"nftables" and "nft" on CentOS

This section provides a tutorial example on how to use the "nftables" daemon and the "nft" CLI to manage the network firewall on CentOS 8 systems.

The best tool to manage the network firewall on CentOS systems is the "firewall-cmd" frontend tool. But if you want to use the backend tool, you can follow this tutorial to use the "nftables" daemon and "nft" command.

1. Make sure that you have the latest version of "nftables" installed with the "dnf info" command:

herong$ sudo dnf info nftables

Installed Packages
Name         : nftables
Epoch        : 1
Version      : 0.9.0
Release      : 14.el8
Architecture : x86_64
Size         : 848 k
Source       : nftables-0.9.0-14.el8.src.rpm
Repository   : @System
From repo    : anaconda
Summary      : Netfilter Tables userspace utilities
URL          : http://netfilter.org/projects/nftables/
License      : GPLv2
Description  : Netfilter Tables userspace utilities.

2. Make sure that the "nftables" service is running with the "systemctl status" command. If it is inactive, enable and start it:

herong$ sudo systemctl status nftables
nftables.service - Netfilter Tables
   Loaded: loaded (/usr/lib/systemd/system/nftables.service; disabled;
           vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:nft(8)

herong$ sudo systemctl enable nftables
Created symlink /etc/systemd/system/multi-user.target.wants/nftables.service ...

herong$ sudo systemctl start nftables

herong$ sudo systemctl status nftables
nftables.service - Netfilter Tables
  Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; ...
  Active: active (exited)
    Docs: man:nft(8)
 Process: 5226 ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
Main PID: 5226 (code=exited, status=0/SUCCESS)

3. List all rule tables with the "nft" command.

herong$ sudo nft list tables

table ip filter
table ip6 filter
table bridge filter
table ip security
table ip raw
table ip mangle
table ip nat
table ip6 security
table ip6 raw
table ip6 mangle
table ip6 nat
table bridge nat
table inet firewalld
table ip firewalld
table ip6 firewalld

4. List all rules in the "ip/firewalld" table with the "nft" command.

herong$ sudo nft list table ip firewalld | more

table ip firewalld {
  chain nat_PREROUTING {
    type nat hook prerouting priority -90; policy accept;
    jump nat_PREROUTING_ZONES
  }

  chain nat_PREROUTING_ZONES {
    iifname "virbr0" goto nat_PRE_libvirt
    iifname "eno1" goto nat_PRE_public
    goto nat_PRE_public
  }

  chain nat_POSTROUTING {
    type nat hook postrouting priority 110; policy accept;
    jump nat_POSTROUTING_ZONES
  }

  chain nat_POSTROUTING_ZONES {
    oifname "virbr0" goto nat_POST_libvirt
    oifname "eno1" goto nat_POST_public
    goto nat_POST_public
  }

  chain nat_PRE_public {
  ...

As you can see, the rule syntax that "nft" exposes is more complicated than that of "firewall-cmd": each base chain declares the netfilter hook, priority and default policy it is attached to, and per-zone chains are reached through interface dispatch rules such as 'iifname "eno1" goto nat_PRE_public'.
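To make the firewalld-generated table easier to audit, here is an added Python example (not from the original page) that parses the "nft list table" text above into chains, separates base chains (those carrying a hook, priority and policy) from regular zone chains, and reports which interface is dispatched to which zone chain. The sample input is constructed from the excerpt above, trimmed and closed with a final brace so it parses as a complete table.

```python
import re
# Constructed sample: the "nft list table ip firewalld" excerpt above, trimmed and closed.
SAMPLE = """\
table ip firewalld {
  chain nat_PREROUTING {
    type nat hook prerouting priority -90; policy accept;
    jump nat_PREROUTING_ZONES
  }
  chain nat_PREROUTING_ZONES {
    iifname "virbr0" goto nat_PRE_libvirt
    iifname "eno1" goto nat_PRE_public
    goto nat_PRE_public
  }
}
"""
CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{$")
BASE_RE = re.compile(r"^type\s+\w+\s+hook\s+(\w+)\s+priority\s+(-?\d+);\s*policy\s+(\w+);$")
DISPATCH_RE = re.compile(r'^(?:(?:iifname|oifname)\s+"([^"]+)"\s+)?(?:goto|jump)\s+(\S+)$')

def parse_table(text):
    """Split one nft table into {chain: {hook, priority, policy, rules}}."""
    chains, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = CHAIN_RE.match(line)
        if m:
            current = chains[m.group(1)] = {"hook": None, "priority": None, "policy": None, "rules": []}
        elif line == "}":
            current = None  # end of the current chain (or of the table itself)
        elif current is not None and line:
            b = BASE_RE.match(line)
            if b:  # base chain header: this chain is attached to a netfilter hook
                current.update(hook=b.group(1), priority=int(b.group(2)), policy=b.group(3))
            else:
                current["rules"].append(line)
    return chains

def base_chains(chains):
    """Only hooked (base) chains see packets directly; regular chains must be jumped to."""
    return sorted((n, c["hook"], c["priority"], c["policy"]) for n, c in chains.items() if c["hook"])

def zone_dispatch(chains, zones_chain):
    """Interface -> zone chain map from a firewalld *_ZONES chain; '*' is the catch-all."""
    table = {}
    for rule in chains[zones_chain]["rules"]:
        m = DISPATCH_RE.match(rule)
        if m:
            table[m.group(1) or "*"] = m.group(2)
    return table
```

On a real system, feed parse_table() the output of "sudo nft list table ip firewalld" instead of SAMPLE to see every base chain's hook and policy and the full interface-to-zone mapping.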
