Migration to nftables : from ipset and bogons
We’re in 2019 and it’s time to turn the page about iptables and do a warm welcome to nftables.
In this post, you will look few things about this migration. In addition, you’ll find the link to my repository where you have a shell script ready to use to update your bogons’ sets.
Quick remembers about the initial setup
I use ipset and iptables to manage this big filter :
- ipset: manage all bogons range IP
- iptables to do the filter on forward, input (prerouting), and output
If you want more information about it : Using ipset and iptables to block full bogons
Why is it important to migrate to nftables?
nftables will read in all of the included config files, create the config object in memory alongside the existing config, and then in one atomic operation it swaps the old config for the new one meaning there is no moment when the firewall is partially configured - https://wiki.nftables.org/wiki-nftables/index.php/Atomic_rule_replacement
From ipset to sets
With nftables, it’s impossible to use ipset, we need to implement it in sets (native in nftables).
I init it with an element but it’s facultative. In other words, you just need to remove the line “elements = { 0.0.0.0/8 }”.
From iptables to nftables
I won’t rewrite all my README from my git repository but just the most strange.
By default, no RAW PREROUTING chain exists, you need to create it, it’s like just a PREROUTING in the table filter.
I told you that RAW doesn’t exist … It’s the hard part in nftables when you come from iptables.
Where is the code?
On GitHub: bogons_nftables
You’ll find my bash script to automatically update sets with new fullbogons from Team Cymru
I hope this can help you 😉