
How to Use nftables as a Modern Firewall

By Admin · Mar 2, 2026 · Updated Apr 24, 2026 · 29 views · 3 min read


nftables is the modern replacement for iptables, ip6tables, arptables, and ebtables in Linux. It provides a unified framework for packet filtering, NAT, and traffic classification on your Breeze instance with cleaner syntax, better performance, and atomic rule updates.

Why nftables Over iptables

  • Unified syntax — one tool for IPv4, IPv6, ARP, and bridging
  • Atomic rule replacement — entire rulesets are applied in one transaction
  • Better performance — uses a virtual machine in the kernel for packet matching
  • Sets and maps — native support for IP sets, port ranges, and dictionaries
  • Simpler syntax — more readable rules compared to iptables

Installing nftables

sudo apt install -y nftables    # Debian/Ubuntu
sudo dnf install -y nftables    # CentOS/RHEL

sudo systemctl enable --now nftables

Basic Firewall Ruleset

Create a complete firewall configuration at /etc/nftables.conf:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Accept established and related connections
        ct state established,related accept

        # Accept loopback traffic
        iif "lo" accept

        # Accept ICMP and ICMPv6
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Accept SSH
        tcp dport 22 accept

        # Accept HTTP and HTTPS
        tcp dport { 80, 443 } accept

        # Drop invalid connections
        ct state invalid drop

        # Log and drop everything else
        log prefix "nft-drop: " counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

Apply the ruleset:

sudo nft -f /etc/nftables.conf
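The final rule of the input chain, log prefix "nft-drop: " counter drop, writes one kernel log line per dropped packet. The following is an added example, not part of the original article or the nftables project, that parses those lines from journalctl -k or /var/log/kern.log and counts drops per source address and per protocol/destination port, which is the first thing to look at when the drop counter climbs. SAMPLE_LOG is constructed test data in the kernel packet logger's key=value format; the hostname, addresses and times are invented, and the blocklist set named in blocklist_command is hypothetical (the article's ruleset does not define it).

```python
"""Summarise kernel log lines from the ruleset's final
``log prefix "nft-drop: " counter drop`` rule.

Added example, not part of the original article.  It parses the key=value
fields the kernel packet logger writes (IN=, SRC=, DST=, PROTO=, DPT=, ...)
and counts drops per source and per destination port.  SAMPLE_LOG is
constructed data in that format.
"""
import re
from collections import Counter

LOG_PREFIX = "nft-drop: "          # must match the prefix used in the ruleset
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample of `journalctl -k` / /var/log/kern.log output (invented
# hostname, addresses and times; the MAC field is abbreviated on some lines).
SAMPLE_LOG = """\
Mar  2 10:15:01 breeze kernel: nft-drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=10.0.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  2 10:15:02 breeze kernel: nft-drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=10.0.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  2 10:15:03 breeze kernel: nft-drop: IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=10.0.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=40000 DPT=161 LEN=20
Mar  2 10:15:04 breeze kernel: nft-drop: IN=eth0 OUT= MAC=... SRC=203.0.113.5 DST=10.0.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51236 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  2 10:15:05 breeze sshd[1234]: Accepted publickey for admin from 192.0.2.9 port 50000 ssh2
"""


def parse_line(line):
    """Return the key=value fields of one nft-drop line, or None for any other line.

    Bare flags such as DF and SYN carry no '=' and are deliberately not captured.
    """
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    return dict(FIELD_RE.findall(line[idx + len(LOG_PREFIX):]))


def summarize(log_text):
    """Count dropped packets per source address and per (protocol, dport)."""
    per_src, per_port = Counter(), Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        per_src[fields.get("SRC", "?")] += 1
        # ICMP lines carry no DPT; record the protocol alone in that case.
        per_port[(fields.get("PROTO", "?"), fields.get("DPT", "-"))] += 1
    return per_src, per_port


def noisy_sources(log_text, threshold=3):
    """Sources with at least `threshold` drops, most frequent first.

    Candidates for an nft blocklist set or for a closer look.
    """
    per_src, _ = summarize(log_text)
    return [src for src, n in per_src.most_common() if n >= threshold]


def blocklist_command(sources, table="filter", set_name="blocklist"):
    """Build the nft command that adds `sources` to a blocklist set.

    Assumes a set `blocklist` of type ipv4_addr exists in the inet filter table
    (hypothetical; the article's ruleset does not define one).
    """
    return f"nft add element inet {table} {set_name} {{ {', '.join(sources)} }}"


if __name__ == "__main__":
    per_src, per_port = summarize(SAMPLE_LOG)
    print("drops per source:")
    for src, n in per_src.most_common():
        print(f"  {src:16} {n}")
    print("drops per proto/dport:")
    for (proto, dport), n in per_port.most_common():
        print(f"  {proto}/{dport:<6} {n}")
    print(blocklist_command(noisy_sources(SAMPLE_LOG)))
```

Feed it the real log with something like journalctl -k | python3 summarize_drops.py (reading sys.stdin in place of SAMPLE_LOG); the per-port view separates background scanning from a single source probing many ports, and only the latter is worth acting on.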

Working with Sets

Sets allow you to group IPs, ports, or networks for efficient matching:

# Define a named set of trusted IPs. flags interval is required because the
# set holds a prefix (192.168.1.0/24), not only single addresses.
sudo nft add set inet filter trusted_ips { type ipv4_addr \; flags interval \; }
sudo nft add element inet filter trusted_ips { 10.0.0.1, 10.0.0.2, 192.168.1.0/24 }

# Use the set in a rule
sudo nft add rule inet filter input ip saddr @trusted_ips accept
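Two details of sets are easy to get wrong by hand: a set that contains any prefix must be created with flags interval, and an interval set rejects overlapping elements ("conflicting intervals") unless auto-merge is enabled. The following added example, not code from the article or from the nftables project, uses Python's ipaddress module to validate a list of addresses and prefixes, decide whether the interval flag is needed, collapse overlapping entries, and emit the two nft commands above. The table and set names are the article's (inet filter, trusted_ips); the element lists are constructed sample data.

```python
"""Generate `nft add set` / `nft add element` commands for an ipv4_addr set.

Added example, not part of the original article.  It decides whether the set
needs `flags interval` (required as soon as a prefix such as 192.168.1.0/24 is
an element) and merges overlapping entries, which an interval set otherwise
rejects with "conflicting intervals".  Element lists are constructed samples.
"""
import ipaddress


def normalise(elements):
    """Parse strings into IPv4 networks and return (networks, needs_interval).

    A /32 is a plain address; any shorter prefix forces an interval set.  For an
    interval set, overlapping and adjacent entries are collapsed (192.168.1.50
    inside 192.168.1.0/24 disappears); a plain set is just deduplicated so that
    single addresses are never merged into a /31.
    """
    nets = []
    for e in elements:
        net = ipaddress.ip_network(e, strict=False)   # strict=False drops host bits
        if net.version != 4:
            raise ValueError(f"an ipv4_addr set cannot hold {e}")
        nets.append(net)
    needs_interval = any(n.prefixlen < 32 for n in nets)
    if needs_interval:
        nets = list(ipaddress.collapse_addresses(nets))
    else:
        nets = sorted(set(nets))
    return nets, needs_interval


def element_text(net):
    """Render a /32 as a bare address and anything else in prefix notation."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def nft_set_commands(table, set_name, elements, family="inet"):
    """Return the nft commands (one shell line each) creating the set and adding
    its elements.  The ';' inside braces is escaped as '\\;' for bash, as in the
    article's examples."""
    merged, interval = normalise(elements)
    flags = " flags interval \\;" if interval else ""
    create = f"nft add set {family} {table} {set_name} {{ type ipv4_addr \\;{flags} }}"
    body = ", ".join(element_text(n) for n in merged)
    add = f"nft add element {family} {table} {set_name} {{ {body} }}"
    return [create, add]


if __name__ == "__main__":
    # Constructed sample: the article's elements plus a host already covered
    # by the /24, which the interval merge removes.
    trusted = ["10.0.0.1", "10.0.0.2", "192.168.1.0/24", "192.168.1.50"]
    for cmd in nft_set_commands("filter", "trusted_ips", trusted):
        print("sudo " + cmd)
```

Running it prints the two sudo nft commands ready to paste; swapping the element list for one read from a file turns it into a small generator for allowlist sets that fails early on IPv6 addresses or typos instead of letting nft reject the set half-way through.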

Rate Limiting

Protect your Breeze from brute-force attacks with rate limiting. Note that nft add rule appends to the end of the chain, which in the base ruleset is after the final log-and-drop rule, so with that ruleset loaded these two rules only take effect if they replace the unconditional tcp dport 22 accept line in /etc/nftables.conf. Keep the order shown, limited accept first and then drop, so that new connections over the limit are dropped:

sudo nft add rule inet filter input tcp dport 22 \
    ct state new limit rate 5/minute accept

sudo nft add rule inet filter input tcp dport 22 \
    ct state new drop

Port Knocking with nftables

Implement a simple port-knocking sequence using sets with timeouts. The chain below hooks input at priority -1, so it runs before the filter table's input chain (priority 0); an accept verdict here only ends this chain, and the packet is still evaluated by the filter chain, while the final drop keeps SSH closed to sources that have not completed the sequence within the timeouts:

table inet portknock {
    set knock1 { type ipv4_addr; timeout 10s; }
    set knock2 { type ipv4_addr; timeout 10s; }
    set allowed { type ipv4_addr; timeout 60s; }

    chain input {
        type filter hook input priority -1; policy accept;

        tcp dport 1234 add @knock1 { ip saddr } drop
        ip saddr @knock1 tcp dport 5678 add @knock2 { ip saddr } drop
        ip saddr @knock2 tcp dport 9012 add @allowed { ip saddr } drop
        tcp dport 22 ip saddr @allowed accept
        tcp dport 22 drop
    }
}

Listing and Managing Rules

# Show all rules
sudo nft list ruleset

# Show a specific table
sudo nft list table inet filter

# Delete a specific rule (by handle number): list with -a to see the handles,
# then use the handle shown for the rule you want to remove (15 is only an example)
sudo nft -a list table inet filter
sudo nft delete rule inet filter input handle 15

# Flush all rules in a chain
sudo nft flush chain inet filter input

Saving the Configuration

Ensure your rules persist across reboots. nft list ruleset prints the tables but not the flush ruleset line, so prepend it (and the interpreter line) when writing the file; otherwise reloading the file into a running firewall adds the rules a second time:

{ echo '#!/usr/sbin/nft -f'; echo 'flush ruleset'; sudo nft list ruleset; } | sudo tee /etc/nftables.conf
sudo systemctl enable nftables

The nftables service loads /etc/nftables.conf at boot, so your firewall rules will be restored automatically on your Breeze.
