Network
nft
Manage nftables firewall rules.
firewall, nftables, packets, security
Additional Notes
nft manages nftables firewall rules in the Linux kernel. Use it to inspect, load, add, delete, and test firewall rules.
nftables is the modern Netfilter firewall framework. It can replace many older iptables, ip6tables, arptables, and ebtables workflows.
Syntax
nft [options] [command]
nft -f rules.nft
Parameters
- options: Flags that change how nft behaves.
- command: A ruleset, table, chain, rule, set, or monitor command.
- family: Packet family such as ip, ip6, inet, arp, bridge, or netdev.
- table: A container for chains, sets, maps, and rules.
- chain: A list of rules. Base chains attach to packet hooks such as input, forward, or output.
Common Options
- -f FILE: Read rules from a file.
- -c: Check commands without applying changes.
- -a: Show rule handles, useful when deleting exact rules.
- -n: Print numeric output.
- -j: Print JSON output.
- list ruleset: Show the active ruleset.
- flush ruleset: Remove the active ruleset.
- add table: Create a table.
- add chain: Create a chain.
- add rule: Add a rule.
- monitor: Watch nftables events.
Examples
sudo nft list ruleset
Show all active nftables rules.
sudo nft -c -f /etc/nftables.conf
Check a rules file without loading it.
sudo nft add table inet filter
Create a table that can hold IPv4 and IPv6 rules.
sudo nft 'add chain inet filter input { type filter hook input priority 0; policy drop; }'
Create an input base chain with a default drop policy.
sudo nft flush ruleset
Remove all active nftables tables, chains, and rules.
Practical Notes
- Start with sudo nft list ruleset before changing anything.
- flush ruleset removes all nftables rules. Use it carefully, especially over SSH.
- Use -c -f FILE before loading a new firewall file.
- inet tables are useful when one ruleset should handle both IPv4 and IPv6.
- list ruleset output can be saved and loaded again with nft -f.
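The notes above (default-drop input chain, inet table for both IPv4 and IPv6, dry-run with -c -f before loading) combined into one script. This is an added example, not part of the original page; the output path and the SSH_PORT value are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: generate a minimal default-drop inet ruleset that keeps the
# SSH session alive, then dry-run it with `nft -c -f` before loading.
RULES_FILE="${RULES_FILE:-${TMPDIR:-/tmp}/example-rules.nft}"  # assumed path
SSH_PORT="${SSH_PORT:-22}"                                      # assumed port

# write_ruleset: write the rules file. `flush ruleset` at the top makes the
# file a complete, reloadable description of the firewall.
write_ruleset() {
    cat > "$RULES_FILE" <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # Replies to connections this host opened.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # Admit new SSH sessions before the drop policy applies.
        tcp dport $SSH_PORT ct state new accept
        # ICMP/ICMPv6 carry path-MTU and IPv6 neighbor discovery.
        meta l4proto { icmp, ipv6-icmp } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# check_ruleset: syntax-check without changing the kernel (needs root on
# most systems). Returns nft's exit status, or 0 when nft is not installed
# so the script can still be exercised on a machine without nftables.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$RULES_FILE"
    else
        echo "nft not found; skipping check of $RULES_FILE" >&2
    fi
}

# ruleset_has: return 0 when the generated file contains the given text.
ruleset_has() {
    grep -q -- "$1" "$RULES_FILE"
}

write_ruleset && check_ruleset && echo "ready: sudo nft -f $RULES_FILE"
```

Once the dry-run passes, load the file with sudo nft -f and confirm with sudo nft list ruleset.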