Linux nftables


nftables is a modern replacement for iptables that manages network packet filtering in Linux. It’s part of the Netfilter framework and simplifies firewall management with a more readable syntax, better performance, and a unified framework for handling IPv4, IPv6, and other protocols. Here’s a basic guide to using nftables with commands and example outputs.


1. Checking if nftables is Installed

On most modern Linux distributions, nftables is installed by default. To check if it’s installed and running:

sudo nft list ruleset

Example Output (if nftables is active):

table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

If you see an empty output, nftables may not have any rules configured yet.


2. Basic Setup: Creating a New Table and Chains

nftables organizes rules into tables and chains. To set up a basic firewall, we’ll create a new table (filter) and add chains (input, output, forward).

Add a Table and Chains

sudo nft add table inet filter
sudo nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
sudo nft add chain inet filter output { type filter hook output priority 0 \; policy accept \; }
sudo nft add chain inet filter forward { type filter hook forward priority 0 \; policy drop \; }
  • inet supports both IPv4 and IPv6 in one table.
  • hook defines which part of packet processing the chain applies to (e.g., input, output).
  • policy sets the default action (e.g., drop, accept).

Example Output:

No output is shown, but you can verify the setup with sudo nft list ruleset.


3. Allowing Specific Traffic

Allow SSH (Port 22)

To allow SSH traffic, add a rule to the input chain:

sudo nft add rule inet filter input tcp dport 22 accept

Example Output:

No output, but viewing the ruleset shows the new rule in the input chain.

Allow HTTP (Port 80) and HTTPS (Port 443)

To allow web traffic on ports 80 and 443:

sudo nft add rule inet filter input tcp dport 80 accept
sudo nft add rule inet filter input tcp dport 443 accept

Example Output:

Again, no output in the terminal, but the new rules will be listed when you view the ruleset.

4. Listing Rules

To display the current rules in nftables:

sudo nft list ruleset

Example Output:

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        tcp dport ssh accept
        tcp dport http accept
        tcp dport https accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}

5. Blocking a Specific IP Address

To block all traffic from a specific IP (e.g., 192.168.1.100):

sudo nft add rule inet filter input ip saddr 192.168.1.100 drop

This rule drops all incoming packets from 192.168.1.100.


6. Allowing a Specific IP Address

To allow only a specific IP address (e.g., 192.168.1.101) on port 22 for SSH:

sudo nft add rule inet filter input ip saddr 192.168.1.101 tcp dport 22 accept

This rule allows incoming SSH connections only from 192.168.1.101.


7. Saving and Loading nftables Rules

nftables rules are not persistent after a reboot by default. To make them persistent, you need to save the configuration.

Save the Current Ruleset

sudo nft list ruleset > /etc/nftables.conf

Load Rules at Boot

Edit the systemd service configuration to load /etc/nftables.conf on startup.

  1. Edit the configuration file:

    sudo nano /etc/systemd/system/nftables.service
  2. Add the following content:

    [Unit]
    Description=nftables

    [Service]
    Type=oneshot
    ExecStart=/sbin/nft -f /etc/nftables.conf
    RemainAfterExit=yes

    [Install]
    WantedBy=multi-user.target
  3. Enable the service:

    sudo systemctl enable nftables
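As an added example that is not part of the original guide, here is a complete /etc/nftables.conf in nft's file syntax that combines the table, chains and rules from sections 2 to 6. It assumes the host serves SSH, HTTP and HTTPS, that 192.168.1.100 is the host to block and 192.168.1.101 the only host allowed to reach SSH; it also adds the allowances an input chain with policy drop needs in practice (loopback, return traffic for connections the host started) and places the drop rule before the accepts, because nft evaluates rules top to bottom and the first terminal verdict wins.

```nft
#!/usr/sbin/nft -f
# Added example: complete ruleset file built from the commands in this guide.
# Assumptions: SSH/HTTP/HTTPS are the only services exposed; 192.168.1.100 is
# the blocked host and 192.168.1.101 the only host allowed to SSH in.

# Start from a clean slate so loading this file again (e.g. at boot or after
# an edit) does not duplicate every rule.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Local traffic and replies to connections this host initiated.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # IPv6 neighbour discovery runs over ICMPv6; dropping it breaks IPv6.
        meta l4proto ipv6-icmp accept

        # Block before allow: a drop rule placed after the accept rules for
        # port 22/80/443 would never be reached for those ports.
        ip saddr 192.168.1.100 drop

        # Services this host exposes (SSH only from the management host).
        ip saddr 192.168.1.101 tcp dport 22 accept
        tcp dport { 80, 443 } accept

        # Rate-limited log of everything the default policy is about to drop,
        # so unexpected connection attempts show up in the system log.
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Validate the file without applying it using sudo nft -c -f /etc/nftables.conf, then load it with sudo nft -f /etc/nftables.conf; the same file is what the service above loads at boot.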

8. Deleting Rules

nft does not delete a rule by repeating its match; every rule has a numeric handle, and that handle is what you pass to delete. List the chain with -a to show the handles, then delete by handle. For example, to delete the rule allowing SSH on port 22:

sudo nft -a list chain inet filter input
sudo nft delete rule inet filter input handle 4

Replace 4 with the handle printed next to the tcp dport 22 accept rule in the listing.

To delete an entire chain or table, use:

sudo nft delete chain inet filter input
sudo nft delete table inet filter

9. Flushing All Rules

To clear all rules in a chain without deleting the chain or its table:

sudo nft flush chain inet filter input

Or, to flush all rules in the filter table:

sudo nft flush table inet filter

Summary of nftables Commands

  • List rules: sudo nft list ruleset
  • Add a table: sudo nft add table inet filter
  • Add a chain: sudo nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
  • Add a rule to allow SSH: sudo nft add rule inet filter input tcp dport 22 accept
  • Delete a rule: sudo nft delete rule inet filter input handle <N> (find N with sudo nft -a list ruleset)
  • Save rules: sudo nft list ruleset > /etc/nftables.conf
  • Flush all rules: sudo nft flush table inet filter

nftables provides a cleaner syntax and more efficient packet filtering than iptables, making it an excellent choice for firewall management on modern Linux systems.