Overview

For this challenge we’ve been tasked with migrating systems to use the nftables firewall. We will need to enable the service, configure the rules, and enable logging on the Domain Controller.

Uninstall Iptables

To clear the iptables policies we’ll run the following commands (as root):

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

Uninstall iptables

sudo apt remove iptables

Repeat these steps for the Fileshare host.

Enable Nftables Service

First, we need to install nftables

sudo apt install nftables

Then we’ll start and enable the service

sudo systemctl start nftables
sudo systemctl enable nftables

Note: When installing nftables on the Fileshare machine it installs it as an init.d package. We’ll need to move the daemon from /etc/init.d/ to /etc/systemd/system/

Filtering Traffic

We can view the iptables rules by reading the file on the desktop

To create the rules in nftables we’ll need to create a table and chain.

To create the table run the command:

nft add table inet filter

To create the chain:

nft add chain inet filter input { type filter hook input priority 0 ; policy drop ; }

To create rules in nftables the command syntax is:

nft add rule

We need to allow HTTP, HTTPS, and SSH traffic, so our rules will be:

sudo nft add rule inet filter input tcp dport 80 accept
sudo nft add rule inet filter input tcp dport 443 accept
sudo nft add rule inet filter input tcp dport 22 log prefix "SSH DETECTED" accept

We can use the sudo nft list ruleset command to list the current rules.

To load these rules whenever the system reboots / the nftables service restarts we’ll need to add them to the configuration file.