
Understanding and Configuring nftables Firewall

By Admin · Feb 25, 2026 · Updated Apr 23, 2026

What Is nftables?

nftables is the modern replacement for iptables on Linux. It provides a unified framework for packet filtering, NAT, and traffic classification with better performance and a cleaner syntax.

Check Status

sudo nft list ruleset

Basic Configuration

Create /etc/nftables.conf:

#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Allow established connections
        ct state established,related accept

        # Allow loopback
        iif lo accept

        # Allow ICMP (ping)
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Allow SSH
        tcp dport 22 accept

        # Allow HTTP/HTTPS
        tcp dport { 80, 443 } accept

        # Log and drop everything else
        log prefix "[nft-drop] " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

Apply and Enable

sudo nft -f /etc/nftables.conf
sudo systemctl enable nftables

Common Operations

# Add a rule interactively (appended to the end of the chain)
sudo nft add rule inet filter input tcp dport 3306 ip saddr 10.0.0.0/24 accept

# Delete a rule by handle
sudo nft -a list chain inet filter input  # Show handles
sudo nft delete rule inet filter input handle 15

# Add rate limiting for new SSH connections. "add rule" appends after the
# final log-and-drop rule of the ruleset above, where it would never be
# reached, so use "insert rule" to place it at the top of the chain, and
# drop connections over the limit so that the later unconditional
# "tcp dport 22 accept" does not admit them.
sudo nft insert rule inet filter input tcp dport 22 ct state new limit rate over 3/minute drop
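Deleting by handle means reading the handle off the listing by eye. The helper below, added here as an example and not part of this article, parses the output of nft -a list chain to find the handles of rules matching a text fragment and builds the corresponding delete command. The listing it works on is a constructed sample of what nft prints for the ruleset above (nft normalises rule text, for example quoting interface names and writing icmpv6 as ipv6-icmp); the function names are this example's own.

```python
"""Find nftables rule handles in `nft -a list chain` output (added example)."""
import re

# Constructed sample of `sudo nft -a list chain inet filter input` output for
# the ruleset above. nft prints rules in its own canonical form (quoted
# interface names, "ipv6-icmp", "priority filter" for 0), so match that text.
SAMPLE_LISTING = """\
table inet filter {
\tchain input { # handle 1
\t\ttype filter hook input priority filter; policy drop;
\t\tct state established,related accept # handle 4
\t\tiif "lo" accept # handle 5
\t\tip protocol icmp accept # handle 6
\t\tip6 nexthdr ipv6-icmp accept # handle 7
\t\ttcp dport 22 accept # handle 8
\t\ttcp dport { 80, 443 } accept # handle 9
\t\ttcp dport 3306 ip saddr 10.0.0.0/24 accept comment "db # temp" # handle 11
\t\tlog prefix "[nft-drop] " drop # handle 10
\t}
}
"""

# A rule line ends in "# handle N". The rule text itself may contain '#'
# (inside a comment string), so anchor on the trailing marker only.
_RULE_RE = re.compile(r"^\s*(?P<rule>.+?)\s*#\s*handle\s+(?P<handle>\d+)\s*$")


def parse_rules(listing):
    """Return [(handle, rule_text), ...] in chain order, skipping the chain header."""
    rules = []
    for line in listing.splitlines():
        m = _RULE_RE.match(line)
        if m and not m.group("rule").startswith("chain "):
            rules.append((int(m.group("handle")), m.group("rule")))
    return rules


def find_handles(listing, needle):
    """Handles of every rule whose canonical text contains `needle`."""
    return [h for h, rule in parse_rules(listing) if needle in rule]


def delete_command(family, table, chain, handle):
    """argv for `nft delete rule ... handle N`; pass to subprocess without a shell."""
    return ["nft", "delete", "rule", family, table, chain, "handle", str(handle)]


if __name__ == "__main__":
    for h in find_handles(SAMPLE_LISTING, "tcp dport 22 accept"):
        print(" ".join(delete_command("inet", "filter", "input", h)))
```

Handles are assigned when a rule is created and do not change when other rules are inserted or deleted, so the chain order in the listing (handle 11 before handle 10 in the sample) need not follow handle order.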

NAT with nftables

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "eth0" masquerade
    }

    chain prerouting {
        type nat hook prerouting priority -100;
        tcp dport 8080 dnat to 10.0.0.2:80
    }
}

Migrating from iptables

# Export the current iptables rules, then translate them to nftables syntax
iptables-save > /tmp/iptables.rules
iptables-restore-translate -f /tmp/iptables.rules > /tmp/ruleset.nft
