Replace iptables with nftables
-
It seems that iptables is being replaced with nftables (it's standard in Debian 10)
https://wiki.debian.org/nftables
Should I replace an iptables firewall with a nftables one?
Yes, nftables is the replacement for iptables. There are some tools in place to ease in this task.
Please read: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
Why a new framework?
The previous framework (iptables) has several problems hard to address, regarding scalability, performance, code maintenance, etc..
What are the major differences?- In iptables there are several tables (filter, nat) and chains (FORWARD, INPUT...) by default. In nftables, there are no default tables/chains.
- Also, in iptables you only have one target per rule (-j ACCEPT, -j LOG ...). In nftables, you can perform several actions in one single rule.
- nftables includes built-in data sets capabilities. In iptables this is not possible, and there is a separated tool: ?ipset.
- In the iptables framework there are tools per family: iptables, ip6tables, arptables, ebtables. Now, nftables allows you to manage all families in one single CLI tool.
- This new framework features a new linux kernel subsystem, known as nf_tables. The new engine mechanism is inspired by BPF-like systems, with a set of basic expressions, which can be combined to build complex filtering rules.
-
Thanks for the info. We in fact want to move to ufw instead. It seems most users are more comfortable with ufw and not iptables which is too low level.
-
@girish I don't expect that to take too much time too, UFW's backend is iptables so really just sorting out the UFW cli / api should be relatively simple****
-
@girish Is it happening? Was looking to customize some settings but I'm not touching iptables.
-
Glad to know about it.
-
@girish UFW isn't really its own firewall, its a front end for iptables, and probably nftables.
-
@girish the main issue with ufw is that is doesn't support managing any rules in specific chains. (for example the important INPUT chain or the custom CLOUDRON chain).
We need ways for at least this to be able to fully manage the range of apps and services we need.
-
@robi In the recent release, we added a way to blacklist IPs and also whitelist additional ports. Do these two things cover most cases? https://docs.cloudron.io/networking/#firewall
-
@girish ooh that's great! I knew about the blocklist (bye-bye .cn) but not the whitelist.
can you add a udp port example to the whitelist docs?
I keep struggling to keep mosh accessible after a cloudron reboot and it would make sense to simply add mosh support to the default install. (thoughts?)
It's also not clear if IP port ranges are supported in the whitelist. (mosh ports listed as: 60000-60010 or 60000:60010 didn't work.)
Do I need to list all the ports in the range?
Also, why does the cloudron-firewall restart take so long? 15-20secs is disturbingly long.
json is ugh, does it make sense to also convert it to plain text like the blocklist?
-
@robi said in Replace iptables with nftables:
can you add a udp port example to the whitelist docs?
Currently, only tcp is supported. I will look into adding udp, it should be straightforward.
Also, why does the cloudron-firewall restart take so long? 15-20secs is disturbingly long.
I think that's the time the kernel is taking to add your blocklist to ipset. I imagine it's pretty big? How many entries does it have?
-
Currently, only tcp is supported. I will look into adding udp, it should be straightforward.
Hmm, then why am I seeing some of the udp ports I added?
I also see iptables -L | grep 50000:51000
what is this for? looks like a typo for mosh (60000-61000)I think that's the time the kernel is taking to add your blocklist to ipset. I imagine it's pretty big? How many entries does it have?
oh yes, 13,687 IPs in blocklist now (cn, ru), 25 seconds to load.
Life of Gratitude.
Life of CT Gifts -
@robi said in Replace iptables with nftables:
I also see iptables -L | grep 50000:51000
That's for the TURN server.
-
ooh that's usable for mosh too with the -p parameter.
let's just make mosh a default thing please!
