Welcome back, aspiring cyberwarriors! As you know, traditional hardware routers can be expensive, inflexible, and often come with proprietary firmware that limits your control. By leveraging the power of Linux and nftables, you can create a customized routing solution that gives you complete control over your network traffic, security policies, and performance optimizations. Nftables represents […]
The post Linux Basics for Hackers: Building a Router with nftables first appeared on Hackers Arise.
Welcome back, aspiring cyberwarriors!
As you know, traditional hardware routers can be expensive, inflexible, and often come with proprietary firmware that limits your control. By leveraging the power of Linux and nftables, you can create a customized routing solution that gives you complete control over your network traffic, security policies, and performance optimizations.
Nftables represents the evolution of Linux’s packet filtering framework, designed to replace the aging iptables system with a more efficient, flexible architecture. It provides a cleaner syntax, better performance, and more powerful features that make it ideal for building sophisticated routing solutions.
Let’s dive in and transform a standard Linux machine into a router using nftables!
Step #1 Understanding Nftables Architecture
Before we start configuring our router, it’s important to understand how nftables differs from its predecessor. Unlike iptables with its predefined chains and tables, nftables uses a more flexible approach where you define your own tables and chains.
The key components of nftables include:
Tables: Namespaces that contain chains. They are specific to an address family (IPv4, IPv6, etc.).
Chains: Containers for rules with defined hooks and priorities.
Rules: The actual filtering or modification instructions applied to packets.
Expressions: Building blocks that make up rules, allowing for complex matching conditions.
Sets: Collections of elements for efficient lookups.
This architecture gives us flexibility when designing our router’s traffic handling logic. To learn more about nftables check out our article.
Step #2 Setting Up Your Linux Machine
For this tutorial, I’ll be using Kali 2025, but the instructions should work with minimal modifications on most modern Linux distributions. You’ll need a machine with at least two network interfaces – one for your WAN (internet) connection and one for your LAN.
If you’re using VirtualBox, follow these steps to configure your network interfaces:
Select your virtual machine and go to Settings > Network.
Adapter 1 (eth0) – Internet Connection (WAN)
Check “Enable Network Adapter”
Set “Attached to” to NAT (or Bridged Adapter if you need direct access to your physical network)
This adapter will serve as your eth0 interface inside the VM, providing internet access.
Adapter 2 (eth1) – Internal Network (LAN)
Check “Enable Network Adapter”
Set “Attached to” to Internal Network
Give the internal network a name (e.g., intnet) — make sure to use the same name across all VMs that should be on the same LAN
This adapter will act as eth1, connected to your private internal network.
When you run ifconfig, you should see these interfaces listed.
Next, let’s make sure nftables is installed:
kali> sudo apt install nftables
Now, enable the nftables service to start at boot:
kali> sudo systemctl enable nftables
kali> sudo systemctl start nftables
Step #3 Enabling IP Forwarding
For our Linux machine to function as a router, we need to enable IP forwarding. This allows the kernel to forward packets between interfaces.
Edit the sysctl configuration file:
kali> sudo mousepad /etc/sysctl.confFind or add the following line and make sure it’s uncommented:
net.ipv4.ip_forward=1Apply the changes:
sudo sysctl -pYou can verify that forwarding is enabled by checking:
cat /proc/sys/net/ipv4/ip_forwardThis should return “1” if forwarding is enabled.
Step #4 Configuring Network Interfaces
Now, let’s configure our network interfaces. We’ll set up eth0 as our WAN interface (typically using DHCP to get an IP from your ISP) and eth1 as our LAN interface with a static IP.
Edit the network configuration file:
kali> sudo mousepad /etc/network/interfacesConfigure it like this:
# WAN interface
auto eth0
iface eth0 inet dhcp
# LAN interface
auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
Restart networking to apply these changes:
kali> sudo systemctl restart networkingStep #5 Creating Our Nftables Configuration
Now for the heart of our router – the nftables configuration. We’ll create a comprehensive ruleset that:
Allows established and related connections
Performs Network Address Translation (NAT) for our LAN
Implements basic security filtering
Enables forwarding between interfaces
Create a new nftables configuration file:
kali> sudo mousepad /etc/nftables.confHere’s a complete configuration for our router:
#!/usr/sbin/nft -f
flush ruleset
# Define variables for interfaces
define WAN_IF = eth0
define LAN_IF = eth1
define LAN_NET = 192.168.1.0/24
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
# Allow established/related connections
ct state established,related accept
# Allow loopback
iifname "lo" accept
# Allow LAN to access router
iifname $LAN_IF accept
# Allow ICMP from WAN (for ping)
iifname $WAN_IF icmp type echo-request accept
# Drop invalid connections
ct state invalid drop
}
chain forward {
type filter hook forward priority 0; policy drop;
# Allow established/related connections
ct state established,related accept
# Allow LAN to WAN
iifname $LAN_IF oifname $WAN_IF accept
# Drop invalid connections
ct state invalid drop
}
chain output {
type filter hook output priority 0; policy accept;
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority -100; policy accept;
# Port forwarding examples (uncomment and adjust as needed)
# iifname $WAN_IF tcp dport 80 dnat to 192.168.1.100:80
}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
# Masquerade LAN to WAN
oifname $WAN_IF ip saddr $LAN_NET masquerade
}
}Save the file and apply the configuration:
kali> sudo nft -f /etc/nftables.confTo make sure these rules persist across reboots, enable the nftables service:
kali> sudo systemctl enable nftablesStep #6 Setting Up DHCP Server for LAN Clients
Now that our router is configured, we need to set up a DHCP server so that devices on our LAN can automatically get IP addresses. We’ll use dnsmasq for this as it’s lightweight and includes both DHCP and DNS caching.
Install dnsmasq:
kali> sudo apt install dnsmasq
Configure dnsmasq by editing its configuration file:
kali> sudo mousepad /etc/dnsmasq.confModify these lines:
# Listen only on LAN interface:
interface=eth1
# Don't listen on WAN:
no-dhcp-interface=eth0
# DHCP range and lease time
dhcp-range=192.168.1.100,192.168.1.200,255.255.255.0,24h
# Domain name
domain=home.lan
# Enable DNS caching
cache-size=1000
# Default gateway
dhcp-option=option:router,192.168.1.1
# DNS servers (using Google's public DNS here)
dhcp-option=6,8.8.8.8,8.8.4.4
Start and enable dnsmasq:
kali> sudo systemctl enable dnsmasq
kali> sudo systemctl restart dnsmasq
Step #8 Monitoring and Troubleshooting
To effectively manage your router, you need to be able to monitor and troubleshoot it. Here are some useful commands:
View current nftables ruleset:
kali> sudo nft list ruleset
Check for traffic on the interface:
kali> sudo tcpdump -i eth1
View routing table:
Summary
Linux with nftables is a powerful tool! We can a firewall, router, and dhcp server with just a little knowledge and a linux machine. This setup puts you in control of a powerful and flexible router for a fraction of the cost. In addition, it gives you the ability to customize your router in ways that commercial systems simply can not.
The post Linux Basics for Hackers: Building a Router with nftables first appeared on Hackers Arise.
Source: HackersArise
Source Link: https://hackers-arise.com/linux-basics-for-hackers-building-a-router-with-nftables/