nftables is a Linux packet classification framework that replaces iptables and related tools. It offers performance improvements, unified syntax, and better maintainability. This guide covers installation, configuration, and practical usage.
What Is nftables
nftables provides packet filtering, network address translation (NAT), and traffic classification. The Linux kernel includes nftables starting from version 3.13. Major distributions now ship nftables as the default firewall framework.
The framework uses a hierarchy of tables, chains, and rules. Tables contain chains. Chains contain rules that match and act on packets.
The nft command-line tool manages all nftables operations. It replaces separate utilities like iptables-save and ip6tables.
nftables vs iptables
nftables introduces several changes from iptables. Understanding these differences helps with migration and configuration.
| Feature | iptables | nftables |
|---|---|---|
| Tables and chains | Predefined tables and chains | No predefined structures |
| Actions per rule | Single action | Multiple actions |
| IPv4 and IPv6 | Separate tools required | Unified inet family |
| Rule updates | Replace entire ruleset | Atomic transactions |
| Debugging | Limited options | Built-in tracing via nftrace |
nftables uses a dynamic linked list for rulesets. This improves maintainability compared to the monolithic approach in iptables.
How to Install nftables
Recent distributions include nftables by default. Debian 10, Ubuntu 20.10, CentOS 8, and Fedora 32 ship with nftables pre-installed.
Prerequisites
Root or sudo access is required for installation and configuration. Verify your kernel version supports nftables:
$ uname -r
Kernel versions 3.13 and later include nftables support.
Installation Steps
Install nftables on Debian and Ubuntu:
# apt install nftables
Install on RHEL, CentOS, and Fedora:
# dnf install nftables
Enable and start the systemd service:
# systemctl enable nftables
# systemctl start nftables
Verify the service status:
# systemctl status nftables
How to Use nftables
nftables operations involve creating tables, adding chains, and defining rules. Each component serves a specific purpose in packet processing.
Tables
Tables act as containers for chains. Each table belongs to a single address family that determines which packet types it processes.
| Family | Description |
|---|---|
| ip | IPv4 packets (default) |
| ip6 | IPv6 packets |
| inet | Both IPv4 and IPv6 |
| arp | ARP packets |
| bridge | Bridge traffic |
| netdev | Ingress packets |
Create a table handling both IP protocol versions:
# nft add table inet my_table
List existing tables:
# nft list tables
Delete a table:
# nft delete table inet my_table
Flush all rules from a table:
# nft flush table inet my_table
Chains
Chains filter packets within tables. Base chains connect to netfilter hooks and receive packets from the network stack. Regular chains serve as jump targets for organization.
Create a base chain for incoming packets:
# nft add chain inet my_table input '{ type filter hook input priority 0; policy accept; }'
The hook determines when packets reach the chain. Common hooks include input, output, forward, prerouting, and postrouting.
Create a regular chain:
# nft add chain inet my_table custom_chain
Delete a chain:
# nft delete chain inet my_table input
Rules
Rules match packets and execute actions. Each rule contains expressions for matching criteria and statements for actions.
Add a rule permitting SSH traffic:
# nft add rule inet my_table input tcp dport 22 accept
Add a rule with packet counting:
# nft add rule inet my_table input tcp dport 443 counter accept
Insert a rule before an existing rule, identified by its handle (the position keyword takes a rule handle as shown by nft -a list, not an ordinal index):
# nft insert rule inet my_table input position 2 tcp dport 80 accept
List rules with handles for management:
# nft -a list table inet my_table
Delete a rule by handle:
# nft delete rule inet my_table input handle 5
Network Address Translation Setup
nftables supports masquerading and destination NAT. Create a NAT table and postrouting chain for source address translation.
Enable IP forwarding (writing to /proc takes effect immediately but does not survive a reboot; set net.ipv4.ip_forward = 1 in sysctl configuration to make it persistent):
# echo 1 > /proc/sys/net/ipv4/ip_forward
Create a NAT table with masquerading:
# nft add table inet nat
# nft add chain inet nat postrouting '{ type nat hook postrouting priority srcnat; }'
# nft add rule inet nat postrouting oifname "eth0" masquerade
Configure destination NAT for port forwarding. In the inet family the address family of the NAT target must be stated explicitly (dnat ip to or dnat ip6 to), because a tcp dport match alone does not tell nft whether the rule applies to IPv4 or IPv6:
# nft add chain inet nat prerouting '{ type nat hook prerouting priority dstnat; }'
# nft add rule inet nat prerouting tcp dport 8080 dnat ip to 192.168.1.100:80
Migrating from iptables
Translation tools convert existing iptables rules to nftables format. Export current rules with iptables-save:
# iptables-save > /root/iptables.rules
Translate the exported rules:
# iptables-restore-translate -f /root/iptables.rules > /etc/nftables/converted.nft
Import the converted ruleset:
# nft -f /etc/nftables/converted.nft
Saving and Restoring Rules
Export the current ruleset to a file:
# nft list ruleset > /etc/nftables/backup.nft
Restore rules from a backup:
# nft -f /etc/nftables/backup.nft
Clear all existing rules:
# nft flush ruleset
Configure persistent rules by editing /etc/nftables.conf (the Debian and Ubuntu path; Fedora and RHEL use /etc/sysconfig/nftables.conf). The nftables service loads this file at boot.
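As an added example that is not part of the original guide, the script below ties together the tables, chains and rules, NAT and persistence sections above: it writes a complete gateway ruleset as a single file in the form /etc/nftables.conf expects, with a default-drop input chain instead of the policy accept used in the walkthrough, and dry-run parses it with nft -c -f. The WAN interface eth0, the LAN subnet 192.168.1.0/24 and the forwarded web host 192.168.1.100 are assumed values.

```shell
# Added example, not from the original guide: generate a complete ruleset file
# and parse-check it. Interface, subnet and web host below are assumed values.
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_HOST="${WEB_HOST:-192.168.1.100}"
# Write the ruleset to the path given as $1.
write_ruleset() {
    cat > "$1" <<EOF
#!/usr/sbin/nft -f
# "flush ruleset" and everything below commit as one atomic transaction.
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        icmp type echo-request limit rate 5/second accept
        ip saddr $LAN_NET tcp dport 22 counter accept
        tcp dport { 80, 443 } counter accept
        counter log prefix "nft-input-drop: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname != "$WAN_IF" oifname "$WAN_IF" accept
    }
}
table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        iifname "$WAN_IF" tcp dport 8080 dnat ip to $WEB_HOST:80
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname "$WAN_IF" masquerade
    }
}
EOF
}
# Parse-check with "nft -c -f" (loads nothing) when nft is installed and we
# are root; otherwise fall back to a structural sanity check of the file.
check_ruleset() {
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        nft -c -f "$1"
    else
        grep -q '^flush ruleset$' "$1" && grep -q 'policy drop;' "$1"
    fi
}
```

Once the check passes, copy the file to /etc/nftables.conf and load it with nft -f so the whole ruleset is replaced atomically.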
FAQs
How do I block traffic from a specific IP address?
Add a drop rule with the source address: nft add rule inet my_table input ip saddr 192.168.1.50 drop. Create the table and input chain first if they do not exist.
What are the advantages of nftables over iptables?
nftables offers unified IPv4/IPv6 handling, multiple actions per rule, atomic updates, and improved performance. It uses a single tool instead of separate utilities for each protocol.
How do I view the current ruleset?
Run nft list ruleset to display all tables, chains, and rules. Add the -a flag to include rule handles for management operations.
Can nftables be used together with firewalld?
Yes. firewalld uses nftables as its default backend on modern distributions. Both tools manage the same kernel infrastructure, so use one of them to manage the ruleset rather than running conflicting configurations side by side.
How do I make nftables rules persistent?
Save rules to /etc/nftables.conf and enable the nftables systemd service. The service loads this configuration file automatically at system boot.