nftables is a powerful packet filtering framework that replaces iptables in modern Linux systems. It offers improved performance, flexibility, and ease of configuration, making it ideal for managing network traffic. nftables operates on the netfilter framework, allowing you to define rules for packet filtering, network address translation (NAT), and more.
In this article, we’ll dive deep into how to use nftables to restrict VPN traffic to specific ports. This will allow for better control over your network, enhancing security by limiting the ports through which VPN traffic is allowed.
Prerequisites
Before we proceed with the implementation, ensure that:
- You have a Linux system with nftables installed.
- You have root or sudo privileges to modify firewall rules.
- Your VPN server is set up and operational.
Understanding the Problem
Restricting VPN traffic to specific ports is a common requirement to ensure that only authorized traffic is allowed through your VPN server. For instance, if your VPN operates on a custom port or a commonly used port like UDP 1194 (OpenVPN default), you can use nftables to enforce this restriction.
The key steps include:
- Setting up a basic nftables configuration.
- Adding rules to allow traffic only on specific ports for VPN connections.
- Logging or blocking unauthorized traffic.
Setting Up nftables
First, make sure that nftables is installed and its service is present on your system. Most current Linux distributions ship nftables, but verify it by checking the service:
sudo systemctl status nftables
If it is not installed, you can install it using your distribution’s package manager. For example, on Debian-based systems, use:
sudo apt install nftables
Once nftables is installed, you can enable and start the service:
sudo systemctl enable nftables
sudo systemctl start nftables
To confirm that nftables is working, list the ruleset:
sudo nft list ruleset
This prints the current rules. On a fresh install the output is empty, which is normal; on a system that still runs iptables through the iptables-nft compatibility layer you will see tables such as ip filter that it created.
Creating a Basic nftables Configuration
The first step in restricting VPN traffic is to define a basic nftables configuration. Below is a minimal configuration that creates a table for filtering and two chains whose default policy drops all incoming and outgoing traffic; the allow rules follow in the next section. Be aware that the policy takes effect the moment the chain is created: with nothing accepted yet, the host stops answering everything, including the SSH session you may be working from, loopback traffic and DNS replies. Run these commands from a console (or a session you can afford to lose), or at least add accept rules for loopback, for established connections and for your management port before switching a chain to policy drop.
sudo nft add table inet filter
sudo nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
sudo nft add chain inet filter output { type filter hook output priority 0 \; policy drop \; }
This creates a table named filter in the inet family (so the same rules apply to IPv4 and IPv6) and two base chains, input and output, attached to the input and output hooks. The backslash before each semicolon keeps the shell from treating it as a command separator; in an nft script file a plain semicolon is used. Note that these two chains only see traffic addressed to or sent by the host itself; traffic that the VPN server routes between clients and other networks passes through the forward hook instead.
Allowing VPN Traffic on Specific Ports
Now, we will define rules that permit VPN traffic only on specific ports. Assume the VPN service operates on UDP port 1194 (the default for OpenVPN), and we want to allow this port while restricting all others.
First, allow VPN traffic on UDP port 1194:
sudo nft add rule inet filter input udp dport 1194 accept
Because the output chain also has a drop policy, the server's replies have to be allowed explicitly too; they leave with source port 1194:
sudo nft add rule inet filter output udp sport 1194 accept
Together with the drop policy, these rules mean that the only unsolicited traffic the host accepts is UDP to port 1194 and the only traffic it sends is UDP from port 1194. That is exactly the restriction this article is after, but on a real server it is too strict to live with: add accept rules for loopback traffic, for packets belonging to connections the host already has (connection-tracking state established or related) and for your management port, so that SSH, DNS replies and package updates keep working.
Blocking Unauthorized VPN Traffic
Because both chains already have a drop policy, packets that no rule accepts are dropped anyway. An explicit drop rule is still useful as the place to attach logging, and as a safeguard if the policy is later changed to accept. Note that the rules below match only UDP; TCP and ICMP packets fall through to the chain policy. To drop incoming UDP on every port other than 1194:
sudo nft add rule inet filter input udp dport != 1194 drop
Similarly, you can block outgoing traffic on ports other than 1194:
sudo nft add rule inet filter output udp sport != 1194 drop
Logging Unauthorized Access Attempts
It is often helpful to log attempts to reach the restricted ports. The log statement in nftables is non-terminal, so it can be combined with drop in a single rule: the packet is written to the kernel log (read it with dmesg or journalctl -k) and then dropped. Rule order matters here: nft add rule appends to the end of the chain, so if the plain drop rule from the previous section is already in place, a logging rule added afterwards would never be reached. Add the logging rule in its place (or before it). In production, rate-limit the log statement with limit rate so that a flood of probes cannot fill the journal.
sudo nft add rule inet filter input udp dport != 1194 log prefix "Blocked VPN Traffic: " drop
This rule logs every incoming UDP packet to a port other than 1194 under the given prefix and then drops it, making unauthorized access attempts easy to spot.
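Once the logging rule is in place, the next question is what the log actually says. The following script is an added example, not part of the original article: it summarizes kernel log lines produced by an nft log statement with the prefix used above, counting hits per source address and destination port. The sample lines embedded in it are constructed for the demonstration (documentation addresses, not captured traffic); on a live host you would pipe journalctl -k into summarize_blocked instead. The PREFIX variable is an assumption matching the prefix chosen above; override it if you used another.

```shell
#!/bin/sh
# Added example, not from the original article: count what the
# "Blocked VPN Traffic: " rule has logged, per source and destination port.
# Live use: journalctl -k | ./blocked-summary.sh  (after sourcing or
# calling summarize_blocked directly).
PREFIX="${PREFIX:-Blocked VPN Traffic: }"

# summarize_blocked: stdin -> "<count> <src> <proto>/<dport>", busiest first.
# Only lines carrying the prefix are counted; other kernel messages are ignored.
summarize_blocked() {
    grep -F -- "$PREFIX" | awk '
    {
        src = ""; dpt = ""; proto = ""
        # nft log lines are KEY=VALUE tokens; pick the three we need.
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "SRC") src = v
            else if (k == "DPT") dpt = v
            else if (k == "PROTO") proto = v
        }
        if (src != "" && dpt != "") count[src " " proto "/" dpt]++
    }
    END { for (key in count) print count[key], key }' | sort -rn
}

# Constructed sample input (documentation addresses, not captured traffic):
# three IKE probes from one host, a DNS probe, a WireGuard-port probe, and
# an unrelated kernel message that must be ignored.
SAMPLE_LOG='Mar  3 10:01:02 vpn1 kernel: Blocked VPN Traffic: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=51000 DPT=500 LEN=40
Mar  3 10:01:03 vpn1 kernel: Blocked VPN Traffic: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=51000 DPT=500 LEN=40
Mar  3 10:01:05 vpn1 kernel: eth0: link becomes ready
Mar  3 10:01:09 vpn1 kernel: Blocked VPN Traffic: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=72 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=40011 DPT=53 LEN=52
Mar  3 10:01:12 vpn1 kernel: Blocked VPN Traffic: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=51001 DPT=500 LEN=40
Mar  3 10:01:20 vpn1 kernel: Blocked VPN Traffic: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.77 DST=198.51.100.2 LEN=176 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP SPT=33333 DPT=51820 LEN=156'

# demo: run the summary over the constructed sample.
demo() { printf '%s\n' "$SAMPLE_LOG" | summarize_blocked; }

demo
```

The busiest source comes out on top (here three probes from 203.0.113.7 to UDP/500), which is usually what you want to feed into a block list or an alert; the unrelated link-state line is dropped by the prefix filter.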
Verifying the nftables Configuration
Once you have added the rules, you can verify that your configuration is correct by listing the ruleset:
sudo nft list ruleset
This will display all active nftables rules. Ensure that your allow and drop rules for the VPN ports are present.
Persisting nftables Rules
Rules added with nft on the command line live only in the running kernel and are gone after a reboot. To make them persistent, save the running ruleset to the file that the nftables service loads at boot (/etc/nftables.conf on Debian and its derivatives; Red Hat-based systems use /etc/sysconfig/nftables.conf). The redirection has to run as root as well: a sudo in front of nft only elevates the nft command, and the unprivileged shell would be refused when it opens the file, so wrap the whole command:
sudo sh -c 'nft list ruleset > /etc/nftables.conf'
nft list ruleset prints the rules but no flush ruleset statement. Add one at the top of the file (the file Debian ships begins with #!/usr/sbin/nft -f followed by flush ruleset), so that loading the file again replaces the ruleset instead of appending a second copy of every rule. Then make sure the service is enabled so the file is loaded at startup:
sudo systemctl enable nftables
Now your rules will persist across reboots. Loading the file by hand with nft -f, exactly as the service does, is the quickest way to confirm that it parses and produces the ruleset you expect.
Advanced Configuration: Using Multiple VPN Ports
If your VPN listens on more than one port, do not simply append a second accept rule: nft evaluates the rules of a chain in order, and the drop rule for ports other than 1194 added earlier would discard traffic to the new port before a later accept rule is ever reached. Instead, replace the single-port accept rules with versions that match a set of ports. For example, to allow UDP 1194 and 443:
sudo nft add rule inet filter input udp dport { 1194, 443 } accept
sudo nft add rule inet filter output udp sport { 1194, 443 } accept
The drop and log rules need the same change (udp dport != { 1194, 443 }) so that the allowed set and the dropped set stay in step. If the port list changes over time, a named set lets you add or remove ports without rewriting the rules that reference it.
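Here is the procedure from the preceding sections (base table and chains, VPN allow rules, logged drop, persistence and the multi-port set) as one complete ruleset file, generated by a POSIX shell script. This is an added example, not code from the original article: the port numbers, the SSH port 22 and the tun0 tunnel interface are assumptions for the demonstration, and it adds the loopback, connection-tracking, ICMP and forward-chain rules that a reachable VPN host needs but the step-by-step commands above leave out. Writing the rules to a file that starts with flush ruleset and loading it with nft -f replaces the whole ruleset in one transaction, which is how the nftables service applies /etc/nftables.conf at boot.

```shell
#!/bin/sh
# Added example, not code from the original article. Builds one complete
# nftables ruleset file doing what the step-by-step commands above do, plus
# the rules that keep the host reachable, and offers to validate it.
# Assumed (hypothetical) values: VPN on UDP 1194 and 443, SSH on TCP 22,
# tunnel interface tun0; override them through the environment.
set -eu

VPN_PORTS="${VPN_PORTS:-1194, 443}"
SSH_PORT="${SSH_PORT:-22}"
TUN_IF="${TUN_IF:-tun0}"

# write_ruleset FILE: write the ruleset to FILE (touches nothing in the kernel).
write_ruleset() {
    cat > "$1" <<EOF
#!/usr/sbin/nft -f
# Clear the old ruleset first so reloading this file never duplicates rules.
flush ruleset

table inet filter {
    # Named set: change the listener ports here, not in the rules.
    set vpn_ports {
        type inet_service
        elements = { $VPN_PORTS }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        # Replies to flows this host started (DNS answers, SSH sessions).
        ct state established,related accept
        ct state invalid drop
        # Path MTU discovery and IPv6 neighbour discovery need ICMP.
        meta l4proto { icmp, icmpv6 } accept
        # Management access: without this the drop policy locks you out.
        tcp dport $SSH_PORT accept
        # The VPN listener is the only unsolicited UDP this host accepts.
        udp dport @vpn_ports accept
        # Packets from VPN clients arriving through the tunnel.
        iifname "$TUN_IF" accept
        # Everything else: rate-limited log, then the chain policy drops it.
        limit rate 5/minute burst 10 packets log prefix "Blocked VPN Traffic: " level info
    }

    chain forward {
        # Client traffic routed through this host (assumes routed VPN clients).
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$TUN_IF" accept
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # Flows the host itself starts (DNS, NTP); extend for package updates.
        udp dport { 53, 123 } accept
        tcp dport 53 accept
        # VPN replies leave from the listener ports; tunnel traffic to clients.
        udp sport @vpn_ports accept
        oifname "$TUN_IF" accept
    }
}
EOF
}

# check_ruleset FILE: parse and validate with nft -c without loading it.
# Needs the nft binary and root; elsewhere it reports and skips.
check_ruleset() {
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        nft -c -f "$1"
    else
        echo "skipping nft -c check of $1 (needs nft and root)" >&2
    fi
}

# install_ruleset FILE: validate, load the whole file in one transaction,
# then persist it for the nftables service.
install_ruleset() {
    check_ruleset "$1"
    nft -f "$1"
    cp "$1" /etc/nftables.conf
    systemctl enable nftables
}

main() {
    out="${1:-$(mktemp)}"
    write_ruleset "$out"
    echo "ruleset written to $out; review it, then apply with: install_ruleset $out"
}

main "$@"
```

Run it on the VPN host, review the file it writes, then call install_ruleset on it as root (or copy it to /etc/nftables.conf and run nft -f). Because the drop policies are loaded in the same transaction as the accept rules, there is no moment at which SSH is cut off, unlike creating a chain with policy drop first and adding the accept rules afterwards.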
Conclusion
Using nftables to restrict VPN traffic to specific ports provides better control over network access, enhancing security. By following these steps, you can configure nftables to allow VPN traffic only on designated ports, ensuring that unauthorized traffic is blocked and logged for further analysis.