NFTables is a subsystem of the Linux kernel providing packet filtering, network address translation (NAT), and other packet mangling. It replaces the legacy iptables framework while offering a more streamlined and efficient approach to managing firewall rules.
To install NFTables on a Debian-based system, use the following command:
sudo apt-get install nftables
For Red Hat-based systems, use:
sudo yum install nftables
To start the NFTables service and enable it to start on boot, use the following commands:
sudo systemctl start nftables
sudo systemctl enable nftables
To list all active rules, use:
sudo nft list ruleset
To add a rule that allows incoming SSH traffic, use:
sudo nft add rule inet filter input tcp dport 22 accept
To delete the previously added rule, nft needs the rule's handle rather than its text. List the chain with handles first, then delete by handle (replace <handle> with the number printed next to the rule):
sudo nft -a list chain inet filter input
sudo nft delete rule inet filter input handle <handle>
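Because deletion works on handles, an administrator usually has to map a rule's text back to its handle. The following script is an added example (not part of the original page) that does that mapping offline against a constructed copy of `nft -a list chain inet filter input` output, and wraps the lookup in a delete helper for use on a live host. The sample listing, the function names and the handle numbers are this example's own assumptions.

```shell
#!/bin/sh
# Constructed sample of what `nft -a list chain inet filter input` prints
# (handle numbers are made up for this example).
SAMPLE_LISTING='table inet filter {
	chain input { # handle 1
		type filter hook input priority filter; policy drop;
		ct state established,related accept # handle 4
		iif "lo" accept # handle 5
		tcp dport 22 accept # handle 6
	}
}'

# rule_handle LISTING RULE
#   Prints the numeric handle of the first rule whose text equals RULE exactly
#   and returns 0; prints nothing and returns 1 when no such rule exists.
rule_handle() {
    listing=$1
    rule=$2
    printf '%s\n' "$listing" | awk -v want="$rule" '
        /# handle [0-9]+$/ {
            line = $0
            sub(/^[ \t]+/, "", line)           # strip indentation
            n = index(line, " # handle ")      # split rule text from handle
            text = substr(line, 1, n - 1)
            if (text == want) {
                print substr(line, n + 10)     # the digits after " # handle "
                found = 1
                exit
            }
        }
        END { exit found ? 0 : 1 }'
}

# delete_rule_live RULE
#   Looks up RULE in the running input chain and deletes it by handle.
#   Needs root and a working nft; not called below so the script runs anywhere.
delete_rule_live() {
    live=$(nft -a list chain inet filter input) || return 1
    h=$(rule_handle "$live" "$1") || { echo "rule not found: $1" >&2; return 1; }
    nft delete rule inet filter input handle "$h"
}

# Offline demonstration against the constructed listing.
printf 'handle of "tcp dport 22 accept" in the sample: %s\n' \
    "$(rule_handle "$SAMPLE_LISTING" 'tcp dport 22 accept')"
```

On a real host, `delete_rule_live 'tcp dport 22 accept'` performs the lookup and the delete in one step; matching on the exact rule text avoids deleting a neighbouring rule whose handle was misread from the listing.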
Here is an example of a basic NFTables configuration file:
#!/usr/sbin/nft -f
# Start from an empty ruleset so reloading this file does not duplicate rules
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # allow replies to connections this host initiated
        ct state established,related accept
        # allow all loopback traffic
        iif "lo" accept
        # allow incoming SSH
        tcp dport 22 accept
    }
    chain forward {
        # this host does not route traffic between interfaces
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
This configuration sets up a basic firewall with the following rules: incoming traffic is dropped unless a rule accepts it; packets belonging to connections the host already established (and related ones) are accepted; all loopback traffic is accepted; new SSH connections on TCP port 22 are accepted; the host forwards nothing between interfaces (the forward chain drops by default); and all outgoing traffic is allowed.
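A mistake in this file on a remote host can cut off the SSH session used to manage it, so the usual practice is to check a new ruleset with nft's check mode before loading it and to keep a copy of the running ruleset to restore from. The script below is an added example (not from the original page) that generalises the configuration above to any list of allowed TCP ports using an nftables set, parses the result with `nft -c -f` (which validates the file without applying it), and loads it only after saving the current ruleset. The function names, the port list and the backup path are this example's own choices.

```shell
#!/bin/sh
# render_config PORTS
#   Prints a complete nftables ruleset that accepts inbound TCP on the given
#   space-separated ports and otherwise matches the baseline policy above.
render_config() {
    # "22 443" -> "22, 443" for use inside an nftables set
    ports=$(printf '%s' "$1" | tr ' ' ',' | sed 's/,/, /g')
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport { $ports } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# check_config FILE
#   Returns 0 if nft parses FILE in check mode; nothing is applied.
check_config() {
    nft -c -f "$1"
}

# apply_config FILE
#   Saves the running ruleset (prefixed with "flush ruleset" so it can be
#   replayed with `nft -f` to roll back), then loads FILE. Needs root.
apply_config() {
    backup=${BACKUP:-/root/nftables.backup.nft}   # assumed backup location
    { echo 'flush ruleset'; nft list ruleset; } > "$backup" || return 1
    nft -f "$1"
}

# Demonstration: render a ruleset allowing SSH and HTTPS and check it if nft
# is installed here; no rules are loaded.
tmp=$(mktemp)
render_config "22 443" > "$tmp"
if command -v nft >/dev/null 2>&1; then
    if check_config "$tmp"; then
        echo "ruleset parses cleanly, ready for: apply_config $tmp"
    else
        echo "ruleset rejected by nft -c; not applying" >&2
    fi
else
    echo "nft not installed on this machine; rendered ruleset is in $tmp"
fi
rm -f "$tmp"
```

Running `check_config` before `apply_config` catches syntax errors before they replace the live ruleset, and the saved copy can be reloaded with `nft -f` (as root) if the new policy turns out to block the management session.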
NFTables provides a powerful and flexible framework for managing firewall rules on Linux servers. Its improved performance, simplified syntax, and unified approach make it a valuable tool for system administrators.
For more detailed information, refer to the official NFTables documentation.