Hands-on lab for nftables on Ubuntu

For this lab, you'll need a clean snapshot of your Ubuntu 18.04 virtual machine:

  1. Restore your Ubuntu virtual machine to a clean snapshot to clear out any firewall configurations that you created previously. (Or, if you prefer, start with a new virtual machine.) Disable ufw and verify that no firewall rules are present:
     sudo systemctl disable --now ufw
     sudo iptables -L

     You should see no rules listed for iptables.

  2. Install the nftables package:
     sudo apt install nftables

  3. Copy the workstation template over to the /etc directory and rename it nftables.conf:
     sudo cp /usr/share/doc/nftables/examples/syntax/workstation /etc/nftables.conf

  4. Edit the /etc/nftables.conf file to create your new configuration. (Note that due to formatting constraints, I have to break this into three different code blocks.) Make the top portion of the file look like this:
     #!/usr/sbin/nft -f

     flush ruleset

     table inet filter {
         chain prerouting {
             type filter hook prerouting priority 0;
             ct state invalid counter log prefix "Invalid Packets: " drop

             tcp flags & (fin|syn|rst|ack) != syn ct state new counter log prefix "Invalid Packets 2: " drop
         }

  5. Make the second portion of the file look like this:
         chain input {
             type filter hook input priority 0;
             # accept any localhost traffic
             iif lo accept
             # accept traffic originated from us
             ct state established,related accept
             # activate the following line to accept common local services
             tcp dport 22 ip saddr { 192.168.0.7, 192.168.0.10 } log prefix "Blocked SSH packets: " drop

             tcp dport { 22, 53 } ct state new accept
             udp dport 53 ct state new accept
             ct state new,related,established icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

  6. Make the final portion of the file look like this:
             ct state new,related,established icmpv6 type { destination-unreachable, time-exceeded, parameter-problem } accept

             # accept neighbour discovery otherwise IPv6 connectivity breaks.
             ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

             # count and drop any other traffic
             counter log prefix "Dropped packet: " drop
         }
     }

  7. Save the file and reload nftables:
     sudo systemctl reload nftables

  8. View the results:
     sudo nft list tables
     sudo nft list table inet filter
     sudo nft list ruleset

  9. From either your host computer or from another virtual machine, do a Window scan against the Ubuntu virtual machine:
     sudo nmap -sW ip_address_of_UbuntuVM

 10. Look at the packet counters to see which blocking rule was triggered (hint: it's in the prerouting chain):
     sudo nft list ruleset

 11. This time, do a null scan of the virtual machine:
     sudo nmap -sN ip_address_of_UbuntuVM

 12. Finally, look at which rule was triggered this time (hint: it's the other one in the prerouting chain):
     sudo nft list ruleset

 13. In the /var/log/kern.log file, search for the Invalid Packets text string to view the messages about the dropped invalid packets.
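As an added example (not part of the original lab), two small shell helpers for reading the results of steps 10 through 13: one pulls the per-rule packet counters out of `sudo nft list ruleset` output, the other groups the kern.log entries written by the `log prefix` rules by prefix and source address. The ruleset text and log lines embedded in the script are constructed samples (the ruleset is abridged), so it runs offline; in use you would pipe the real `sudo nft list ruleset` output or `/var/log/kern.log` into the functions instead.

```shell
# Added example (not part of the original lab): read the results of the lab's
# counter/log rules from "nft list ruleset" output and from kern.log lines.
# Every input below is constructed sample data, not a real capture.

# Print "packets<TAB>prefix" for each rule carrying both a counter and a log
# prefix (stdin: output of "sudo nft list ruleset").
nft_rule_hits() {
    awk '
        /counter packets [0-9]+/ && /log prefix "/ {
            match($0, /counter packets [0-9]+/)
            pkts = substr($0, RSTART + 16, RLENGTH - 16)
            match($0, /log prefix "[^"]*"/)
            prefix = substr($0, RSTART + 12, RLENGTH - 13)
            sub(/: *$/, "", prefix)          # drop the trailing ": " of the prefix
            print pkts "\t" prefix
        }'
}

# Print "count<TAB>prefix<TAB>source" per log prefix and SRC= address
# (stdin: /var/log/kern.log). Lines without a netfilter prefix are skipped.
nft_log_summary() {
    awk '
        match($0, /kernel: \[ *[0-9.]+] /) {
            rest = substr($0, RSTART + RLENGTH)
            p = index(rest, ": IN=")
            if (p == 0) next
            prefix = substr(rest, 1, p - 1)
            src = "?"
            if (match(rest, /SRC=[^ ]+/)) src = substr(rest, RSTART + 4, RLENGTH - 4)
            counts[prefix "\t" src]++
        }
        END { for (k in counts) print counts[k] "\t" k }' | sort
}

SAMPLE_RULESET='table inet filter {
    chain prerouting {
        ct state invalid counter packets 3 bytes 120 log prefix "Invalid Packets: " drop
        tcp flags & (fin | syn | rst | ack) != syn ct state new counter packets 7 bytes 280 log prefix "Invalid Packets 2: " drop
    }
    chain input {
        iif "lo" accept
        counter packets 12 bytes 960 log prefix "Dropped packet: " drop
    }
}'
SAMPLE_LOG='Mar  3 10:15:01 ubuntu kernel: [  812.130342] Invalid Packets: IN=enp0s3 OUT= MAC=08:00:27:11:22:33:08:00:27:44:55:66:08:00 SRC=192.168.0.5 DST=192.168.0.20 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=43210 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
Mar  3 10:15:02 ubuntu kernel: [  813.004118] Invalid Packets 2: IN=enp0s3 OUT= MAC=08:00:27:11:22:33:08:00:27:44:55:66:08:00 SRC=192.168.0.5 DST=192.168.0.20 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP SPT=43211 DPT=80 WINDOW=1024 RES=0x00 URGP=0
Mar  3 10:15:03 ubuntu kernel: [  814.220507] Invalid Packets 2: IN=enp0s3 OUT= MAC=08:00:27:11:22:33:08:00:27:44:55:66:08:00 SRC=192.168.0.5 DST=192.168.0.20 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=TCP SPT=43212 DPT=443 WINDOW=1024 RES=0x00 URGP=0
Mar  3 10:15:04 ubuntu kernel: [  815.900021] Blocked SSH packets: IN=enp0s3 OUT= MAC=08:00:27:11:22:33:08:00:27:44:55:66:08:00 SRC=192.168.0.7 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=TCP SPT=50000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:05 ubuntu kernel: [  816.100000] audit: type=1400 apparmor="STATUS" operation="profile_load"'
printf '%s\n' "$SAMPLE_RULESET" | nft_rule_hits; printf '%s\n' "$SAMPLE_LOG" | nft_log_summary
```

The second helper is the scripted form of step 13: a source that keeps showing up under "Invalid Packets 2" is one sending TCP segments whose flag combination the prerouting rule rejects, which is what the scans in steps 9 and 11 produce.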

That's the end of this lab – congratulations!

In this section, we looked at the ins and outs of nftables, and looked at ways to configure it to help prevent certain types of attacks. Next, we'll turn our attention to the mysteries of firewalld.