In this article I will give examples of setting up nftables to replace the outdated iptables.
Let's switch to the root user so we don't have to prefix every command with sudo:
sudo -i
Installation command on Ubuntu (if not already installed):
apt install nftables
systemctl is-enabled nftables.service
systemctl enable nftables.service
Example of preventing the service from starting at boot (mask is stronger than disable: a masked unit cannot be started at all until it is unmasked again):
systemctl mask nftables.service
systemctl unmask nftables.service
Complete removal of nftables from the operating system:
apt purge nftables
Example of clearing all rules (flush) and of deleting one specific table:
nft flush ruleset
nft delete table inet filter
View the current rules (-a also shows the rule handles) and the tables:
nft -a list ruleset
nft list tables
Example of creating a table:
nft add table inet filter
Dropping or accepting traffic to the HTTP port (use one or the other; rules are evaluated in order and the first matching verdict wins):
nft add rule inet filter input tcp dport 80 drop
nft add rule inet filter input tcp dport 80 accept
Setting the drop policy for the input chain (a policy can only be set on a base chain, i.e. one that already has an input hook, such as the input chain in the default Debian/Ubuntu /etc/nftables.conf):
nft add chain inet filter input '{ policy drop; }'
Let's allow traffic on the loopback interface (lo), which local applications use to talk to each other:
nft add rule inet filter input iifname lo counter accept
Example of deleting a rule by its handle (list with -a to see the handles):
nft -a list ruleset
nft delete rule inet filter input handle 8
You can use iptables-translate to convert iptables rules into nftables syntax (each command below is followed by the nft rule it prints):
iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
nft add rule ip filter INPUT tcp dport 22 ct state new counter accept
iptables-translate -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
nft add rule ip nat POSTROUTING oifname eth0 ip saddr 10.0.0.0/24 counter masquerade
ip6tables-translate -A FORWARD -i eth0 -o eth1 -p udp -m multiport --dports 123,456 -j ACCEPT
nft add rule ip6 filter FORWARD iifname eth0 oifname eth1 meta l4proto udp udp dport { 123,456} counter accept
An example of converting all existing iptables rules to nftables via a file:
iptables-save > save.txt
iptables-restore-translate -f save.txt > ruleset.nft
nft -f ruleset.nft
An example of saving nftables rules to a file and restoring from the file:
nft list ruleset > ixnfo.com.conf
nft -f ixnfo.com.conf
On Debian you can find example configurations in /usr/share/doc/nftables/examples/
Open the NTP server port:
nft add rule inet filter input ip saddr 10.0.0.0/22 udp dport 123 accept comment "NTP"
Open the Syslog server port:
nft add rule inet filter input position 22 ip saddr { 10.20.30.5/32, 10.30.10.5/32 } udp dport 514 accept
nft add rule inet filter input position 22 ip saddr { 10.20.30.5/32, 10.30.10.5/32 } tcp dport 514 accept
Open the Asterisk server port:
nft add rule inet filter input position 33 ip saddr { 10.20.30.5/32, 10.30.10.5/32 } udp dport 5060 accept
nft add rule inet filter input position 34 ip saddr { 10.20.30.5/32, 10.30.10.5/32 } udp dport 10000-20000 accept
After all the accept rules, we drop everything else (alternatively, set the chain's default policy to drop for incoming connections):
nft add rule inet filter input counter drop
An example of adding a rule after the rule with handle 22 (for example, to place it before the final drop rule, since a rule placed after the drop rule would never match):
nft -a list ruleset
nft add rule inet filter input position 22 ip saddr 10.0.0.0/16 tcp dport 514 accept
You can check from another host whether the port is open by running the nmap scanner:
nmap -p 514 10.20.30.40
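As an added example (not from the original article), here is a small shell helper that reads the output of nft -a list chain, finds the handle of the catch-all drop rule and builds an insert command that lands in front of it. Note the difference from the article's commands: add rule ... position N places the new rule after handle N, while insert rule ... position N places it before handle N. The listing below is constructed sample output and the function names are my own.

```shell
#!/bin/sh
# Added example: locate the terminal "drop" rule of the inet filter input
# chain and build an "nft insert rule ... position <handle>" command that
# puts a new accept rule in front of it.
# SAMPLE_LISTING is constructed sample output of
#   nft -a list chain inet filter input
set -e

SAMPLE_LISTING='table inet filter {
    chain input { # handle 1
        type filter hook input priority 0; policy drop;
        iifname "lo" counter packets 10 bytes 840 accept # handle 4
        ip saddr 10.0.0.0/22 udp dport 123 accept comment "NTP" # handle 5
        ip saddr { 10.20.30.5, 10.30.10.5 } udp dport 514 accept # handle 6
        counter packets 3 bytes 180 drop # handle 9
    }
}'

# Print the handle of the last rule whose verdict is "drop" (the catch-all).
# In real use: drop_handle "$(nft -a list chain inet filter input)"
drop_handle() {
    printf '%s\n' "$1" |
        awk '/ drop # handle [0-9]+$/ { h = $NF } END { print h }'
}

# Build the nft command. "insert ... position N" places the rule BEFORE
# handle N; "add ... position N" would place it AFTER handle N, i.e. after
# the drop rule, where it could never match.
insert_before_drop_cmd() {
    listing=$1
    shift
    h=$(drop_handle "$listing")
    [ -n "$h" ] || { echo "no drop rule found in chain" >&2; return 1; }
    printf 'nft insert rule inet filter input position %s %s\n' "$h" "$*"
}

# Example: open syslog over TCP for 10.0.0.0/16 ahead of the drop rule.
insert_before_drop_cmd "$SAMPLE_LISTING" 'ip saddr 10.0.0.0/16 tcp dport 514 accept'
```

The helper only prints the command; run its output (or pipe it to sh) once you have checked the handle against nft -a list ruleset.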
You can specify several ports at once in one rule:
nft add rule inet filter input iifname eth0 ip saddr 10.0.0.0/16 udp dport {137, 138, 123} counter accept
nft add rule inet filter input iifname eth0 ip saddr 10.0.0.0/16 tcp dport {445, 139, 80, 443} counter accept
Let's allow ICMP only from certain networks, and only for the listed message types:
nft add rule inet filter input position 10 ip saddr { 10.20.30.0/22, 10.30.20.0/22 } ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
Packet logging (this rule logs every packet that reaches it; since add appends to the end of the chain, place it before the final drop rule if you want to see dropped traffic):
nft add rule inet filter input log
Let's save the rules so that they survive a reboot (the commands below overwrite /etc/nftables.conf; alternatively, simply add the new rules to the existing /etc/nftables.conf file):
echo '#!/usr/sbin/nft -f' > /etc/nftables.conf
echo 'flush ruleset' >> /etc/nftables.conf
nft list ruleset >> /etc/nftables.conf
Let's check that the saved rules load correctly:
systemctl restart nftables
nft list ruleset
See also my article:
How to configure IPTables