nftables provides firewall support and NAT. This quickstart guide outlines several useful commands and techniques to assist debugging nftables.
Recent versions of Debian have nftables installed by default.
If you need to install nftables:
# aptitude install nftables
To enable nftables at boot:
# systemctl enable nftables.service
To list the current ruleset:
# nft list ruleset
To stop nftables from filtering traffic, delete all the rules (note that this also removes the base chains and their drop policies, so all traffic is allowed afterwards):
# nft flush ruleset
To prevent nftables from starting at boot:
# systemctl mask nftables.service
To uninstall nftables:
# aptitude purge nftables
This trivial example allows SSH, HTTP, HTTPS, and ICMP. It denies all other inbound traffic.
Edit /etc/nftables.conf:
sudo nano /etc/nftables.conf
Replace the contents of /etc/nftables.conf with the following rules.
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # accept any localhost traffic
        iif lo accept
        # accept traffic originated from us
        ct state established,related accept
        # drop invalid packets
        ct state invalid counter drop
        # accept ssh, http, and https
        tcp dport { 22, 80, 443 } accept
        # accept icmp (IPv4); in an inet table ICMPv6 must be accepted separately,
        # otherwise IPv6 neighbour discovery is dropped by the policy below
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
        # count and reject everything else
        counter reject with icmpx type admin-prohibited
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
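As an added example (not part of the Debian wiki page), a small Python audit that reads the JSON form of a loaded ruleset, as printed by `nft -j list ruleset`, and checks it against the intent of the configuration above: base chains on the input and forward hooks with policy drop, and no TCP ports accepted beyond 22, 80 and 443. The sample ruleset embedded below is constructed and deliberately accepts one extra port so the check has something to report.

```python
"""Audit a ruleset as printed by `nft -j list ruleset`: base chains on the input and
forward hooks must have policy drop, and only the expected TCP ports may be accepted."""
import json

EXPECTED_PORTS = {22, 80, 443}
# Constructed sample in the libnftables JSON format (metainfo omitted); it deliberately
# accepts one port too many. On a real host feed in the output of `nft -j list ruleset`.
SAMPLE_RULESET = json.dumps({"nftables": [
    {"chain": {"family": "inet", "table": "filter", "name": "input", "handle": 1,
               "type": "filter", "hook": "input", "prio": 0, "policy": "drop"}},
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 4, "expr": [
        {"match": {"op": "==", "left": {"meta": {"key": "iif"}}, "right": "lo"}}, {"accept": None}]}},
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 5, "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                   "right": {"set": [22, 80, 443, 8080]}}}, {"accept": None}]}},
    {"chain": {"family": "inet", "table": "filter", "name": "forward", "handle": 2,
               "type": "filter", "hook": "forward", "prio": 0, "policy": "drop"}},
]})

def accepted_tcp_ports(ruleset, chain="input"):
    """Set of TCP destination ports that some accept rule in `chain` matches."""
    ports = set()
    for obj in ruleset["nftables"]:
        rule = obj.get("rule")
        if not rule or rule["chain"] != chain or not any("accept" in e for e in rule["expr"]):
            continue
        for e in rule["expr"]:
            m = e.get("match", {})
            left = m.get("left", {}).get("payload", {})
            if left.get("protocol") == "tcp" and left.get("field") == "dport":
                right = m["right"]  # a single port, or {"set": [...]} of ports (ranges not handled)
                ports.update(right["set"] if isinstance(right, dict) else [right])
    return ports

def audit(ruleset, expected=EXPECTED_PORTS):
    """Return a list of findings; an empty list means the ruleset matches intent."""
    if isinstance(ruleset, str):
        ruleset = json.loads(ruleset)
    findings = []
    # base chains are the ones carrying a hook; regular chains have none
    hooked = {c["chain"]["hook"]: c["chain"] for c in ruleset["nftables"]
              if "chain" in c and "hook" in c["chain"]}
    for hook in ("input", "forward"):
        if hook not in hooked:
            findings.append(f"no base chain on the {hook} hook")
        elif hooked[hook].get("policy") != "drop":
            findings.append(f"{hook} chain policy is {hooked[hook].get('policy')}, expected drop")
    extra = accepted_tcp_ports(ruleset) - set(expected)
    if extra:
        findings.append(f"unexpected TCP ports accepted: {sorted(extra)}")
    return findings
```

Running `audit(SAMPLE_RULESET)` reports the stray port 8080; on a real host pass it the string returned by `nft -j list ruleset` (root is required to read the ruleset).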
See https://wiki.debian.org/nftables for more details.