@oBuTr471b
Created February 8, 2021 04:17
# In The Name Of Allah .
# -- --- ---- -- ----- -
# Fri Jan 22 05:48:48 2021
# Written By : zer0err0r .
# ======= == = ========= =
# 1, Introducing NFTables On CentOS 8 .
= It's the default Netfilter frontend in CentOS8 .
= I mean, The default firewall on CentOS8 [FirewallD] uses NFTables as a backend .
= In CentOS7 it was [Netfilter <= IPTables <= FirewallD] .
= Now In CentOS8 its [Netfilter <= NFTables <= FirewallD] .
# NFTables vs IPTables :
= NFTables is the new default instead of IPTables, And it has been part of the Linux kernel since 2014 .
= The way that NFTables works is like IPTables, Except for several differences that make NFTables better .
= One of them is that there are no predefined base chains, I mean like [INPUT, OUTPUT, FORWARD, PREROUTING...] .
= Also, NFTables combines [ipv4] and [ipv6] rules into a single address family called [inet] ,
= Which means that you don't have to write a rule for ipv4, And then another rule for ipv6 .
# IPTables is still available :
= IPTables is used by many other distros, Its not dead yet .
= In fact, IPTables is still available on CentOS 8.3 .
= But, FirewallD uses NFTables as a backend instead of IPTables .
= Just execute the following commands to understand what I mean :
$ firewall-cmd --list-services
$ iptables -L
$ nft list ruleset | grep -i 22
# Now, As you see :
= Port [22] of SSH is defined in FirewallD and NFTables .
= Also you will see that NFTables has a tall output [same as IPTables in CentOS7] .
= Also you will see that IPTables is empty and [ACCEPT]s everything .
# Notice :
= If you got a tall output of [IPTables] in your, let's say, CentOS or Fedora ,
= Then try to find the [SSH] rule, You won't find it with IPTables ,
= You will find it only with NFTables and FirewallD rules .
# What we will do ISA :
= We will create a basic stateful packet inspection [SPI] firewall, And enable SSH connections only .
= In order to do that with IPTables, You will execute the following :
$ iptables -P INPUT ACCEPT
$ iptables -F
$ iptables -A INPUT -i lo -j ACCEPT
$ iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
$ iptables -P INPUT DROP
$ iptables -P FORWARD DROP
$ iptables -P OUTPUT ACCEPT
# Before we start :
= We will work with a command called [nft] .
= This command needs a privileged user, So :
$ sudo -i
# Also :
= In order to use IPTables instead of FirewallD, You need to [disable] FirewallD service and [mask] it .
= Now, The same idea is with NFTables, Change into [root] then execute the following ,
$ systemctl disable --now firewalld
$ systemctl mask firewalld
# Then clear the pre-existing FirewallD ruleset :
$ nft list ruleset
$ nft flush ruleset
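# The same SPI firewall as the IPTables commands above, written as an NFTables ruleset file for [nft -f] .
# This is an added example, not part of the original note; the table name [filter] and chain names are my own choice .

```shell
#!/bin/sh
# Added example (not from the original gist): the nftables equivalent of the
# iptables SPI ruleset in the note. The inet table "filter" and the chain
# names are assumptions chosen here; nft does not predefine them.

# Print a ruleset matching the iptables commands line by line:
# loopback accepted, established/related accepted, TCP/22 accepted,
# everything else on input dropped; forward dropped; output accepted.
nft_spi_ruleset() {
    cat <<'EOF'
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # loopback            (iptables: -A INPUT -i lo -j ACCEPT)
        iif "lo" accept

        # replies to our own connections (iptables: --state ESTABLISHED,RELATED)
        ct state established,related accept

        # SSH                 (iptables: -p tcp --dport 22 -j ACCEPT)
        tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Write the ruleset to a file so it can be reviewed before loading it as root
# with `nft -f FILE`. When nft is installed, `nft -c` parses the file without
# applying it, so a typo is caught before the live ruleset is replaced.
write_spi_ruleset() {
    out="${1:-/tmp/spi.nft}"
    nft_spi_ruleset > "$out"
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$out"
    fi
    echo "$out"
}
```

Because the [inet] family covers both ipv4 and ipv6, this one ruleset replaces what would need both [iptables] and [ip6tables] in the CentOS7 way .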
# Useful Links :
= [https://medium.com/@iced_burn/compare-firewalld-iptables-nftables-netfilter-de08a8d21b5b] .
= [https://serverfault.com/questions/996664/firewalld-is-not-working-in-centos-8-no-rule-at-all-is-created-in-iptables] .
= Mustafa hamouda IPTables sessions :
- 1, [https://www.youtube.com/watch?v=sqFP4Lfpv5Y&list=PLCIJjtzQPZJ_10_h-jzD299qkg_IuoT-5&index=20] .
- 2, [https://www.youtube.com/watch?v=1a844gLdZ1k&list=PLCIJjtzQPZJ_10_h-jzD299qkg_IuoT-5&index=21] .
- 3, [https://www.youtube.com/watch?v=3ztI5-7IciY&list=PLCIJjtzQPZJ_10_h-jzD299qkg_IuoT-5&index=22] .
# ===== == ==== ======== =
# Peace Be Up0n Muhammed .