Linux nftables
`nftables` is a modern replacement for `iptables` that manages network packet filtering in Linux. It's part of the Netfilter framework and simplifies firewall management with a more readable syntax, better performance, and a unified framework for handling IPv4, IPv6, and other protocols. Here's a basic guide to using `nftables` with commands and example outputs.
1. Checking if nftables is Installed
On most modern Linux distributions, `nftables` is installed by default. To check if it's installed and running:
Example Output (if `nftables` is active):
If you see an empty output, `nftables` may not have any rules configured yet.
2. Basic Setup: Creating a New Table and Chains
`nftables` organizes rules into tables and chains. To set up a basic firewall, we'll create a new table (`filter`) and add chains (`input`, `output`, `forward`).
Add a Table and Chains
- `inet` supports both IPv4 and IPv6 in one table.
- `hook` defines which part of packet processing the chain applies to (e.g., `input`, `output`).
- `policy` sets the default action (e.g., `drop`, `accept`).
Example Output:
No output is shown, but you can verify the setup with `sudo nft list ruleset`.
3. Allowing Specific Traffic
Allow SSH (Port 22)
To allow SSH traffic, add a rule to the `input` chain:
Example Output:
No output, but viewing the ruleset shows the new rule in the `input` chain.
Allow HTTP (Port 80) and HTTPS (Port 443)
To allow web traffic on ports 80 and 443:
Example Output:
Again, no output in the terminal, but the new rules will be listed when you view the ruleset.
4. Listing Rules
To display the current rules in `nftables`:
Example Output:
5. Blocking a Specific IP Address
To block all traffic from a specific IP (e.g., `192.168.1.100`):
This rule drops all incoming packets from `192.168.1.100`.
6. Allowing a Specific IP Address
To allow only a specific IP address (e.g., `192.168.1.101`) on port 22 for SSH:
This rule allows incoming SSH connections only from `192.168.1.101`.
7. Saving and Loading nftables Rules
`nftables` rules are not persistent across reboots by default. To make them persistent, you need to save the configuration.
Save the Current Ruleset
Load Rules at Boot
Edit the systemd service configuration to load `/etc/nftables.conf` on startup.
Edit the configuration file:
Add the following content:
Enable the service:
8. Deleting Rules
You can delete a specific rule in `nftables` by specifying its exact match. For example, to delete the rule allowing SSH on port 22:
To delete an entire chain or table, use:
9. Flushing All Rules
To clear all rules without deleting chains or tables:
Or, to flush all rules in the `filter` table:
Summary of nftables Commands
- List rules: `sudo nft list ruleset`
- Add a table: `sudo nft add table inet filter`
- Add a chain: `sudo nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }`
- Add a rule to allow SSH: `sudo nft add rule inet filter input tcp dport 22 accept`
- Delete a rule (`nft` deletes rules by handle; show handles with `sudo nft -a list ruleset`, then use the one printed for the rule): `sudo nft delete rule inet filter input handle <HANDLE>`
- Save rules: `sudo nft list ruleset > /etc/nftables.conf`
- Flush all rules: `sudo nft flush table inet filter`
`nftables` provides a cleaner syntax and more efficient packet filtering than `iptables`, making it an excellent choice for firewall management on modern Linux systems.