LinuxCommandLibrary

nft

Configure Linux packet filtering, firewalling, and NAT

TLDR

View current configuration
$ sudo nft list ruleset

Add a new table with family "inet" and table "filter"
$ sudo nft add table [inet] [filter]

Add a new chain to accept all inbound traffic
$ sudo nft add chain [inet] [filter] [input] \{ type [filter] hook [input] priority [0] \; policy [accept] \; \}

Add a new rule to accept several TCP ports
$ sudo nft add rule [inet] [filter] [input] [tcp] [dport \{ telnet, ssh, http, https \} accept]

Add a NAT rule to translate all traffic from the 192.168.0.0/24 subnet to the host's public IP
$ sudo nft add rule [nat] [postrouting] ip saddr [192.168.0.0/24] [masquerade]

Show rule handles
$ sudo nft --handle --numeric list chain [family] [table] [chain]

Delete a rule
$ sudo nft delete rule [inet] [filter] [input] handle [3]

Save current configuration
$ sudo nft list ruleset > [/etc/nftables.conf]

SYNOPSIS

nft [ options ] command

PARAMETERS

-a, --handle
    Show rule handles. A rule's handle is its unique ID.

-c, --numeric
    Numeric output. Don't try to resolve addresses, port names or user names to their textual representation.

-d, --debug
    Enable debug output.

-e, --echo
    Echo command to standard output.

-f, --file
    Read input from file.

-g, --gen-update
    Generate update command for a ruleset.

-i, --interactive
    Interactive mode.

-j, --json
    Output in JSON format.

-j=raw, --json=raw
    Output in raw JSON format.

-m, --machine
    Machine-readable output format.

-n, --nofatal
    Don't exit if table/chain does not exist.

-nn, --netns
    Apply command to a network namespace.

-N, --nonetns
    Do not apply command to network namespace.

-o, --out
    Write output to file.

-p, --pretty
    Pretty print JSON output.

-r, --rollback
    Rollback on error.

-s, --stateless
    Stateless mode (skip ruleset activation).

-s, --service
    Run in service mode.

-t, --terse
    Terse output.

-t=timestamp, --terse=timestamp
    Add timestamp to terse output.

-T, --table
    Show table names.

-v, --verbose
    Verbose output.

-V, --version
    Show version.

-w, --wait
    Wait for the ruleset to be activated.

-w=seconds, --wait=seconds
    Wait for the ruleset to be activated for a maximum of given number of seconds.

-x, --xml
    Output in XML format.

DESCRIPTION

nft is the command-line interface to nftables, the packet filtering framework in the Linux kernel. It replaces the legacy iptables, ip6tables, arptables, and ebtables tools, offering a unified and more efficient way to manage network filtering rules. nft allows you to define rulesets that control network traffic based on various criteria, such as source/destination addresses, ports, protocols, and more.

The tool supports transactional rule updates, meaning that changes are applied atomically to the kernel, minimizing the risk of inconsistent states. nft uses a more expressive and flexible syntax compared to its predecessors, enabling the creation of complex filtering policies with improved readability and maintainability. The rule sets are stored in the kernel and executed efficiently. nft can also be used to monitor network traffic by adding counters to rules, which can be helpful when debugging the firewall configuration.

CAVEATS

nft requires appropriate kernel support. Older kernels might not be compatible with all features.

COMMAND STRUCTURE

nft commands typically follow a hierarchical structure:
nft [options] {add | delete | list | flush | ...} object [parameters]
Where 'object' can be a table, chain, rule, set, etc., and 'parameters' specify the details of the operation on that object.

RULE MANAGEMENT

You can add, delete, list, and flush rules within chains. Rules specify matching criteria and actions to be taken on matching packets (e.g., accept, drop, log).

SETS AND MAPS

nft supports sets and maps, which are data structures that allow you to group IP addresses, ports, or other values and use them in rules. This is useful for creating dynamic and scalable filtering policies.
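The command structure, rule management and sets described above come together in a declarative ruleset file loaded with nft -f. The following is an added example, not from this page or the nftables project: it assumes eth0 is the host's public interface, eth1 faces the 192.168.0.0/24 LAN used in the TLDR NAT step, and the file is saved as firewall.nft.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the page). Assumes eth0 is the public
# interface and eth1 faces the 192.168.0.0/24 LAN; adjust for your host.
flush ruleset

table inet filter {
    # Named set of allowed inbound TCP services; can be changed at runtime with
    # "nft add element inet filter allowed_tcp { 8443 }" without a full reload.
    set allowed_tcp {
        type inet_service
        elements = { ssh, http, https }
    }

    chain input {
        # Default-deny: anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport @allowed_tcp ct state new counter accept
        # Rate-limited log of what the policy drops (visible in dmesg/journalctl).
        limit rate 5/minute log prefix "nft-input-drop: "
        counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "eth1" oifname "eth0" ip saddr 192.168.0.0/24 accept
    }
}

table ip nat {
    chain postrouting {
        # Same translation as the TLDR masquerade rule, restricted to the
        # public interface so LAN-to-LAN traffic is never rewritten.
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 192.168.0.0/24 oifname "eth0" masquerade
    }
}
```

Validate the file without touching the kernel using sudo nft --check -f firewall.nft, then load it with sudo nft -f firewall.nft and confirm the result with sudo nft list ruleset.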

HISTORY

nft was introduced as a successor to the legacy iptables tools to address their limitations and provide a more modern and efficient packet filtering solution. Its development aimed at unifying the filtering syntax across different protocols (IPv4, IPv6, ARP, Ethernet bridging), improving performance, and enhancing the extensibility of the packet filtering framework. The first versions of nft were released in the early 2010s, and it has been actively developed since then, gradually replacing the older tools in many Linux distributions.
