How to use nftables as a modern firewall

· Category: Linux

Short answer

nftables is the modern Linux firewall framework that replaces iptables with a unified syntax and better performance.

Steps

  1. Create a table:
     sudo nft add table inet filter
  2. Add a chain:
     sudo nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
  3. Add rules:
     sudo nft add rule inet filter input tcp dport 22 accept
  4. Save and restore:
     sudo nft list ruleset > /etc/nftables.conf
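The four steps above, written as one complete ruleset file that can be saved as /etc/nftables.conf and loaded in a single operation. This is an added example, not a file from the original article: it assumes an SSH-managed server, and the network 203.0.113.0/24 (an RFC 5737 documentation range) is a placeholder standing in for your admin network. It goes beyond the steps in two ways a drop policy needs: it accepts loopback and established/related traffic before anything else (otherwise return traffic for DNS, updates and the like is dropped), and it uses named sets, as the Tips section recommends, so one rule matches many addresses or ports.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the original page). 203.0.113.0/24 is a
# placeholder for the admin network; replace it before loading.

flush ruleset

table inet filter {
    # Named sets: one rule matches every element, and elements can be
    # added or removed at runtime without rewriting the rule.
    set admin_nets {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
    }

    set tcp_services {
        type inet_service
        elements = { 80, 443 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback must stay open or local services break.
        iif "lo" accept

        # Accept replies to connections this host opened, drop malformed
        # connection state. With policy drop, omitting this blocks all
        # return traffic (DNS answers, package downloads, ...).
        ct state established,related accept
        ct state invalid drop

        # ICMP and ICMPv6 are needed for path MTU discovery and IPv6
        # neighbour discovery; blocking them causes hard-to-debug stalls.
        meta l4proto { icmp, ipv6-icmp } accept

        # SSH only from the admin set; public web ports from anywhere.
        ip saddr @admin_nets tcp dport 22 accept
        tcp dport @tcp_services accept

        # Log what the drop policy discards (rate-limited) so that it is
        # visible in the kernel log instead of failing silently.
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the file before applying it with sudo nft -c -f /etc/nftables.conf (the -c flag parses the ruleset without loading it, which catches the syntax errors listed under Common issues), then load it with sudo nft -f /etc/nftables.conf; the leading flush ruleset makes the load idempotent. On distributions that ship the nftables service, systemctl enable nftables restores the file at boot. To confirm that no legacy iptables rules are competing with it, run iptables -V: a build that reports (nf_tables) writes into the same kernel ruleset and its tables will show up in nft list ruleset, whereas (legacy) means a second, independent rule engine is active.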

Tips

  • inet family handles both IPv4 and IPv6 in one table.
  • Use sets and maps for efficient rule matching.
  • Many distributions now default to nftables under the hood.

Common issues

  • Syntax errors in ruleset files prevent loading.
  • Conflicts with legacy iptables rules if both are active.