1
00:00:00,000 --> 00:00:11,640
In this lesson, you will learn about nftables, which is a modern replacement for the iptables

2
00:00:11,640 --> 00:00:18,219
command. You'll encounter it every once in a while, so you better know what it is about.

3
00:00:18,219 --> 00:00:26,120
So firewalld manages nftables rules using firewall-cmd. And ufw is using the ufw command

4
00:00:26,120 --> 00:00:31,400
as a frontend. And that is convenient for easy setup. But if you really need to get

5
00:00:31,400 --> 00:00:40,119
access to detailed and advanced access control, nftables is the only way. And when using nftables,

6
00:00:40,119 --> 00:00:46,459
firewalld or ufw needs to be disabled. So let me show you how to first do the initial

7
00:00:46,459 --> 00:00:50,959
setup. I'm showing you the slide so you can work on it for yourself if you want to before

8
00:00:50,959 --> 00:00:58,040
I'm demonstrating. And after doing the initial setup, you can allow web traffic, for instance,

9
00:00:58,040 --> 00:01:08,000
using a configuration like this. Let me show you. So I need to install it using dnf install

10
00:01:08,000 --> 00:01:15,959
nftables. It's not installed by default, but with a simple command, it will be. And next,

11
00:01:15,959 --> 00:01:27,480
I'm using systemctl enable --now nftables. And let's also use a systemctl stop

12
00:01:27,480 --> 00:01:36,800
firewalld and a systemctl disable firewalld. And to prevent any accidents, I'm also going

13
00:01:36,800 --> 00:01:42,599
to mask it so that if somebody thinks, hey, firewalld, that needs to be started, you'll

14
00:01:42,599 --> 00:01:50,360
get an error message telling you that it is masked. Now I'm showing you nft list ruleset,

15
00:01:50,360 --> 00:01:59,400
which is showing no rules at all. That's normal because we are just beginning. So in order to do

16
00:01:59,400 --> 00:02:09,080
so, I'm using nft add table inet web traffic. So the table is a collection of rules that I'm

17
00:02:09,080 --> 00:02:17,080
creating right here. And next, nft, between single quotes, add chain. Within a table, you create a

18
00:02:17,080 --> 00:02:25,119
chain, and a chain is a collection of rules. So in inet web traffic, I'm creating the chain with

19
00:02:25,119 --> 00:02:35,279
the name input. And the type is set to filter. And we need hook input priority filter to make

20
00:02:35,279 --> 00:02:41,960
it complete. And also we are going to set the policy to drop. Now here you can see that the

21
00:02:41,960 --> 00:02:49,320
syntax is JSON-like syntax. And you need curly braces and semicolons and single quotes. It's

22
00:02:49,320 --> 00:02:56,399
very easy to make a typo in here. And that is why in most situations, people are using easy frontends

23
00:02:56,679 --> 00:03:11,720
like firewalld. Now let's use nft add rule inet web traffic input ct state related,established

24
00:03:13,720 --> 00:03:20,839
accept. So what does that mean? That means that in this rule, we are going to accept answers to get

25
00:03:20,839 --> 00:03:34,039
back. And following that, I'm using nft add rule inet web traffic input tcp dport 80,443

26
00:03:35,720 --> 00:03:42,880
accept. It's nice that you can specify a comma-separated list in this case. And now nft list

27
00:03:43,320 --> 00:03:55,720
ruleset inet web traffic is showing the configuration. And next, if I want to verify, I can use nft list

28
00:03:56,039 --> 00:04:03,039
ruleset. And that will be enough. This is showing all the rules that are currently available, nicely

29
00:04:03,039 --> 00:04:09,279
formatted in this input chain. And if you like that, then you are going to repeat the command nft list

30
00:04:09,279 --> 00:04:17,440
ruleset, and you write it to the configuration file /etc/nftables.conf. And then the only thing that you

31
00:04:17,440 --> 00:04:24,920
need to do is to restart. Now, I don't want to have any problems in the remaining lessons in this course.

32
00:04:25,160 --> 00:04:35,519
And for that reason, I'm going to finish this demo with a systemctl disable --now nftables.

33
00:04:35,519 --> 00:04:43,839
If you don't do that, you might get into trouble later on while following other videos in this course.

