CentOS Stream 9
Sponsored Link

Nftables : Enable Service2022/06/29

 
This is the Basic Operation of Nftables.
[1] On RHEL 9 / CentOS Stream 9, nftables is used as the default Firewalld backend.
[root@dlp ~]#
grep nftables /etc/firewalld/firewalld.conf

#       - nftables (default)
FirewallBackend=nftables
[2] If you use nftables directly, disable firewalld service to avoid that the different firewall services influence each other.
Furthermore, enable nftables.service that restores filtering ruleset when system restarts.
[root@dlp ~]#
systemctl disable --now firewalld

Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

[root@dlp ~]#
systemctl enable --now nftables

Created symlink /etc/systemd/system/multi-user.target.wants/nftables.service → /usr/lib/systemd/system/nftables.service.

# [nftables.service] restores ruleset from [/etc/sysconfig/nftables.conf]

[root@dlp ~]#
systemctl cat nftables.service

# /usr/lib/systemd/system/nftables.service
[Unit]
Description=Netfilter Tables
Documentation=man:nft(8)
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
ProtectSystem=full
ProtectHome=true
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

# [/etc/sysconfig/nftables.conf] has no setting by default

[root@dlp ~]#
cat /etc/sysconfig/nftables.conf

# Uncomment the include statement here to load the default config sample
# in /etc/nftables for nftables service.

#include "/etc/nftables/main.nft"

# To customize, either edit the samples in /etc/nftables, append further
# commands to the end of this file or overwrite it after first service
# start by calling: 'nft list ruleset >/etc/sysconfig/nftables.conf'.
[3] If you switch to nftables service with using the ruleset configured on Firewalld, configure like follows.
# confirm Firewalld rules ( based on that firewalld is running )

[root@dlp ~]#
firewall-cmd --list-all

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

# confirm current ruleset of nftables as the Firewalld backend

[root@dlp ~]#
nft list ruleset

table inet firewalld {
        chain mangle_PREROUTING {
                type filter hook prerouting priority mangle + 10; policy accept;
                jump mangle_PREROUTING_ZONES
        }

        chain mangle_PREROUTING_POLICIES_pre {
                jump mangle_PRE_policy_allow-host-ipv6
        }

        chain mangle_PREROUTING_ZONES {
                iifname "enp1s0" goto mangle_PRE_public
                goto mangle_PRE_public
        }

        chain mangle_PREROUTING_POLICIES_post {
        }
.....
.....

# output the current ruleset to [/etc/sysconfig/nftables.conf]

[root@dlp ~]#
nft list ruleset > /etc/sysconfig/nftables.conf
# disable firewalld service & enable nftables service

[root@dlp ~]#
systemctl disable --now firewalld

[root@dlp ~]#
systemctl enable --now nftables
# confirm ruleset

[root@dlp ~]#
nft list ruleset

table inet firewalld {
        chain mangle_PREROUTING {
                type filter hook prerouting priority mangle + 10; policy accept;
                jump mangle_PREROUTING_ZONES
        }

        chain mangle_PREROUTING_POLICIES_pre {
                jump mangle_PRE_policy_allow-host-ipv6
        }
.....
.....

# for example, it's possible to show settings of allowed services [services: cockpit dhcpv6-client ssh] on [firewalld] like follows

[root@dlp ~]#
nft list chain inet firewalld filter_IN_public_allow

table inet firewalld {
        chain filter_IN_public_allow {
                tcp dport 22 ct state { new, untracked } accept
                ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
                tcp dport 9090 ct state { new, untracked } accept
        }
}
Matched Content