nft
Administration tool for nftables (successor to iptables)
Overview
nftables is the modern replacement for iptables, ip6tables, arptables, and ebtables. It provides a single framework for packet classification.
Syntax
nft [options] [commands]
Common Options
list ruleset
List all rules in all tables.
add table family name
Add a new table.
add chain
Add a new chain to a table.
add rule
Add a new rule to a chain.
delete rule
Delete a rule from a chain.
flush ruleset
Delete all rules.
-f, --file filename
Read input from the specified file.
-i, --interactive
Read input from an interactive readline CLI.
Examples
$ sudo nft list ruleset
Display all current rules.
$ sudo nft add table inet filter
Create a new table named "filter" for inet (IPv4/IPv6) family.
$ sudo nft add chain inet filter input { type filter hook input priority 0 \; }
Create an input chain in the filter table.
$ sudo nft add rule inet filter input tcp dport 22 accept
Allow SSH on port 22.
$ sudo nft add rule inet filter input tcp dport { 80, 443 } accept
Allow HTTP and HTTPS.
$ sudo nft add rule inet filter input ct state established,related accept
Allow established connections.
$ sudo nft add rule inet filter input drop
Drop all other incoming traffic.
$ sudo nft -f /etc/nftables.conf
Load rules from configuration file.
$ sudo nft flush ruleset
Remove all rules and tables.
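The commands from the Examples above, collected into one ruleset file that `nft -f` loads as a single transaction, as an added example that is not from the original page. The leading `flush ruleset`, the loopback accept and the chain's explicit `policy drop` are assumed additions rather than taken from the commands above; check the file with `sudo nft -c -f /etc/nftables.conf` (check mode, nothing is loaded) before applying it.

```nft
#!/usr/sbin/nft -f
# Start from an empty ruleset so that loading this file twice gives
# exactly the same result as loading it once.
flush ruleset

table inet filter {
    chain input {
        # Explicit default policy: anything not accepted below is dropped,
        # so a missing rule fails closed instead of letting traffic through.
        type filter hook input priority 0; policy drop;

        # Loopback traffic is needed by local services (assumed addition).
        iif "lo" accept

        # Replies to connections this host initiated.
        ct state established,related accept

        # SSH, HTTP and HTTPS, as in the examples above.
        tcp dport 22 accept
        tcp dport { 80, 443 } accept

        # Everything else is counted and then dropped by the chain policy.
        counter
    }
}
```

Load it with `sudo nft -f /etc/nftables.conf`; afterwards `sudo nft list ruleset` shows the counter growing for traffic the policy drops.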