Essential nftables Commands for Managing Linux Firewalls
- Last updated: Jul 18, 2025
nftables is the modern replacement for the iptables tool used to manage the Netfilter firewall framework in Linux. Below are key commands and notes to help understand how it works on a typical Linux system (example shown with Debian).
Configuration
- OS: Debian 12
- nftables: v1.0.6 (Lester Gooch #5)
General Information
- Enable nftables at boot using systemctl:
root@host:~# systemctl enable nftables.service
- Default configuration file location (this is the file nftables.service loads at boot, not a command): /etc/nftables.conf
- Load the nftables configuration file manually:
root@host:~# nft -f /etc/nftables.conf
- List the currently active ruleset:
root@host:~# nft list ruleset
Note: The inet family covers both ip (IPv4) and ip6 (IPv6) in a single table. Use ip or ip6 explicitly when a table should handle only one of them (the NAT section below uses ip).
Tables
- Create a new table:
root@host:~# nft add table inet <table_name>
- List existing tables:
root@host:~# nft list tables
- Delete a table:
root@host:~# nft delete table inet <table_name>
- Flush a table (remove all rules without deleting the table):
root@host:~# nft flush table inet <table_name>
Chains
- Create a new chain:
root@host:~# nft add chain inet <table_name> <chain_name>
- List all chains:
root@host:~# nft list chains
- Delete a chain:
root@host:~# nft delete chain inet <table_name> <chain_name>
- Create an input chain for inbound traffic:
root@host:~# nft add chain inet filter INPUT { type filter hook input priority 0\; }
- Create a forward chain for routed traffic:
root@host:~# nft add chain inet filter FORWARD { type filter hook forward priority 0\; }
- Create an output chain for outbound traffic:
root@host:~# nft add chain inet filter OUTPUT { type filter hook output priority 0\; }
- Create a NAT chain for masquerading (postrouting):
root@host:~# nft add chain inet filter my_masquerade '{ type nat hook postrouting priority 100; }'
- Create a NAT chain for prerouting and port redirection:
root@host:~# nft add chain inet filter my_prerouting '{ type nat hook prerouting priority -100; }'
Rules
Create rules
- Accept all traffic reaching a chain, counting packets and tagging the rule with a comment:
root@host:~# nft add rule inet <table_name> <chain_name> counter accept comment "ALLOW INPUT"
- Allow SSH traffic on port 22 and count packets (counter alone only counts; the accept verdict is what lets the traffic through):
root@host:~# nft add rule inet filter INPUT tcp dport 22 counter accept
- Allow HTTP and HTTPS traffic in new or established states with packet counting:
root@host:~# nft add rule inet filter INPUT tcp dport {80, 443} ct state new,established counter accept
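The chain and rule commands above are easier to reason about as one ruleset file, which is also how /etc/nftables.conf is written. The following is an added example, not part of the original page: it generates a complete stateful input filter for the inet filter table and INPUT chain used above and syntax-checks it with `nft -c -f` before anything is loaded. Note that the base chains created earlier carry no policy statement, so they default to accept; the example sets policy drop explicitly. The ssh_port parameter and the log prefix are assumptions.

```shell
# Added example (not from the original page): build a complete stateful
# input filter as an nftables ruleset file, then syntax-check it with
# `nft -c -f` before loading. Table/chain names mirror the page
# (inet filter, INPUT/FORWARD/OUTPUT); ssh_port and the log prefix are assumptions.

# Emit the ruleset text. A base chain's policy defaults to accept when no
# policy is given, so `policy drop` is written explicitly for input/forward.
gen_filter_ruleset() {
    ssh_port="${1:-22}"
    cat <<EOF
flush ruleset

table inet filter {
    chain INPUT {
        type filter hook input priority 0; policy drop;

        # loopback and already-tracked connections
        iifname "lo" accept
        ct state established,related counter accept
        ct state invalid counter drop

        # ICMP/ICMPv6 are needed for PMTU discovery and IPv6 neighbour discovery
        meta l4proto { icmp, ipv6-icmp } counter accept

        # services exposed on purpose, counted and commented so their handles are easy to find
        tcp dport ${ssh_port} ct state new counter accept comment "ALLOW SSH"
        tcp dport { 80, 443 } ct state new counter accept comment "ALLOW WEB"

        # everything else falls through to the chain policy (drop); log a sample of it
        limit rate 5/minute counter log prefix "nft-input-drop: "
    }

    chain FORWARD {
        type filter hook forward priority 0; policy drop;
    }

    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Syntax-check a ruleset read from stdin without touching the live firewall.
# Returns 0 when nft accepts it, 1 when it rejects it, 2 when nft is not installed.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 2
    tmp="$(mktemp)" || return 1
    cat >"$tmp"
    if nft -c -f "$tmp" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (as root): gen_filter_ruleset 22 | check_ruleset && gen_filter_ruleset 22 | nft -f -
```

The leading `flush ruleset` makes the file idempotent (reloading it does not append duplicate rules), but it also removes every other table, including any NAT table, so a real /etc/nftables.conf should contain all tables the host needs.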
Delete rules
- List rules with handle numbers:
root@host:~# nft -n -a list ruleset
- Delete a rule by its handle number (the family must match the table the rule lives in; the INPUT chain above was created in the inet family):
root@host:~# nft delete rule inet filter INPUT handle 38
Replace a rule
- List current rules with handle numbers:
root@host:~# nft -n -a list ruleset
- Replace the rule with a given handle by a new rule (the handle is reused for the new rule):
root@host:~# nft replace rule inet filter INPUT handle 38 iifname "eth0" ip saddr 192.168.1.12 counter drop
Insert a rule
- Insert a rule immediately before an existing rule (position takes the handle of that rule, here 17, as shown by nft -a list ruleset):
root@host:~# nft insert rule inet filter INPUT position 17 iifname "eth0" ip saddr { 192.168.1.11, 192.168.1.68, 192.168.1.118 } counter drop
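Handles are only stable until the ruleset is flushed, so scripts should look them up at run time rather than hard-code them. This added example (not from the original page) covers the delete and replace steps above: it reads an `nft -a` listing, finds the handle of the rule tagged with a given comment (handles are printed as a trailing `# handle N`), and deletes that rule. The comment strings and the sample listing are constructed for the example.

```shell
# Added example (not from the original page): locate a rule's handle by its
# comment instead of reading it off `nft -a list ruleset` by eye, then delete it.
# Table/chain names mirror the page; comments and the sample listing are constructed.

# Read an `nft -a` listing on stdin and print the handle of the first rule whose
# comment equals $1. Matching on `comment "..."` including the closing quote
# avoids partial matches such as "ALLOW SSH" vs "ALLOW SSH2".
handle_from_listing() {
    awk -v c="comment \"$1\"" '
        index($0, c) && /# handle [0-9]+$/ { print $NF; exit }
    '
}

# Delete the rule tagged with comment $4 from family $1, table $2, chain $3.
delete_rule_by_comment() {
    h="$(nft -a list chain "$1" "$2" "$3" | handle_from_listing "$4")"
    [ -n "$h" ] || { echo "no rule with comment \"$4\" in $1 $2 $3" >&2; return 1; }
    nft delete rule "$1" "$2" "$3" handle "$h"
}

# Constructed sample of what `nft -a list chain inet filter INPUT` prints,
# used to exercise handle_from_listing without a live firewall.
sample_listing() {
    cat <<'EOF'
table inet filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        ct state established,related counter packets 10 bytes 800 accept # handle 4
        tcp dport 22 ct state new counter packets 0 bytes 0 accept comment "ALLOW SSH" # handle 5
        tcp dport { 80, 443 } ct state new counter packets 0 bytes 0 accept comment "ALLOW WEB" # handle 6
    }
}
EOF
}

# Usage (as root): delete_rule_by_comment inet filter INPUT "ALLOW WEB"
```

The same handle feeds `nft replace rule inet filter INPUT handle "$h" ...`, so the lookup serves the Replace a rule step as well; tagging rules with comments when they are created is what makes this lookup reliable.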
NAT
Create table
- Create a dedicated table for NAT:
root@host:~# nft add table ip NAT
Create chains
- Create a postrouting chain for masquerading traffic:
root@host:~# nft add chain ip NAT my_masquerade '{ type nat hook postrouting priority 100; }'
- Create a prerouting chain for port redirection:
root@host:~# nft add chain ip NAT my_prerouting '{ type nat hook prerouting priority -100; }'
Masquerading rule
- Masquerade all outgoing traffic, except for destination addresses in 192.168.0.0/16:
root@host:~# nft add rule NAT my_masquerade ip daddr != { 192.168.0.0/16 } oifname <interface> masquerade
Prerouting rule
- Redirect HTTPS traffic to an internal server (192.168.1.10) using DNAT:
root@host:~# nft add rule NAT my_prerouting iifname <interface> tcp dport { https } dnat to 192.168.1.10 comment "Web Server"
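NAT rules only rewrite addresses; for the masqueraded and DNAT'd flows to actually pass, the kernel must forward packets and the forward hook must accept them. This added example (not from the original page) puts the NAT table from this section into one ruleset file and adds those two missing pieces, going slightly beyond the section: a FORWARD chain in the page's inet filter table that admits only the translated traffic, and the ip_forward sysctl. The WAN interface "eth0", the LAN interface "eth1" and the 192.168.1.10 web server stand in for the page's <interface> placeholders and are assumptions.

```shell
# Added example (not from the original page): the NAT setup from this section as
# a ruleset file, plus the FORWARD rules and the ip_forward sysctl it depends on.
# "eth0" (WAN), "eth1" (LAN) and 192.168.1.10 are assumptions standing in for
# the page's placeholders.

gen_nat_ruleset() {
    wan="${1:-eth0}"
    lan="${2:-eth1}"
    web="${3:-192.168.1.10}"
    cat <<EOF
table ip NAT {
    chain my_prerouting {
        type nat hook prerouting priority -100;
        # Port forward: HTTPS arriving on the WAN side goes to the internal web server.
        iifname "${wan}" tcp dport { https } dnat to ${web} comment "Web Server"
    }
    chain my_masquerade {
        type nat hook postrouting priority 100;
        # Hide LAN clients behind the WAN address; leave RFC 1918 destinations untouched.
        ip daddr != { 192.168.0.0/16 } oifname "${wan}" masquerade
    }
}

# NAT only rewrites addresses; the forward hook still has to accept the flow.
# DNAT happens in prerouting, so the forward hook already sees the internal address.
table inet filter {
    chain FORWARD {
        type filter hook forward priority 0; policy drop;
        ct state established,related counter accept
        # LAN -> anywhere (masqueraded on the way out)
        iifname "${lan}" oifname "${wan}" counter accept
        # WAN -> the DNAT target only, and only on the forwarded port
        iifname "${wan}" oifname "${lan}" ip daddr ${web} tcp dport 443 ct state new counter accept
    }
}
EOF
}

# Kernel switch without which nothing is routed between interfaces.
# Persist it with a net.ipv4.ip_forward = 1 line under /etc/sysctl.d/ as well.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

# Usage (as root): enable_forwarding && gen_nat_ruleset eth0 eth1 192.168.1.10 | nft -c -f - \
#   && gen_nat_ruleset eth0 eth1 192.168.1.10 | nft -f -
```

If the inet filter table already holds a FORWARD base chain with the same hook, loading this file appends the rules to it rather than creating a second chain, which is what a merged /etc/nftables.conf wants.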