nft

Administration tool for nftables (successor to iptables)

Overview

nftables is the modern replacement for iptables, ip6tables, arptables, and ebtables. It provides a single framework for packet classification.

Syntax

nft [options] [commands]

Common Commands and Options

list ruleset

List all rules in all tables.

add table family name

Add a new table.

add chain

Add a new chain to a table.

add rule

Add a new rule to a chain.

delete rule

Delete a rule from a chain.

flush ruleset

Delete all rules.

-f, --file filename

Read input from specified file.

-i, --interactive

Read input from an interactive readline CLI.

Examples

$ sudo nft list ruleset

Display all current rules.

$ sudo nft add table inet filter

Create a new table named "filter" in the inet family, which matches both IPv4 and IPv6 traffic.

$ sudo nft add chain inet filter input { type filter hook input priority 0 \; }

Create a base chain named "input" in the filter table, hooked into the input path at priority 0. The backslash keeps the shell from treating the semicolon as a command separator.

$ sudo nft add rule inet filter input tcp dport 22 accept

Allow SSH on port 22.

$ sudo nft add rule inet filter input tcp dport { 80, 443 } accept

Allow HTTP and HTTPS.

$ sudo nft add rule inet filter input ct state established,related accept

Allow established connections.

$ sudo nft add rule inet filter input drop

Drop all other incoming traffic. Rules are evaluated in the order they were added, so this catch-all rule must be appended after the accept rules above.

$ sudo nft -f /etc/nftables.conf

Load rules from configuration file.
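The rules built up one command at a time above, collected into a ruleset file of the kind `nft -f` loads. This is an added example rather than content from the original page; the file path and the loopback interface name "lo" are assumptions, and the chain policy and loopback rule are additions a practitioner would normally want so that a reload does not lock out local services.

```nft
#!/usr/sbin/nft -f
# Added example: the page's rules as a loadable ruleset file
# (assumed path: /etc/nftables.conf, loaded with `sudo nft -f /etc/nftables.conf`).

# Start from a clean slate so reloading the file does not duplicate rules.
flush ruleset

table inet filter {
    chain input {
        # Base chain on the input hook. The chain policy, rather than a
        # trailing "drop" rule, catches any packet no rule matched.
        type filter hook input priority 0; policy drop;

        # Local services talk to each other over loopback (assumed name "lo").
        iif "lo" accept

        # Replies to connections this host initiated; drop malformed state.
        ct state established,related accept
        ct state invalid drop

        # Services this host offers: SSH, HTTP and HTTPS.
        tcp dport 22 accept
        tcp dport { 80, 443 } accept

        # Everything else falls through to the drop policy above.
    }
}
```

Run `sudo nft -c -f /etc/nftables.conf` first to parse and validate the file without applying it, then load it with `-f` and confirm the result with `nft list ruleset`.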

$ sudo nft flush ruleset

Remove all rules and tables.