nftables Quickstart Guide
Last Updated: Mon, Apr 13, 2020
nftables provides firewall support and NAT. This quickstart guide outlines several useful commands and techniques to assist debugging nftables.
Enable and start nftables
Recent versions of Debian have nftables installed by default.
If you need to install nftables:
# aptitude install nftables
To enable nftables at boot:
# systemctl enable nftables.service
List current ruleset
# nft list ruleset
Delete all rules
To stop nftables from filtering traffic, delete all the rules.
nft flush ruleset
Disable and stop nftables
To disable nftables from starting:
# systemctl mask nftables.service
To uninstall nftables:
# aptitude purge nftables
Simple example for SSH and web
This trivial example allows SSH, HTTP, HTTPS, and ICMP. It denys all other inbound traffic.
Edit /etc/nftables.conf.
sudo nano /etc/nftables.conf
Replace /etc/nftables.conf with the following rules.
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
# accept any localhost traffic
iif lo accept
# accept traffic originated from us
ct state established,related accept
# drop invalid packets
ct state invalid counter drop
# accept ssh, http, and https
tcp dport { 22, 80, 443 } accept
# accept icmp
ip protocol icmp accept
# count and reject everything else
counter reject with icmpx type admin-prohibited
}
chain forward {
type filter hook forward priority 0; policy drop;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
More information
See https://wiki.debian.org/nftables for more details.