
---
title: "From Stretch to Buster: How to migrate from iptables to nftables?"
date: 2020-01-17
url: from-stretch-to-buster-how-to-migrate-from-iptables-to-nftables
layout: post
category: Tutorials
image: /img/blog/from-stretch-to-buster-how-to-migrate-from-iptables-to-nftables.png
description: A step-by-step tutorial for a(nother) not-so-guided Debian migration
---


Introduction

So here is the situation: you have just finished your migration to Debian Buster and were somewhat shocked by a few warnings about deep changes to the firewall?
Well, you are right to be: on Buster the iptables command is by default a compatibility layer on top of nftables (iptables-nft), and the legacy backend is on its way out.

There is plenty of documentation about this deprecation on the web, but what about a step-by-step guide summing up the whole idea behind the migration?

The procedure

nftables installation

{% highlight bash %}
apt install nftables
{% endhighlight %}

Pretty easy for a first step, huh ?

Convert your existing legacy rules

{% highlight bash %}
# Dump the live legacy rulesets, one file per address family
iptables-save > iptables.rules
ip6tables-save > ip6tables.rules
# Translate each dump with the matching tool: iptables-restore-translate emits an "ip" table,
# ip6tables-restore-translate an "ip6" table, so feeding both dumps to the IPv4 tool would
# mislabel the IPv6 rules
iptables-restore-translate -f iptables.rules > some_unreadable_rules.sh
ip6tables-restore-translate -f ip6tables.rules >> some_unreadable_rules.sh
{% endhighlight %}

(Re-)write your own rules

The step above is a plain syntax converter from iptables to nft: it translates rule by rule and does nothing to restructure or optimize the result. In particular, it keeps separate ip and ip6 tables, whereas a hand-written ruleset can use a single inet table for both families.
So this is the moment to rewrite your existing rules.

I'd recommend the official guide, some of the examples linked below, and the ones that come packaged with nftables, available right from your shell:

{% highlight bash %}
nano /usr/share/doc/nftables/examples/*.nft
{% endhighlight %}

OMG, did that guy really use nano in his snippet? 😨

  1. I don't care very much about what people think ;
  2. nano ships with syntax highlighting for nftables out of the box 😛

EDIT 2020-03-07 : I've (finally) written a syntax definition for Sublime Text 3+, it's available here.
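As an added example (not the author's ruleset), here is what a hand-written /etc/nftables.conf for a small server might look like once the translated output has been reworked into a single inet table covering IPv4 and IPv6: loopback, established connections, the ICMP types the stack needs, SSH with a rate limit on new connections, HTTP/HTTPS, and a drop policy with a counter so you can see what is being dropped. The service ports are assumptions; adapt them to the host.

```nft
#!/usr/sbin/nft -f
# Added example, not the post author's configuration. Ports 22/80/443 are assumed.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP is needed for path MTU discovery; ICMPv6 also for neighbour and router discovery
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # SSH: global rate limit on new connections; packets of existing sessions matched the ct rule above
        tcp dport 22 ct state new limit rate 10/minute accept
        tcp dport { 80, 443 } accept

        # Everything else falls through to the drop policy; count it so "nft list ruleset" shows the volume
        counter comment "dropped by input policy"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

The file starts with "flush ruleset" like the packaged default, so loading it with nft -f replaces the whole live ruleset atomically rather than merging into it.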

Jump in

At this step, I assume you have a reasonably clean nftables ruleset under /etc/nftables.conf (the default packaged location, and the file nftables.service loads).
We will first check that it passes nft's validation, which parses and evaluates the file without loading anything into the kernel:

{% highlight bash %}
nft -c -f /etc/nftables.conf
{% endhighlight %}

If that's the case:

{% highlight bash %}
systemctl enable --now nftables.service
{% endhighlight %}

Note that the packaged /etc/nftables.conf starts with "flush ruleset", so starting the service replaces everything currently loaded, including the tables that iptables-nft created behind the scenes.

If you're working on a remote server, at this step, I really hope that your SSH connection is still running 😄
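That hope can be turned into a guarantee. The script below is an added example, not from the original post: it validates the file, snapshots the live ruleset, arms a timer that restores the snapshot, loads the new file, and only keeps it once you confirm from a fresh SSH session. The script name nft-safe-apply.sh, the state directory /run/nft-safe-apply and the 120-second window are assumptions.

```shell
#!/bin/sh
# nft-safe-apply.sh: added example, not part of the original post.
# Loads /etc/nftables.conf with a timed rollback so a lockout undoes itself.
# Assumed: state directory /run/nft-safe-apply, 120 s confirmation window.
set -eu

NFT="${NFT:-nft}"                                  # nft binary (overridable, e.g. for testing)
RULES="${RULES:-/etc/nftables.conf}"               # Debian's default, the file nftables.service loads
STATE_DIR="${STATE_DIR:-/run/nft-safe-apply}"      # assumed location for the snapshot and timer pid
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"

# 1. Parse and evaluate the file without loading it (nft -c). A non-zero exit aborts the script (set -e).
check_ruleset() {
    "$NFT" -c -f "$1"
}

# 2. Snapshot the live ruleset as an nft script. It starts with "flush ruleset" so that
#    replaying it replaces whatever is loaded at that time instead of merging into it.
snapshot_ruleset() {
    mkdir -p "$STATE_DIR"
    {
        printf 'flush ruleset\n'
        "$NFT" list ruleset
    } > "$STATE_DIR/rollback.nft"
    printf '%s\n' "$STATE_DIR/rollback.nft"
}

# 3. Arm a background timer that restores the snapshot unless it is cancelled first.
#    Killing the subshell is enough: the "nft -f" after the sleep then never runs.
schedule_rollback() {
    ( sleep "$ROLLBACK_SECS" && "$NFT" -f "$1" ) &
    echo $! > "$STATE_DIR/rollback.pid"
}

# 4. Disarm the timer. Run this from a *new* SSH session, which proves the rules let you in.
cancel_rollback() {
    pid=$(cat "$STATE_DIR/rollback.pid") || return 1
    kill "$pid" 2>/dev/null || true
    rm -f "$STATE_DIR/rollback.pid"
}

rollback_armed() {
    [ -f "$STATE_DIR/rollback.pid" ] && kill -0 "$(cat "$STATE_DIR/rollback.pid")" 2>/dev/null
}

# Usage:  nft-safe-apply.sh apply      then, from a fresh login:  nft-safe-apply.sh confirm
case "${1:-}" in
    apply)
        check_ruleset "$RULES"
        snapshot=$(snapshot_ruleset)
        schedule_rollback "$snapshot"
        "$NFT" -f "$RULES"   # one transaction: the whole file is loaded, or nothing is
        echo "New ruleset loaded. Rollback to $snapshot in ${ROLLBACK_SECS}s unless you run: $0 confirm"
        ;;
    confirm)
        cancel_rollback && echo "Rollback timer cancelled, the new ruleset stays."
        ;;
esac
```

Once the new rules are confirmed this way, enabling nftables.service as above makes them persistent; the snapshot file is the same thing you would restore by hand if the timer had fired.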

Post-configuration : The whole system

Well, you have a brand new ruleset up and running, but there may be some caveats: other pieces of software.
Typically, you may have a Fail2Ban instance quietly running, and on its side it will still be using the legacy iptables layer: its iptables-* actions go through whichever iptables backend is selected, and their chains live outside your nftables.conf.

Fixing this issue is pretty straightforward (if you have a filter table with an input chain already defined):

{% highlight ini %}
# /etc/fail2ban/jail.local
[DEFAULT]
...
# Switch the default ban actions from the iptables-* actions to the nftables ones
banaction = nftables-multiport
banaction_allports = nftables-allports
...
{% endhighlight %}

You will probably have to restart it completely, as its chains may have disappeared when you flushed the iptables rules. Afterwards, nft list ruleset should show the chain and set Fail2Ban manages for its bans.

{% highlight bash %}
systemctl restart fail2ban.service
{% endhighlight %}

You get the point: this was a friendly reminder about the other services that will probably keep messing with iptables behind your back, and whose chains vanish every time nftables.service flushes the ruleset.

EDIT 2020-03-25 : If you are a virtualization guy, please note that libvirt does not support nftables yet and still manages its NAT networks through the iptables command. Docker is working well on Buster, but full nftables support is still expected.

Getting rid of legacy iptables

If you used the handy netfilter-persistent package:

{% highlight bash %}
apt autoremove --purge iptables-persistent
{% endhighlight %}

Kernel modules

{% highlight bash %}
nano /etc/modprobe.d/iptables-blacklist.conf
{% endhighlight %}

{% highlight text %}
blacklist x_tables
blacklist iptable_nat
blacklist iptable_raw
blacklist iptable_mangle
blacklist iptable_filter
blacklist ip_tables
blacklist ipt_MASQUERADE
blacklist ip6table_nat
blacklist ip6table_raw
blacklist ip6table_mangle
blacklist ip6table_filter
blacklist ip6_tables
{% endhighlight %}

Two caveats before you do this. First, a modprobe blacklist only stops a module from being auto-loaded through an alias; a module requested by name, or pulled in as a dependency of another module, still loads, so this is a safety net rather than a hard block (an "install <module> /bin/false" line is the hard block). Second, x_tables is not only the legacy backend: iptables-nft, and therefore Docker and Fail2Ban's iptables-* actions, still rely on the xt_* match and target modules, which depend on x_tables. Do not blacklist it on a host where any of those are still in use.

(Optional) Make Buster "nickel-chrome"

When upgrading from Stretch to Buster, the upgrade process may have tweaked your setup to keep it backward compatible with existing iptables rules: the iptables, ip6tables, arptables and ebtables commands are managed by update-alternatives and may still point at the -legacy variants.
Now that we use the default framework shipped with and advised by the Debian community, we can roll back to what a fresh Buster looks like:

{% highlight bash %}
# The idea is to (re-)point the *tables commands at their *tables-nft variants.
# From the official documentation: https://wiki.debian.org/nftables#Current_status
update-alternatives --set iptables /usr/sbin/iptables-nft
update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
update-alternatives --set arptables /usr/sbin/arptables-nft
update-alternatives --set ebtables /usr/sbin/ebtables-nft
{% endhighlight %}

You can check which backend a command currently uses with "iptables -V", which prints "(nf_tables)" or "(legacy)" after the version number.
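Before purging packages or blacklisting modules, it is worth checking that nothing still depends on the legacy backend. The script below is an added example, not from the original post or from Debian: it reads the legacy tables, the alternatives state and the loaded modules, and flags what would break. Parsing is kept separate from command execution so each parser can be exercised on constructed sample output. Command names follow iptables 1.8 as shipped in Buster (iptables-legacy-save, update-alternatives --query, iptables -V); the script name nft-migration-audit.sh is an assumption.

```shell
#!/bin/sh
# nft-migration-audit.sh: added example, not part of the original post.
# Flags leftovers of the legacy iptables backend before you blacklist its modules.
# Assumed: iptables 1.8 command names as shipped in Debian Buster.
set -eu

# Count actual rules in iptables-save format read from stdin: only "-A ..." lines,
# not the "*table", ":CHAIN policy" or COMMIT lines that an empty table still prints.
count_rules() {
    grep -c '^-A ' || true
}

# "Value:" line of `update-alternatives --query <name>` output -> path currently selected.
alternative_value() {
    sed -n 's/^Value: //p'
}

# Loaded xtables-family modules from `lsmod` output (the header line is skipped).
# xt_* / ipt_* / ip6t_* are also what iptables-nft uses via nft_compat, so their presence
# means "something still speaks iptables", not necessarily "legacy backend in use".
loaded_xtables_modules() {
    awk 'NR > 1 && $1 ~ /^(x_tables|ip_tables|ip6_tables|xt_|ipt_|ip6t_|iptable_|ip6table_)/ { print $1 }'
}

# Backend name from `iptables -V` output, e.g. "iptables v1.8.2 (nf_tables)" -> "nf_tables".
iptables_backend() {
    sed -n 's/.*(\([a-z_]*\)).*/\1/p'
}

audit() {
    status=0
    for fam in iptables ip6tables; do
        # Rules still present in the legacy backend would be silently lost once its modules are gone
        n=$("${fam}-legacy-save" 2>/dev/null | count_rules)
        if [ "$n" -ne 0 ]; then
            echo "WARN: $n rule(s) still loaded in the legacy $fam backend (${fam}-legacy-save)"
            status=1
        fi
        # The alternative decides which backend every caller of "$fam" (Docker, Fail2Ban, scripts) gets
        target=$(update-alternatives --query "$fam" 2>/dev/null | alternative_value)
        case "$target" in
            *-nft) ;;
            *) echo "WARN: $fam alternative points to '${target:-unset}', not the -nft variant"; status=1 ;;
        esac
        echo "INFO: $fam reports backend: $("$fam" -V 2>/dev/null | iptables_backend)"
    done
    mods=$(lsmod | loaded_xtables_modules | tr '\n' ' ')
    [ -z "$mods" ] || echo "INFO: xtables modules loaded (needed by iptables-nft, Docker, Fail2Ban iptables-* actions): $mods"
    return "$status"
}

if [ "${1:-}" = "audit" ]; then
    audit
fi
```

Run it as "sh nft-migration-audit.sh audit"; a non-zero exit means something still points at, or still holds rules in, the legacy backend and the blacklist step above should wait.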

Conclusion

Well, as you will have understood, the real idea behind all this is to take the time to fully rewrite your own firewall with this "new" tool.
It is also a good time to review the existing rules, decide whether each one is still required, and optimize them with the features nftables brings (sets and maps, a single inet table for IPv4 and IPv6, atomic ruleset reloads).

Sources (as well as some inspiring examples)