Set up a firewall on Debian 11 or newer using nftables

Nftable is the new tool for firewall configuration in newer Debian releases.

Having a functional firewall on the server is an important step in security work. In this guide, we will create a basic firewall that you can later extend with your own rules. The guide assumes a newly installed Cloud VM running Debian 11. If you want to set up a firewall on Ubuntu 22.04, we have a guide for that here: "Set up a firewall on Ubuntu 22.04 or newer using UFW".

In Debian 11 and newer, iptables has been replaced by nftables. There are several advantages to nftables, including the ability to create rules that apply to both IPv4 and IPv6. The syntax in nftables is also somewhat simplified. Another benefit is that there is a ready‑made file where we can place the rules, and a ready‑made systemd unit to start and stop the firewall.

Activate the firewall

All the required programs are already installed on Debian 11. However, you still need to enable and start the firewall. Do this with the following two commands:

Multiple commands

sudo systemctl enable nftables.service
sudo systemctl start nftables.service

Now you can test that the firewall is working by listing the rules. By default, nothing is filtered, but Debian provides a basic configuration for input, forward, and output. List the rules with the command:

Command

sudo nft list ruleset

The output should look similar to this:

Output

table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }
}

The basic configuration we see above comes from the file /etc/nftables.conf, confirming that nftables is working. If you display the contents of that file, it will match the output from the command you just ran. You can try this with cat /etc/nftables.conf. The output should be:

/etc/nftables.conf

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0;
        }
        chain forward {
                type filter hook forward priority 0;
        }
        chain output {
                type filter hook output priority 0;
        }
}

Create firewall rules

Now it’s time to add some firewall rules. The rules we’ll create here, in this example, allow incoming traffic for SSH, HTTP, and HTTPS. We'll also permit ICMP ("ping") and traceroute. To make IPv6 work, we'll allow both ICMP and the "next header". For the local loopback interface (lo), we'll allow all traffic. To ensure that the traffic we initiate ourselves—from the server—works correctly, we'll also allow incoming traffic that is related to or part of an already established connection.

For outbound traffic from the server, we'll also allow HTTP, HTTPS, ICMP ("ping"), and traceroute. To enable name resolution, we'll allow DNS queries on UDP port 53. We'll also allow NTP queries on UDP port 123 for time synchronization.

The final rule for both inbound and outbound traffic is a rule that drops (drop) all traffic. Rules are evaluated in the order they appear, so the rules that allow traffic will be processed before the final rule that blocks everything.

All of these rules apply to both IPv4 and IPv6—except for the special rules for ICMPv6 and "next header," which apply only to IPv6.

Add the rules to the file /etc/nftables.conf. Open the file with nano or vi and edit it so that it looks like the example below (the file is owned by root, so you need to open it with sudo nano /etc/nftables.conf or sudo vi /etc/nftables.conf).

/etc/nftables.conf

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0;
                # accept all traffic on the lo interface (localhost)
                iif lo accept

                # accept incoming traffic that was initiated by us
                ct state established,related accept

                # accept incoming connections to SSH, HTTP, and HTTPS
                tcp dport { 22, 80, 443 } ct state new counter accept

                # allow incoming traceroute
                udp dport 33434-33524 ct state new counter accept

                # allow "next header" and ping over IPv6, otherwise we lose IPv6 connectivity
                ip6 nexthdr icmpv6 counter accept

                # allow incoming icmp (ping) over IPv4
                ip protocol icmp counter accept

                # block (and count) all other incoming traffic
                counter drop
        }
        chain forward {
                type filter hook forward priority 0;
        }
        chain output {
                type filter hook output priority 0;
                # accept all traffic on the lo interface (localhost)
                iif lo accept

                # acceptera all utgående trafik som redan har initierats
                ct state established,related accept

                # accept all outgoing traffic to HTTP and HTTPS
                tcp dport { 80, 443 } ct state new counter accept

                # accept outgoing requests to DNS servers and NTP servers
                udp dport { 53, 123 } ct state new counter accept

                # allow traceroute
                udp dport 33434-33524 ct state new counter accept

                # allow "next header" and ping over IPv6, otherwise we lose IPv6 connectivity
                ip6 nexthdr icmpv6 counter accept

                # allow icmp (ping) over IPv4
                ip protocol icmp counter accept

                # block (and count) all other outgoing traffic
                counter drop
        }
}

After you have added all the rules and saved the file, reload the firewall rules for them to take effect. Do this with the systemctl command:

Command

sudo systemctl reload nftables.service

Now, let's verify that it works with sudo nft list ruleset. The output should be:

