A missing blog post image

Introduction

So here is a hot take : You have just ended your migration to Debian Buster and were pretty chocked by some warnings about firewall deep changes ?
Well, you’re right.

There is plenty of documentation addressing this deprecation on the WWW, but what about a step-by-step guide summing up the whole idea behind this migration ?

The procedure

nftables installation

apt install nftables

Pretty easy for a first step, huh ?

Convert your existing legacy rules

(iptables-save ; ip6tables-save) > iptables.rules
iptables-restore-translate -f iptables.rules > some_unreadable_rules.sh

(Re-)write your own rules

The step above is actually a “stupid” syntax converter from iptables to nft, without a real extensive “processing” to optimize them.
So at this moment, you may wanna rewrite your existing rules.

I’d advise you the official guide, some of the below examples and some others packaged and already available right from your shell :

nano /usr/share/doc/nftables/examples/*.nft

OMG, did that guy really used nano in its snippet ? :fearful:

1) I don’t care very much about what people think ;
2) nano got by default a syntax highlighting for nftables :stuck_out_tongue:

EDIT 2020-03-07 : I’ve (finally) written a syntax definition for Sublime Text 3, it’s available here.

Jump in

At this step, I assume you got some pretty clean nftables rules set under /etc/nftables.conf (the default packaged location).
We will first be checking whether they actually pass the nft validation procedure :

nft -c -f /etc/nftables.conf

If that’s the case :

systemctl enable --now nftables.service

If you’re working on a remote server, at this step, I really hope that your SSH connection is still running :smile:

Post-configuration : The whole system

Well, you got brand new rules set and running, but there may be some cave-eats : Other pieces of software.
Typically, you are maybe running a quiet Fail2Ban instance, and on its side, it will be still using the legacy iptables layer.

Fixing this issue is pretty straightforward (if you got a filter table with an input chain already defined) :

nano /etc/fail2ban/jail.local
: '
# ...
banaction = nftables-multiport
# ...
'

# You will maybe have to restart it completely, as...
# ... its chain(s) might have disappeared when you flushed your iptables rules.
systemctl restart fail2ban.service

You got the point : This was a friendly reminder for the other services, that will probably keep messing with iptables behind your back…

EDIT 2020-03-25 : If you are a virtualization guy, please notice that libvirt does not support nftables yet. Docker is working well on Buster, but full nftables support is still expected.

Getting rid of legacy iptables

# If you used the handy `netfilter-persistent` package :
apt autoremove --purge iptables-persistent

# Kernel modules
nano /etc/modprobe.d/iptables-blacklist.conf
: '
blacklist x_tables
blacklist iptable_nat
blacklist iptable_raw
blacklist iptable_mangle
blacklist iptable_filter
blacklist ip_tables
blacklist ipt_MASQUERADE
blacklist ip6table_nat
blacklist ip6table_raw
blacklist ip6table_mangle
blacklist ip6table_filter
blacklist ip6_tables
'

(Optional) Make Buster “nickel-chrome”

When we upgrade from Stretch to Buster, the upgrade process might have tweaked a bit your setup to keep it backward compatible with potential existing iptables rules.
As we now use the default framework shipped in and advised by the Debian community, we may rollback to what a fresh Buster should look like :

# The idea is to make `*tables` scripts now (re-)pointing to `*tables-nft` ones.
# From official documentation : <https://wiki.debian.org/nftables#Current_status>
update-alternatives --set iptables /usr/sbin/iptables-nft
update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
update-alternatives --set arptables /usr/sbin/arptables-nft
update-alternatives --set ebtables /usr/sbin/ebtables-nft

Conclusion

Well, you’d have understood, the real idea behind this is to take some time to fully rewrite its own firewall using this “new” tool.
It might also be a good time to review existing rules, to decide whether they are still required or not, and maybe to optimize them with the awesome features brought by nftables.

Sources (as long as some inspiring examples)