Basic Firewall Setup with nftables

Arch Linux comes with IPv6 enabled by default, so firewall rules must also cover IPv6 traffic. While iptables and ip6tables are the traditional tools, nftables handles both IPv4 and IPv6, either in a single table of the inet address family or in separate ip and ip6 tables. firewalld, which has a graphical front end, can manage both as well.

  1. Basic Firewall Configuration

The configuration file /etc/nftables.conf holds a simple, secure default setup for nftables; when the service starts, it loads its rules from this file. To view the rules currently loaded in the kernel:

$ sudo nft list ruleset

This will show a table named inet filter with three chains: input, forward, and output. The input chain includes six rules:

  • Allow established and related connections
  • Drop invalid packets
  • Accept loopback traffic
  • Allow ICMP and ICMPv6 traffic
  • Allow SSH access
  • Reject everything else

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established, related counter accept
        ct state invalid counter drop
        iif lo accept
        # in an inet table "ip protocol icmp" would match IPv4 ICMP only; ICMPv6 carries
        # neighbor discovery and router advertisements, so it must be accepted as well
        meta l4proto { icmp, ipv6-icmp } counter accept
        tcp dport 22 counter accept
        counter reject
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

  2. Typical Workstation Rules (IPv4 and IPv6 Separated)

This example separates IPv4 and IPv6 rules into distinct ip and ip6 tables, so every rule has to be written twice; in particular the ip6 table needs its own ICMPv6 accept rule, because IPv6 neighbor discovery runs over ICMPv6 and stops working without it:

#!/bin/nft -f

flush ruleset

# IPv4
table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "early drop of invalid packets"
        ct state {established, related} counter accept comment "accept all connections related to connections made by us"
        iif lo accept comment "accept loopback"
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
        ip protocol icmp counter accept comment "accept all ICMP types"
        tcp dport 22 counter accept comment "accept SSH"
        counter comment "count dropped packets"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }

    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }
}

# IPv6
table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "early drop of invalid packets"
        ct state {established, related} counter accept comment "accept all connections related to connections made by us"
        iif lo accept comment "accept loopback"
        iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
        # meta l4proto still matches ICMPv6 behind IPv6 extension headers; "ip6 nexthdr" only checks the fixed header
        meta l4proto ipv6-icmp counter accept comment "accept all ICMPv6 types"
        tcp dport 22 counter accept comment "accept SSH"
        counter comment "count dropped packets"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }

    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }
}

Save this to /etc/nftables.conf and restart the nftables service to activate:

$ sudo systemctl restart nftables.service
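Both layouts above are easy to get subtly wrong (an inet or ip6 input chain that never accepts ICMPv6, a missing loopback rule, a port opened and forgotten). The script below, written for this article and not part of nftables or Arch Linux, audits a ruleset exported with nft -j list ruleset. It assumes the libnftables JSON layout (a top-level "nftables" list of chain and rule objects, each rule's "expr" holding match and verdict objects); the embedded SAMPLE is a constructed ruleset, not output captured from a real machine, and deliberately omits the ICMPv6 rule from the ip6 table so the check has something to find.

```python
"""Audit an nftables ruleset exported with `nft -j list ruleset`.

Added example for this article; not code from the nftables project. It assumes
the libnftables JSON layout: a top-level "nftables" list of {"chain": ...} and
{"rule": ...} objects, each rule's "expr" list holding {"match": ...} and
verdict objects such as {"accept": null}.
"""
import json
import sys
from typing import Any, Dict, Iterator, List

def _values(right: Any) -> List[Any]:
    """Normalize a match's right-hand side: scalar, list, or {"set": [...]}."""
    if isinstance(right, dict) and "set" in right:
        return list(right["set"])
    return right if isinstance(right, list) else [right]

def _verdict(rule: Dict[str, Any]) -> str:
    """Terminal verdict of a rule ('accept', 'drop', 'reject'), '' if none."""
    for expr in rule["expr"]:
        for key in ("accept", "drop", "reject"):
            if key in expr:
                return key
    return ""

def _matches(rule: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    for expr in rule["expr"]:
        if "match" in expr:
            yield expr["match"]

def _payload(m: Dict[str, Any], proto: str, field: str) -> bool:
    """True if the match reads header field `field` of protocol `proto`."""
    p = m["left"].get("payload", {})
    return p.get("protocol") == proto and p.get("field") == field

def _is_icmpv6(m: Dict[str, Any]) -> bool:
    """True for 'meta l4proto ipv6-icmp' or 'ip6 nexthdr icmpv6'."""
    meta = m["left"].get("meta", {})
    l4 = meta.get("key") == "l4proto" or _payload(m, "ip6", "nexthdr")
    return bool(l4 and "ipv6-icmp" in _values(m["right"]))

def _is_loopback(m: Dict[str, Any]) -> bool:
    """True for 'iif lo' or 'iifname lo'."""
    meta = m["left"].get("meta", {})
    return (meta.get("key") in ("iif", "iifname") and m.get("op") == "=="
            and "lo" in _values(m["right"]))

def audit(ruleset: Dict[str, Any]) -> Dict[str, Any]:
    """For every input chain with policy drop, report chains that never accept
    loopback, inet/ip6 chains that never accept ICMPv6 (which breaks neighbor
    discovery, and with it IPv6), and the TCP destination ports accepted."""
    items = ruleset["nftables"]
    rules = [i["rule"] for i in items if "rule" in i]
    findings: List[str] = []
    open_tcp: Dict[str, List[int]] = {}
    for ch in (i["chain"] for i in items if "chain" in i):
        if ch.get("hook") != "input" or ch.get("policy") != "drop":
            continue
        key = (ch["family"], ch["table"], ch["name"])
        label = " ".join(key)
        accepted = [r for r in rules
                    if (r["family"], r["table"], r["chain"]) == key and _verdict(r) == "accept"]
        matches = [m for r in accepted for m in _matches(r)]
        if not any(_is_loopback(m) for m in matches):
            findings.append(f"{label}: loopback traffic is not accepted")
        if ch["family"] in ("inet", "ip6") and not any(_is_icmpv6(m) for m in matches):
            findings.append(f"{label}: ICMPv6 is not accepted; IPv6 neighbor discovery will fail")
        ports = [p for m in matches if _payload(m, "tcp", "dport")
                 for p in _values(m["right"]) if isinstance(p, int)]
        open_tcp[label] = sorted(set(ports))
    return {"findings": findings, "open_tcp": open_tcp}

# Constructed sample (not captured from a real system): the article's separated
# ip/ip6 layout, but with the ICMPv6 accept rule left out of the ip6 table.
def _chain(family: str) -> Dict[str, Any]:
    return {"chain": {"family": family, "table": "filter", "name": "input", "type": "filter",
                      "hook": "input", "prio": 0, "policy": "drop"}}
def _rule(family: str, *expr: Dict[str, Any]) -> Dict[str, Any]:
    return {"rule": {"family": family, "table": "filter", "chain": "input", "expr": list(expr)}}
def _match(left: Dict[str, Any], right: Any, op: str = "==") -> Dict[str, Any]:
    return {"match": {"op": op, "left": left, "right": right}}

SAMPLE = {"nftables": [
    _chain("ip"),
    _rule("ip", _match({"ct": {"key": "state"}}, ["established", "related"], "in"), {"accept": None}),
    _rule("ip", _match({"meta": {"key": "iif"}}, "lo"), {"accept": None}),
    _rule("ip", _match({"payload": {"protocol": "ip", "field": "protocol"}}, "icmp"), {"accept": None}),
    _rule("ip", _match({"payload": {"protocol": "tcp", "field": "dport"}}, {"set": [22, 443]}), {"accept": None}),
    _chain("ip6"),
    _rule("ip6", _match({"meta": {"key": "iif"}}, "lo"), {"accept": None}),
    _rule("ip6", _match({"payload": {"protocol": "tcp", "field": "dport"}}, 22), {"accept": None}),
    _rule("ip6", {"counter": {"packets": 0, "bytes": 0}}, {"drop": None}),
]}

if __name__ == "__main__":
    # Usage: sudo nft -j list ruleset | python3 nft_audit.py   (with no piped input it audits SAMPLE)
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(audit(data), indent=2))
```

On the constructed sample the audit reports one finding for the ip6 input chain and lists TCP ports 22 and 443 (IPv4) and 22 (IPv6) as accepted; run against a live system it is a quick way to confirm that a hand-edited /etc/nftables.conf still accepts loopback and ICMPv6 after a change.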

  3. Modifying Firewall Rules

To adjust rules, either edit the configuration file directly or use the nft command line. Changes made with nft live only in the kernel: they are gone after a reboot or a restart of the service unless they are also written into /etc/nftables.conf.

  • Add a rule (appended at the end of the chain):

$ sudo nft add rule inet filter input tcp dport 8080 accept

  • Insert a rule at a specific position (before the rule whose handle is 2):

$ sudo nft insert rule inet filter input handle 2 tcp dport 8080 accept

  • Delete a rule: first list the ruleset with handles to find the rule's handle, then delete it by handle:

$ sudo nft --handle list ruleset
$ sudo nft delete rule inet filter input handle 10

For atomic updates:

  1. Start a new file with a flush statement (no sudo is needed to write under /tmp, and the redirection is performed by your shell, not by echo):

$ echo "flush ruleset" > /tmp/nftables

  2. Append the current rules without counters and other runtime state (-s):

$ sudo nft -s list ruleset >> /tmp/nftables

  3. Edit /tmp/nftables, check it without loading it (-c), then load it. nft -f applies the whole file in a single transaction, so either every rule is loaded or none is, and there is never a moment with a half-loaded ruleset. Since nft -f runs the file as root, keep it in a directory only root can write to on a machine shared with other users:

$ sudo nft -c -f /tmp/nftables
$ sudo nft -f /tmp/nftables
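The remaining risk in the reload procedure above is applying a ruleset that locks you out of the very SSH session you are working from. The script below, written for this article and not a tool shipped by nftables or Arch Linux, wraps the same steps (snapshot with -s, check with -c, apply with -f) and restores the snapshot automatically unless the operator confirms within a timeout. It assumes nft is on PATH and that it runs as root when it really applies rules; the run and confirm parameters are injectable so the control flow can be exercised without a live firewall, and the candidate file is read from stdin with nft -f - rather than written under /tmp.

```python
"""Apply an nftables ruleset atomically and roll it back unless confirmed.

Added example for this article, not a tool shipped by nftables or Arch Linux.
It assumes `nft` is on PATH and that the script runs as root when it really
applies rules; `run` and `confirm` are injectable so the control flow can be
exercised without touching a live firewall.
"""
import select
import subprocess
import sys
from typing import Callable, List, Optional


def run_nft(args: List[str], stdin_text: Optional[str] = None) -> str:
    """Run `nft` with the given arguments and return its stdout; raises on error."""
    proc = subprocess.run(["nft", *args], input=stdin_text, text=True,
                          capture_output=True, check=True)
    return proc.stdout


def wait_for_confirm(timeout: int) -> bool:
    """True if the operator presses Enter within `timeout` seconds."""
    print(f"Ruleset applied; press Enter within {timeout}s to keep it", flush=True)
    ready, _, _ = select.select([sys.stdin], [], [], timeout)
    if ready:
        sys.stdin.readline()
    return bool(ready)


def atomic_config(dump: str) -> str:
    """Prefix a ruleset dump with `flush ruleset` so that `nft -f` replaces the
    old ruleset in one transaction instead of appending to it."""
    return "flush ruleset\n\n" + dump.strip("\n") + "\n"


def apply_with_rollback(candidate: str, timeout: int = 30,
                        run: Callable[..., str] = run_nft,
                        confirm: Callable[[int], bool] = wait_for_confirm) -> List[List[str]]:
    """Snapshot, check, apply, then restore the snapshot unless confirmed.
    `candidate` is a complete config (it should start with `flush ruleset`,
    like /etc/nftables.conf). Returns the nft argument lists run, in order."""
    calls: List[List[str]] = []

    def nft(args: List[str], stdin_text: Optional[str] = None) -> str:
        calls.append(args)
        return run(args, stdin_text)

    # 1. Snapshot the live ruleset without counters (-s) so it can be restored.
    snapshot = atomic_config(nft(["-s", "list", "ruleset"]))
    # 2. Check only (-c): the candidate is parsed, nothing reaches the kernel.
    nft(["-c", "-f", "-"], candidate)
    # 3. Apply from stdin (-f -): no temporary file under world-writable /tmp.
    nft(["-f", "-"], candidate)
    # 4. No confirmation (e.g. the new rules cut our SSH session): restore.
    if not confirm(timeout):
        nft(["-f", "-"], snapshot)
    return calls


if __name__ == "__main__":
    # Usage: sudo python3 nft_apply.py /etc/nftables.conf
    with open(sys.argv[1]) as fh:
        executed = apply_with_rollback(fh.read())
    print("rolled back" if len(executed) == 4 else "kept")
```

The rollback path reuses exactly the mechanism the article describes: the snapshot is a stateless dump with flush ruleset prepended, loaded with nft -f in one transaction, so the previous rules return all at once rather than one by one.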

Address Families:

  • ip: IPv4
  • ip6: IPv6
  • inet: Combined IPv4/IPv6
  • arp: ARP packets
  • bridge: Bridge devices
  • netdev: packets at a network device's ingress (and, on recent kernels, egress) hook

  4. Disable iptables and Enable nftables

Run only one of the two. If both services are enabled, both rule sets hook into netfilter and every packet has to pass both, which makes the effective policy hard to reason about:

$ sudo systemctl disable iptables.service
$ sudo systemctl disable ip6tables.service
$ sudo systemctl enable nftables.service

  5. Further Resources

Tags: nftables firewall IPv4 ipv6 Linux

Posted on Sun, 17 May 2026 05:50:29 +0000 by Siggles