Table of Contents
Was this article helpful?

0  out of  2 found this helpful

Try Vultr Today with

$50 Free on Us!

Want to contribute?

You could earn up to $600 by adding new articles.

nftables Quickstart Guide

Last Updated: Mon, Apr 13, 2020
Quickstart Guides Security System Admin

nftables provides firewall support and NAT. This quickstart guide outlines several useful commands and techniques to assist debugging nftables.

Enable and start nftables

Recent versions of Debian have nftables installed by default.

If you need to install nftables:

# aptitude install nftables

To enable nftables at boot:

# systemctl enable nftables.service

List current ruleset

# nft list ruleset

Delete all rules

To stop nftables from filtering traffic, delete all the rules.

nft flush ruleset

Disable and stop nftables

To disable nftables from starting:

# systemctl mask nftables.service

To uninstall nftables:

# aptitude purge nftables

Simple example for SSH and web

This trivial example allows SSH, HTTP, HTTPS, and ICMP. It denys all other inbound traffic.

Edit /etc/nftables.conf.

sudo nano /etc/nftables.conf

Replace /etc/nftables.conf with the following rules.

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # accept any localhost traffic
        iif lo accept

        # accept traffic originated from us
        ct state established,related accept

        # drop invalid packets
        ct state invalid counter drop

        # accept ssh, http, and https
        tcp dport { 22, 80, 443 } accept

        # accept icmp
        ip protocol icmp accept

        # count and reject everything else
        counter reject with icmpx type admin-prohibited

    chain forward {
        type filter hook forward priority 0; policy drop;

    chain output {
        type filter hook output priority 0; policy accept;


More information

See for more details.

Want to contribute?

You could earn up to $600 by adding new articles.