nftables Command Cheatsheet

Understanding the Linux nftables Command #

nftables is the Linux packet-filtering framework that replaces iptables, ip6tables, arptables, and ebtables. With a single, unified syntax it covers packet filtering, NAT, and other advanced network configuration. Rules are managed with the nft command-line utility, which talks to the kernel’s netfilter subsystem.

Basic Syntax and Structure of the nft Command #

The nft command generally follows this structure:

nft [OPTIONS] COMMAND

  • OPTIONS: Flags like -a (show rule handles) or -j (output in JSON format).
  • COMMAND: The specific action, such as add, delete, list, or flush, used to manage tables, chains, or rules.

nft Command Cheatsheet Table #

| Command | Description |
|---|---|
| nft list tables | List all tables |
| nft add table inet filter | Create a new table named filter in the inet family |
| nft delete table inet filter | Delete the filter table in the inet family |
| nft list ruleset | List all tables, chains, and rules in a human-readable format |
| nft flush ruleset | Delete all tables, chains, and rules (flush the entire ruleset) |
| nft add chain inet filter input { type filter hook input priority 0\; } | Add a chain named input to the filter table, attached to the input hook (the `;` must be escaped when typed in a shell) |
| nft add rule inet filter input tcp dport 22 accept | Accept incoming TCP traffic to port 22 (SSH) |
| nft delete rule inet filter input handle <handle_number> | Delete a rule in the input chain by specifying the rule’s handle |
| nft add rule inet filter forward counter | Add a counter rule to the forward chain to count the traffic passing through it |

Adding and Managing Tables #

In nftables, tables are containers for chains and rules. Here’s how to create and manage them:

Create a Table #

nft add table inet my_table

This command creates a new table named my_table within the inet family, which supports both IPv4 and IPv6.

Delete a Table #

nft delete table inet my_table

Deletes my_table from the inet family.

Chains in nftables #

Chains are sequences of rules that define how packets are handled. Each chain has a specific hook, which determines the packet filtering stage (e.g., input, output, or forward).

Create a Chain #

nft add chain inet my_table my_chain { type filter hook input priority 0\; }

This creates a chain named my_chain in my_table, attached to the input hook with a priority of 0. When typed in a shell, the `;` inside the braces must be escaped (or the whole `{ ... }` part quoted), otherwise the shell treats it as a command separator.

Delete a Chain #

nft delete chain inet my_table my_chain

Removes my_chain from my_table.

Rules in nftables #

Rules specify actions for packets that match certain conditions. Below are examples of adding, listing, and deleting rules.

Adding Rules #

nft add rule inet my_table my_chain tcp dport 80 accept

This rule accepts incoming TCP traffic to destination port 80 (HTTP).

Listing Rules #

nft list chain inet my_table my_chain

Displays all rules in my_chain.

Deleting Rules #

nft delete rule inet my_table my_chain handle <handle_number>

Removes a rule by specifying its handle number. Handles are shown with the -a option, which goes before the command: nft -a list chain inet my_table my_chain.

Example nftables Configuration: Basic Firewall Setup #

Here’s a basic firewall configuration that allows incoming SSH and HTTP/HTTPS, while blocking all other traffic:

nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0\; policy drop\; }
nft add rule inet filter input tcp dport 22 accept  # Allow SSH
nft add rule inet filter input tcp dport 80 accept  # Allow HTTP
nft add rule inet filter input tcp dport 443 accept  # Allow HTTPS
nft add rule inet filter input ct state established,related accept  # Allow established connections

Advanced: Stateful Rules with Connection Tracking #

nftables has built-in support for connection tracking, allowing you to manage stateful rules.

Example: Allow Related and Established Connections #

nft add rule inet filter input ct state established,related accept

This accepts packets belonging to connections that are already established, or related to existing ones (e.g. reply traffic), so they are not re-evaluated against the port rules on every packet.
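The basic firewall from the section above, combined with the connection-tracking rule, written as a single nft script and loaded with `nft -f`. This is an added example, not code from the cheatsheet: loading the whole ruleset in one transaction means the policy-drop chain and its accept rules appear together, rather than one command at a time. The loopback rule, the `ct state invalid drop` rule and the script path are additions/assumptions.

```shell
#!/bin/sh
# Added example (not from the cheatsheet): the page's basic firewall as one
# nft script loaded with `nft -f`, so the table, the policy-drop chain and
# its accept rules are created in a single transaction instead of rule by
# rule. Loopback acceptance and `ct state invalid drop` are additions; the
# script path is an assumed location.

RULESET_FILE="${RULESET_FILE:-/tmp/basic-firewall.nft}"

# Print the ruleset. The ct state rule comes first so return traffic for
# connections already accepted is not re-checked against the port rules.
gen_ruleset() {
    cat <<'EOF'
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        tcp dport { 22, 80, 443 } accept
    }
}
EOF
}

# Number of match rules in the generated chain (the policy line excluded).
rule_count() {
    gen_ruleset | grep -cE '^[[:space:]]+(ct|iif|tcp) .*(accept|drop)$'
}

# Write the script, dry-run it with `nft -c` (validity check, nothing is
# applied), then load it. Needs the nft binary and root; returns nft's status.
apply_ruleset() {
    gen_ruleset > "$RULESET_FILE" || return 1
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 2; }
    nft -c -f "$RULESET_FILE" && nft -f "$RULESET_FILE"
}

# Only apply when explicitly asked, so sourcing or testing this file is safe.
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
fi
```

Run it as `sh basic-firewall.sh apply` on the host being configured; `nft list ruleset` afterwards shows the loaded table.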

Summary #

The nftables command is a modern and versatile tool for network packet filtering, providing a unified syntax and flexible options for managing firewall rules. With nftables, you can create efficient and maintainable firewall configurations suitable for both simple setups and complex enterprise environments.
