The nftables firewall is a good alternative to iptables. It has better performance than the old iptables system. To install it on Ubuntu 18.04, run this command.
4.4 Thu Sep 12 jason@Yog-Sothoth 0: $ sudo apt install nftables
Edit the /etc/nftables.conf file to remove the existing rules from the ruleset.
The file should look like this.
#!/usr/sbin/nft -f
flush ruleset
There are comprehensive examples on this page: https://wiki.gentoo.org/wiki/Nftables/Examples
Once a nice ruleset has been put in place, start the firewall.
4.4 Thu Sep 12 jason@Yog-Sothoth 0: $ sudo systemctl start nftables
Run this command if you do not want the firewall to start on boot.
4.4 Thu Sep 12 jason@Yog-Sothoth 0: $ sudo systemctl disable nftables
Removed /etc/systemd/system/sysinit.target.wants/nftables.service.
And this command to enable it again.
4.4 Thu Sep 12 jason@Yog-Sothoth 0: $ sudo systemctl enable nftables
Created symlink /etc/systemd/system/sysinit.target.wants/nftables.service → /lib/systemd/system/nftables.service.
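A minimal stateful ruleset to put in /etc/nftables.conf after the flush ruleset line, as an added example that is not from the original post. It assumes the host only needs SSH on TCP port 22 reachable from outside and that all other inbound traffic should be dropped and logged; the log prefix is a made-up label.

```nft
#!/usr/sbin/nft -f
# Added example: a basic stateful host firewall.
# Assumption: SSH on port 22 is the only service this host offers.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback traffic and packets belonging to an existing connection
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 keep path MTU discovery and IPv6 neighbour discovery working
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # New connections to the services this host offers (assumed: SSH only)
        tcp dport 22 ct state new accept

        # Count and log whatever falls through to the drop policy
        counter log prefix "nft-input-drop: " drop
    }

    chain forward {
        # This host does not route; drop everything passing through
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the file with sudo nft -c -f /etc/nftables.conf before restarting the service, and inspect the loaded rules with sudo nft list ruleset.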
The filter rules are different from iptables, but easy to make sense of. This is easier than iptables, and it is simple to have it run on boot, but I am not sure whether the service can be started before networking comes up.
Compare the nftables filter rules with the ones from iptables and the difference is apparent, but this is a very good firewall application. It is included with Debian 10, so learning it is worthwhile, as other Linux distributions will surely follow suit.
If you want to use iptables instead, this is how to have iptables entries applied on boot: https://securitronlinux.com/bejiitaswrath/how-to-have-iptables-entries-applied-on-boot/