or add a line in /etc/rc.local
Anything in /etc/rc.local is run late in the boot process so that would leave the network exposed, albeit very briefly. A proper init script is the best approach.
Brianna Ghey — Rest In Power
Offline
Can I just check something? I'm still learning about nftables, so I could be way off.
If nf_tables is a kernel level module and likely to be loaded at boot time and active (assuming the modules are not explicitly deactivated), then is there any need to have an init.d script to start it? Won't it start up and load rules then? What am I missing? Or is this just a belt-and-braces step to make sure any rules really are included at boot time?
Offline
There are several kernel modules that provide the firewall functionality but the init script (or systemd unit file) is needed to load the user space process that actually runs the firewall.
Brianna Ghey — Rest In Power
Offline
Hi, my fw script is loaded by open-rc
It looks like this...
/home/glenn/build/firewall/fwautorun
#!/bin/bash
### BEGIN INIT INFO
# Provides: scriptname
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start daemon at boot time
# Description: Enable service provided by daemon.
### END INIT INFO
case "$1" in
start)
sh /home/glenn/bin/nftfw.sh
echo "Nftables Firewall is now ON"
;;
stop)
nft flush table filter
nft flush table ip6 filter
echo "NFTABLES Firewall is OFF"
;;
*)
echo "Usage: /etc/init.d/fwautorun {start|stop}"
exit 1
;;
esac
exit 0
I used gentoo, arch and debian guides when I set this up...
https://wiki.gentoo.org/wiki/Nftables/E … nd_IPv6.29
https://wiki.archlinux.org/index.php/Nf … l_firewall
https://linux-audit.com/nftables-beginn … filtering/
https://wiki.debian.org/nftables#Should … les_one.3F
I found this somewhere, ... repeat, my init script is called fwautorun.sh, yours may be different.
cp <path to init file>...fwautorun /etc/init.d
# update-rc.d nftables defaults
rc-update add nftables defaults
reboot.
you may have this part sorted, but because it's mentioned in the start up script, I'll copy it here...
/home/glenn/bin/nftfw.sh
#!/bin/bash
# /home/glenn/build/firewalls/nftfw.sh
# load templates
#nft -f /usr/share/doc/nftables/examples/syntax/ipv4-filter #loads the ipv4 template table (OS dependent address)
#nft -f /usr/share/doc/nftables/examples/syntax/ipv6-filter #loads the ipv6 template table (OS dependent address)
# instead of using templates, we create our own.
nft add table filter
nft add table ip6 filter
nft add chain filter input { type filter hook input priority 0 \; }
nft add chain filter forward { type filter hook forward priority 0 \; }
nft add chain filter output { type filter hook output priority 0 \; }
nft add chain ip6 filter input { type filter hook input priority 0 \; }
nft add chain ip6 filter forward { type filter hook forward priority 0 \; }
nft add chain ip6 filter output { type filter hook output priority 0 \; }
# clean out any leftovers...
nft flush table filter
nft flush table ip6 filter
nft add rule filter input ct state established accept
nft add rule filter input ct state related accept
nft add rule filter input iif lo accept
nft add rule filter input tcp dport ssh counter log accept
nft add rule filter input counter log drop
nft add rule filter output ct state established accept
nft add rule filter output ct state related accept
nft add rule filter output oif lo accept
nft add rule filter output ct state new counter accept
nft add rule ip6 filter input ct state established accept
nft add rule ip6 filter input ct state related accept
nft add rule ip6 filter input iif lo accept
nft add rule ip6 filter input tcp dport ssh counter log accept
nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
nft add rule ip6 filter input icmpv6 type echo-request accept
nft add rule ip6 filter input icmpv6 type nd-router-advert accept
nft add rule ip6 filter input icmpv6 type nd-neighbor-advert accept
nft add rule ip6 filter input counter log drop
nft add rule ip6 filter output ct state established accept
nft add rule ip6 filter output ct state related accept
nft add rule ip6 filter output oif lo accept
nft add rule ip6 filter output ct state new counter accept
echo "Nftables Firewall is now ON ... relay"
exit 0
# /home/glenn/build/firewalls/nftfw-off.sh
#!/bin/bash
# /home/glenn/build/firewalls/nftfw-off.sh
nft -f /usr/share/doc/nftables/examples/syntax/ipv4-filter #loads the ipv4 template table
nft -f /usr/share/doc/nftables/examples/syntax/ipv6-filter #loads the ipv6 template table
nft flush table filter
nft flush table ip6 filter
echo "Nftables Firewall is now OFF"
exit 0
I hope this helps, Glenn
pic from 1993, new guitar day.
Offline
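As an added example, not Glenn's code: the policy that nftfw.sh builds with one `nft add` command per rule, written instead as a single declarative ruleset file that `nft -f` applies atomically, using one `inet` table for IPv4 and IPv6 together and an explicit `policy drop` on input (the imperative script relies on a final log-and-drop rule and has a window between its flush and its last add where nothing is filtered). The destination path is the caller's choice; /etc/nftables.conf is assumed in the comments.

```shell
#!/bin/sh
# Added example, not Glenn's script: emit the same policy as nftfw.sh as one
# declarative ruleset file. $1 is the destination, e.g. /etc/nftables.conf.
write_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
# "flush ruleset" and the table below commit in a single transaction, so there
# is never a moment with an empty ruleset (an imperative "nft flush table"
# followed by one "nft add rule" per rule briefly runs with no rules at all).
flush ruleset

table inet filter {           # one table for IPv4 and IPv6
    chain input {
        type filter hook input priority 0; policy drop;   # default deny
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        ip protocol icmp accept
        icmpv6 type { nd-neighbor-solicit, nd-router-advert,
                      nd-neighbor-advert, echo-request } accept
        tcp dport ssh counter log prefix "nft ssh: " accept
        counter log prefix "nft input drop: " drop   # kept for the counters
    }
    chain forward {
        type filter hook forward priority 0; policy drop;   # not a router
    }
    chain output {
        type filter hook output priority 0; policy accept;  # as in nftfw.sh
    }
}
EOF
}
```

Check the generated file with `nft -c -f <file>` before pointing a boot-time loader at it.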
Hi, my fw script is loaded by open-rc
It looks like this...
/home/glenn/build/firewall/fwautorun
#!/bin/bash
### BEGIN INIT INFO
# Provides: scriptname
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start daemon at boot time
# Description: Enable service provided by daemon.
### END INIT INFO
............
Glenn, if you check earlier in this thread (e.g. contribution #7) you'll see that for Default-Start/Stop you would normally (at least in sysvinit) use:
# Default-Start: S
# Default-Stop: 0 6
The reason to use S rather than 2 is that it executes as early as possible, which is a desirable feature of a firewall.
Is there no S level in open-rc?
Offline
Thank you for the correction...
As far as I'm aware open-rc run levels are "default, off, recovery and sysinit."
I thought the commented lines in the above script were left there from the sys-v script the file was used for.
I'm still not completely sure how this works... sorry for butting in.
I didn't see those other posts this morning when I added my 2 cents worth.
But, I'm glad I found out some more about run levels and open-rc.
pic from 1993, new guitar day.
Offline
There are several kernel modules that provide the firewall functionality but the init script (or systemd unit file) is needed to load the user space process that actually runs the firewall.
That user space process being the nft "application" that reads in the rules and passes them to the kernel part of nf_tables?
Offline
Yes, that's right.
Brianna Ghey — Rest In Power
Offline
Yes, that's right.
Cool. Thanks for confirming that. Another thing I'm starting to get my head around is fitting into place.
Offline
For other readers of this thread: Note you may have other packages which install firewall rules (via nft or iptables-legacy or otherwise), which would conflict with the nft tables you want to load.
Actually, I'd say that it's kind of a problem that nft is highly visible, on the one hand, via /etc/nftables.conf, and nftables is installed on account of network-manager (assuming you've installed that), but on the other hand there is no associated service you could even query for status. Nor do you get any indication about how things might conflict with its use.
Offline