Output

table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
                iif "lo" accept
                ct state established,related accept
                tcp dport { 22, 80, 443 } ct state new counter packets 2 bytes 84 accept
                udp dport 33434-33524 ct state new counter packets 0 bytes 0 accept
                ip6 nexthdr ipv6-icmp counter packets 0 bytes 0 accept
                ip protocol icmp counter packets 0 bytes 0 accept
                counter packets 17 bytes 1321 drop
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
        }

        chain output {
                type filter hook output priority filter; policy accept;
                iif "lo" accept
                ct state established,related accept
                tcp dport { 80, 443 } ct state new counter packets 0 bytes 0 accept
                udp dport { 53, 123 } ct state new counter packets 0 bytes 0 accept
                udp dport 33434-33524 ct state new counter packets 0 bytes 0 accept
                ip6 nexthdr ipv6-icmp counter packets 0 bytes 0 accept
                ip protocol icmp counter packets 0 bytes 0 accept
                counter packets 0 bytes 0 drop
        }
}

In some of the lines of the output, you’ll see counter packets 2 bytes 84. This counter tracks how many packets have matched that rule and their total size. If you don’t need to count packets, remove the keyword counter from the rules in /etc/nftables.conf. If you don’t want to open nftables.conf in a text editor and edit it manually, you can do it automatically with the following sed command:

Command

sudo sed -i 's/counter//g' /etc/nftables.conf

If you make changes to the /etc/nftables.conf file, you must reload the firewall rules again with sudo systemctl reload nftables.service for the changes to take effect.

Make temporary changes

Changes you make in /etc/nftables.conf are permanent and are loaded automatically when the server reboots. However, sometimes you might need to create temporary rules—for example, during testing or when experimenting with new services. In those cases, you can use the nft add rule command. These rules are temporary; they disappear after a reboot.

New rules added with nft add rule are placed at the end of the list, i.e., after the rule that blocks all traffic. Therefore, you need to be able to insert rules at specific positions in the list. Start by listing all the rules again, this time adding the -a flag.

Command

sudo nft -a list ruleset

The output now includes numbered handles that you can use:

Output

table inet filter { # handle 13
        chain input { # handle 1
                type filter hook input priority filter; policy accept;
                iif "lo" accept # handle 7
                ct state established,related accept # handle 8
                tcp dport { 22, 80, 443 } ct state new counter packets 0 bytes 0 accept # handle 9
                udp dport 33434-33524 ct state new counter packets 0 bytes 0 accept # handle 10
                ip6 nexthdr ipv6-icmp counter packets 0 bytes 0 accept # handle 11
                ip protocol icmp counter packets 0 bytes 0 accept # handle 12
                counter packets 0 bytes 0 drop # handle 13
        }

        chain forward { # handle 2
                type filter hook forward priority filter; policy accept;
        }

        chain output { # handle 3
                type filter hook output priority filter; policy accept;
                iif "lo" accept # handle 14
                ct state established,related accept # handle 15
                tcp dport { 80, 443 } ct state new counter packets 0 bytes 0 accept # handle 16
                udp dport { 53, 123 } ct state new counter packets 0 bytes 0 accept # handle 17
                udp dport 33434-33524 ct state new counter packets 0 bytes 0 accept # handle 18
                ip6 nexthdr ipv6-icmp counter packets 0 bytes 0 accept # handle 19
                ip protocol icmp counter packets 0 bytes 0 accept # handle 20
                counter packets 0 bytes 0 drop # handle 21
        }
}

In this example, we'll add a new rule to allow incoming traffic on TCP port 8080 (http‑alt), then remove it again. Place the rule after the traceroute rule—that is, after handle 10. Do this with:

Command

sudo nft add rule inet filter input handle 10 tcp dport 8080 accept

Let's list the rules again, but this time limit the list to the input rules. The new rule should be placed after handle 10:

Command

sudo nft -a list chain inet filter input

Output

table inet filter {
        chain input { # handle 1
                type filter hook input priority filter; policy accept;
                iif "lo" accept # handle 7
                ct state established,related accept # handle 8
                tcp dport { 22, 80, 443 } ct state new counter packets 12 bytes 568 accept # handle 9
                udp dport 33434-33524 ct state new counter packets 0 bytes 0 accept # handle 10
                tcp dport 8080 accept # handle 22
                ip6 nexthdr ipv6-icmp counter packets 15 bytes 1080 accept # handle 11
                ip protocol icmp counter packets 0 bytes 0 accept # handle 12
                counter packets 184 bytes 21043 drop # handle 13
        }
}

To delete the rule again, use its handle, 22:

sudo nft delete rule inet filter input handle 22

If you lock yourself out by mistake

Be careful when loading new firewall rules so you don’t lock yourself out of the SSH service (TCP port 22). If you do accidentally lock yourself out, you can log in through the console in Glesys Cloud. You’ll find it under Computer → Virtual machines. Click Actions next to your server’s name and select Console. Once you’re logged in, you can edit the /etc/nftables.conf file and fix the issue.

For more information on logging in to the console and booting the server in single-user mode, see Connect to the VM console.

PreviousSet up a firewall on Debian 9 using iptables NextSet up a firewall on Ubuntu 22.04 or newer using UFW

Last updated 7 months ago

Was this helpful?