“nft” is a tool for configuring the Linux kernel firewall in a user-friendly way. It is designed to replace the older “iptables” firewall configuration tool. The “nftables” firewall framework provides more advanced functionality and improved performance compared to “iptables”.
“nft” allows system administrators to manage tables, chains, and rules in the Linux kernel firewall. A table in the firewall represents a specific domain of rules, such as the IPv4 or IPv6 domains. Chains are sequences of rules within a table, and rules define the actions to be taken for specific packets. The rules can include actions such as accepting, rejecting, or logging incoming packets.
“nft” provides a flexible and powerful interface for configuring the Linux kernel firewall, making it easier for system administrators to set up and manage firewall rules. The tool allows rules to be specified using a simple and intuitive syntax, and it provides a wide range of features for fine-tuning the firewall configuration.
If you encounter the below error while running the command nft:
nft: command not found
you may try installing the below package as per your choice of distribution:
| Distribution | Command |
|---|---|
| Debian | apt-get install nftables |
| Ubuntu | apt-get install nftables |
| Alpine | apk add nftables |
| Arch Linux | pacman -S nftables |
| Kali Linux | apt-get install nftables |
| CentOS | yum install nftables |
| Fedora | dnf install nftables |
| Raspbian | apt-get install nftables |
nft Command Examples
1. View current configuration:
# sudo nft list ruleset
2. Add a new table with family “inet” and table “filter”:
# sudo nft add table inet filter
3. Add a new chain to accept all inbound traffic:
# sudo nft add chain inet filter input \{ type filter hook input priority 0 \; policy accept \}
4. Add a new rule to accept several TCP ports:
# sudo nft add rule inet filter input tcp dport \{ telnet, ssh, http, https \} accept
5. Add a NAT rule to translate all traffic from the `192.168.0.0/24` subnet to the host’s public IP:
# sudo nft add rule nat postrouting ip saddr 192.168.0.0/24 masquerade
6. Show rule handles:
# sudo nft --handle --numeric list chain family table chain
7. Delete a rule:
# sudo nft delete rule inet filter input handle 3
8. Save current configuration:
# sudo nft list ruleset > /etc/nftables.conf