On this page
nftables Operations Manual
nftables is the next-generation firewall framework for Linux, replacing iptables/ip6tables/arptables/ebtables. It is managed using the nft command, and configurations can be loaded atomically. On Gentoo, the kernel must have CONFIG_NF_TABLES and related modules enabled.
Core concepts: table (namespace, grouped by family), chain (rule container, categorized by type/hook/priority), rule (match + action), set (collection of IPs/ports), verdict (accept/drop/reject/jump).
Status Viewing
# List all rules
# View by table/chain
# View sets / counters
# Ruleset statistics
|
Basic Rule Management
# Temporary modifications (lost on reboot, for testing)
# View handles
# Output: tcp dport 22 accept # handle 5
Persistence and Atomic Loading
# Save the current ruleset
# Atomic replacement (recommended)
# Check syntax (without loading)
# systemd auto-load
Common Table/Chain Structure Templates
table inet filter { # inet = IPv4 + IPv6
chain input {
type filter hook input priority 0; policy drop;
# Allow lo
iif lo accept
# Allow established/related connections
ct state established,related accept
# Allow SSH
tcp dport 22 accept
# Allow ICMPv6 (required for IPv6)
ip6 nexthdr icmpv6 accept
}
chain forward {
type filter hook forward priority 0; policy drop;
ct state established,related accept
}
chain output {
type filter hook output priority 0; policy accept;
}
}
Rule Syntax
# Matching
# Actions
# Return from custom chain
NAT / Port Forwarding
# Table definition
# DNAT (Port forwarding, external → internal)
# SNAT (Unified outgoing IP)
# MASQUERADE (Dynamic IP outgoing, e.g., DHCP interface)
# Port redirection (local 80 → 8080)
Sets (Efficient Batch Matching)
# Define named set
# Or in config file:
# set blackhole { type ipv4_addr; }
# Dynamically add/delete elements
# Use in rules
# ip saddr @blackhole drop
# Sets with timeouts (auto-expire)
# set ratelimit { type ipv4_addr; timeout 1h; }
# ip saddr @ratelimit counter drop
# Set types:
# ipv4_addr / ipv6_addr IP addresses
# ipv4_addr . inet_service IP+port combination
# ifname Interface name
# mark Connection mark
Operations and Maintenance
# Insert rule at specific position (default is append)
# Replace rule
# Rule comments
# In config file: tcp dport 22 accept comment "SSH access"
# Reset counters
# Real-time monitoring
# Debugging
Common Scenarios
# Prevent SSH brute force (limit new connection rate)
# tcp dport 22 ct state new limit rate 4/minute accept
# tcp dport 22 ct state new drop
# Allow only specific IPs to access a port
# ip saddr {10.0.0.1, 10.0.0.2} tcp dport 5432 accept
# tcp dport 5432 drop
# Transparent proxy (TPROXY, requires mihomo/v2ray)
# table ip mangle {
# chain prerouting { type filter hook prerouting priority mangle; }
# }
# meta l4proto tcp ip daddr != 127.0.0.0/8 tproxy to :12345
# Note for Docker users
# Docker inserts its own iptables rules, which may cause order issues when mixed with nftables.
# Recommendation: Either use only iptables (Docker compatibility mode), or ensure nftables rules are loaded before Docker
# Check: nft list ruleset | grep -i docker
# Docker's nftables support: /etc/docker/daemon.json → "iptables": false
Migration Notes (iptables → nft)
# View current iptables rules
# Automatic translation (imperfect, for reference only)
# Output: nft add rule ip filter INPUT tcp dport 22 counter accept
# Batch translation (full ruleset)