
nft: modern firewall (nftables)

`nft` is the single CLI for modern netfilter. It replaces iptables, ip6tables, arptables and ebtables. Structure: tables, chains, rules.

Also known as: nftables, iptables-replacement

Hierarchy

Nftables is organized as:

table (name + family: ip, ip6, inet, arp, bridge, netdev)
  └── chain (type + hook + priority)
      └── rule (matches + verdict)
  • table: namespace for rules. The inet family covers both IPv4 and IPv6.
  • chain: a hook point in netfilter:
    • prerouting (before routing)
    • input (to us, after routing)
    • forward (through us, not to us)
    • output (we are the sender)
    • postrouting (after routing, before sending)
  • rule: conditions plus a verdict (accept, drop, reject, jump, log, masquerade, dnat, ...)

Minimal firewall

Build an input filter that drops everything except SSH:

```bash
sudo nft add table inet filter
sudo nft 'add chain inet filter input { type filter hook input priority 0; policy drop; }'
sudo nft add rule inet filter input ct state established,related accept
sudo nft add rule inet filter input iif lo accept
sudo nft add rule inet filter input tcp dport 22 accept
sudo nft add rule inet filter input ip protocol icmp icmp type echo-request accept
```

What this does:

  1. Creates the inet filter table (for v4+v6) and an input chain with policy drop.
  2. Allows established connections (without this, replies to your outgoing traffic are dropped).
  3. Loopback is always allowed.
  4. Opens SSH (port 22).
  5. Allows ping (echo-request).

Everything else is dropped by the default policy.
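The same firewall expressed as one ruleset file, loaded atomically with `nft -f`, is usually preferable to issuing `add rule` commands one at a time: a file that starts with `flush ruleset` replaces the whole ruleset in a single transaction, so there is never a half-applied state. The script below is an added example, not code from the page or from LinuxLab; the port list, the output path and the `APPLY=1` switch are this example's own choices. It goes slightly beyond the commands above by also dropping `ct state invalid` packets and admitting ICMPv6 echo-request and neighbor discovery, which the IPv4-only `icmp` rule above does not cover and without which IPv6 stops working under `policy drop`.

```shell
#!/bin/sh
# Added example (not from the page): build the "drop everything except SSH"
# input filter as a single nftables file and load it atomically.
#
# Assumptions: `nft` is on PATH and the script runs as root when APPLY=1;
# the output path /tmp/filter.nft is this example's own choice.
set -eu

# Print a complete inet filter ruleset that accepts the given TCP ports.
# `flush ruleset` on the first line turns `nft -f` into one replace transaction.
build_ruleset() {
    [ $# -gt 0 ] || { echo "build_ruleset: at least one port required" >&2; return 1; }
    ports=$(printf '%s, ' "$@")          # "22, 443, "
    ports=${ports%, }                    # strip the trailing ", " -> "22, 443"
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        tcp dport { $ports } accept
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept
    }
}
EOF
}

# Write the ruleset to OUT, syntax-check it (-c never touches the kernel),
# and load it only when APPLY=1 is set in the environment.
install_ruleset() {
    out=$1; shift
    build_ruleset "$@" > "$out"
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$out"
        [ "${APPLY:-0}" = 1 ] && nft -f "$out"
    fi
    echo "$out"
}

# Usage: sh thisfile.sh 22 443        (add APPLY=1 in front to actually load it)
if [ $# -gt 0 ]; then
    install_ruleset /tmp/filter.nft "$@"
fi
```

Because the file is checked with `nft -c -f` before `nft -f`, a typo is reported without changing the running firewall; and because every load starts with `flush ruleset`, re-running the script never duplicates rules.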

Listing and deleting

```bash
sudo nft list ruleset                  # everything currently loaded
sudo nft list table inet filter        # one table
sudo nft -a list ruleset               # with handles (needed for deletion)
sudo nft delete rule inet filter input handle 5
sudo nft delete table inet filter      # remove everything in the table
sudo nft flush ruleset                 # REMOVE EVERYTHING (dangerous - you may lose SSH access)
```
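Handles are the only way to address one rule for deletion, and they are kernel-assigned identifiers, not positions: after the rule with handle 4 is deleted, the next rule keeps handle 5. The helper below, an added example rather than anything from the page, looks a handle up in `nft -a list` output by a fixed-string match on the rule text and then deletes that rule. The `SAMPLE` text is constructed to look like `nft -a list ruleset` output (the trailing `# handle N` comment is what `-a` adds); the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): resolve a rule's handle from
# `nft -a list ...` output, then delete the rule by that handle.
#
# Assumptions: SAMPLE is a constructed copy of `nft -a list ruleset` output;
# `nft` is on PATH and runs as root for delete_rule_matching.
set -eu

SAMPLE='table inet filter { # handle 1
    chain input { # handle 1
        type filter hook input priority 0; policy drop;
        ct state established,related accept # handle 3
        iif "lo" accept # handle 5
        tcp dport 22 accept # handle 6
        tcp dport 8080 drop # handle 7
    }
}'

# rule_handle RULESET CHAIN PATTERN
# Print the handle of the first rule inside CHAIN whose text contains
# PATTERN (fixed string, no regex); print nothing if there is no match.
rule_handle() {
    ruleset=$1 chain=$2 pattern=$3
    printf '%s\n' "$ruleset" | awk -v chain="$chain" -v pat="$pattern" '
        $1 == "chain" && $2 == chain { inchain = 1; next }   # enter the chain block
        inchain && $1 == "}"          { inchain = 0 }        # leave it at its closing brace
        inchain && index($0, pat) && match($0, /# handle [0-9]+$/) {
            print substr($0, RSTART + 9)                     # text after "# handle "
            exit
        }'
}

# delete_rule_matching FAMILY TABLE CHAIN PATTERN
# Look the handle up against the live ruleset and delete exactly that rule.
delete_rule_matching() {
    family=$1 table=$2 chain=$3 pattern=$4
    h=$(rule_handle "$(nft -a list table "$family" "$table")" "$chain" "$pattern")
    [ -n "$h" ] || { echo "no rule matching '$pattern' in $chain" >&2; return 1; }
    nft delete rule "$family" "$table" "$chain" handle "$h"
}

# Usage (as root): delete_rule_matching inet filter input "tcp dport 8080"
```

Matching on a fixed string keeps the lookup predictable, but it deletes only the first hit; if the same match text appears twice in a chain, list the chain with `-a` and pick the handle by hand.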

NAT requires a separate chain type

For NAT you need a chain of type nat, not filter:

```bash
sudo nft add table inet nat
sudo nft 'add chain inet nat postrouting { type nat hook postrouting priority 100; }'
sudo nft add rule inet nat postrouting oifname eth0 masquerade
```

Persistence

Rules live in memory. To survive a reboot, save them to a file:

```bash
sudo nft list ruleset > /etc/nftables.conf
sudo systemctl enable nftables          # on Debian/Ubuntu
```

The nftables service then loads that file at boot.
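Loading a saved file onto a remote host is where the "you may lose SSH access" warning bites: one wrong line in `/etc/nftables.conf` and the session that could fix it is gone. The script below, an added example and not part of the page or of LinuxLab's material, applies a ruleset with a timed rollback: it snapshots the running ruleset (with `flush ruleset` prepended so the snapshot restores cleanly), syntax-checks the new file with `nft -c`, loads it, and restores the snapshot after a timeout unless the operator confirms from a still-working session. The `NFT_BACKUP` and `NFT_CONFIRM` paths and the `apply`/`confirm` subcommands are this example's own conventions, not nftables features.

```shell
#!/bin/sh
# Added example (not from the page): apply a new nftables ruleset with a
# timed rollback, so a mistake in the file cannot lock you out over SSH.
#
# Assumptions: `nft` is on PATH and the script runs as root; NFT_BACKUP and
# NFT_CONFIRM are paths chosen by this example, not nftables conventions.
set -eu

NFT_BACKUP=${NFT_BACKUP:-/run/nftables.rollback.conf}
NFT_CONFIRM=${NFT_CONFIRM:-/run/nftables.confirmed}

# apply_with_rollback NEWFILE [TIMEOUT]
# Load NEWFILE, then restore the previous ruleset after TIMEOUT seconds
# unless confirm_ruleset has been called in the meantime.
apply_with_rollback() {
    newfile=$1
    timeout=${2:-60}
    rm -f "$NFT_CONFIRM"
    # 1. Snapshot the running ruleset. `nft list ruleset` does not emit
    #    `flush ruleset`, so prepend it or the restore would merge, not replace.
    { echo 'flush ruleset'; nft list ruleset; } > "$NFT_BACKUP"
    # 2. Syntax-check the new file without loading it (-c / --check).
    nft -c -f "$newfile"
    # 3. Load it. With `flush ruleset` at its top this is one transaction.
    nft -f "$newfile"
    # 4. Watchdog: roll back unless the confirmation file appears in time.
    (
        sleep "$timeout"
        if [ ! -f "$NFT_CONFIRM" ]; then
            nft -f "$NFT_BACKUP"
        fi
    ) &
    echo "applied $newfile; run '$0 confirm' within ${timeout}s to keep it"
}

# Call this from the still-working SSH session to cancel the rollback.
confirm_ruleset() {
    : > "$NFT_CONFIRM"
}

# Usage: sh thisfile.sh apply /etc/nftables.conf 60    then    sh thisfile.sh confirm
case ${1:-} in
    apply)   apply_with_rollback "$2" "${3:-60}" ;;
    confirm) confirm_ruleset ;;
esac
```

If the new rules cut the session, nothing confirms, the watchdog restores the snapshot, and the host is reachable again after the timeout; if they work, a single `confirm` keeps them.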

Iptables vs nftables

  • iptables: old, but still widespread (Docker, k8s until recently).
  • nftables: newer, faster by design, a single CLI for all families.
  • On modern Ubuntu, iptables is a shim: commands are translated to nft.
  • For migration: iptables-restore-translate converts old configs.

§ Commands

```bash
sudo nft list ruleset
```

Print the complete current firewall configuration.

```bash
sudo nft -a list ruleset
```

Print the ruleset with handle IDs, needed for deleting specific rules.

```bash
sudo nft add rule inet filter input tcp dport 8080 drop
```

Block incoming TCP traffic on port 8080.

```bash
sudo nft delete rule inet filter input handle 5
```

Delete a specific rule by its handle.

```bash
sudo nft monitor
```

Live stream of ruleset changes. Useful when debugging automation.

§ See also

  • cmd-iptables: "iptables: netfilter rules (legacy)". iptables is the userland interface for netfilter. Five tables (filter/nat/mangle/raw/security), chains INPUT/OUTPUT/FORWARD/PRE/POSTROUTING, and jump targets ACCEPT/DROP/MASQUERADE. Legacy, but still widely deployed.
  • firewalld-vs-nftables: "firewalld vs nftables: what to choose". firewalld is a daemon wrapper with zones, services, and rich rules; the backend since RHEL 8 is nftables. Plain nft gives more control, sets, and atomic reload. firewalld fits desktop and multi-zone, nft fits a server fleet.
  • nat: "NAT: Network Address Translation". NAT rewrites the src or dst address of a packet at a router. Masquerade is the common case: the src IP is replaced with the router's outbound address so hosts on a private network can reach the public internet.
  • tcp-handshake: "TCP three-way handshake". A TCP connection opens with three packets: SYN from the client, SYN-ACK from the server, ACK from the client. After that the connection is Established and data transfer can begin.

§ Mentioned in lessons

  • intermediate-05-firewall-nftables
Copyright © 2026 LinuxLab. All rights reserved.