Linux Tactic

Master Network Security with Nftables: The Must-Know Tool for System Administrators

Introduction to Nftables

As networks and security threats continue to become more complex, it is becoming increasingly important to have a reliable and configurable firewall. Although iptables has been the go-to firewall for Linux distributions for many years, the new nftables is gaining ground as a solid replacement.

Nftables is a Linux firewall, which provides extended functionality and improved efficiency over its predecessor. In this tutorial, we will explore how to create nftable rules and apply them to create a secure firewall.

This guide is intended for experienced and new Linux users looking to learn how to create nftables firewall rules.

Getting Started with Nftables

Creating a new file for Nftables rules

Before we begin, let’s create a new file to store your nftable rules. You can use any text editor like nano or vi, and run the sudo command to edit the file as a superuser.

Example of a simple, restrictive firewall

A restrictive firewall is one that blocks all incoming traffic except for a few allowed ports. For example, our firewall might allow incoming traffic on ports 80 and 443.

To create this rule, use the following syntax:

nft add rule IP filter input tcp dport {80, 443} accept

Defining local network and port group variables

We can use a variable to define the local network or allowed ports to make our code more manageable. For example:

define LocalNetwork = {}

define AllowPorts = {80, 443}

Working with tables and base chains

Nftables uses tables and base chains to handle different types of traffic. A table groups a set of related rules together, and each table can contain different chains.

A base chain is a pre-defined chain in the nftables kernel that allows packets to be filtered and manipulated before being sent out of the firewall.

Here’s an example of a table that is meant to be restrictive in nature:

table filter {

chain Restrictive {

type filter hook input priority 0; policy drop;

chain Incoming {

type filter hook input priority 0;

iifname lo accept

tcp dport @AllowPorts accept

udp dport @AllowPorts accept



chain Forward {

type filter hook forward priority 0; policy drop;



chain Redirect {

type nat hook prerouting priority 0;



chain Outgoing {

type filter hook output priority 0;

oifname lo accept





Allowing loopback traffic

In our example, we allow loopback traffic on the Incoming and Outgoing chains. This is important as it allows processes running on the same machine to communicate with each other.

Allowing TCP and UDP traffic through specific ports

We also allow traffic through specific TCP and UDP ports using the @AllowPorts variable we defined earlier. In our example, we allowed traffic on ports 80 and 443.


Nftables is a powerful tool for creating firewalls on Linux systems. With the ability to define restrictions and variables, you can configure your firewall to your specific needs.

This guide should have given you enough knowledge to get started writing your own nftables rules and apply them to create a secure firewall. Remember, nftables is meant to be an iptables replacement, so consider trying it out on your machines.

Benefits of using Nftables over Iptables

One of the primary benefits of using nftables is its user-friendliness. Nftables rules are written in a simpler and more user-friendly syntax, making it easier to read, write, and update the firewall configurations.

Nftables also has the ability to combine multiple rules into a single statement, meaning that it is far more efficient and faster than iptables, which has to execute rules step-by-step.

In addition, nftables provides superior filtering mechanisms, allowing users to develop and implement finer-grained filtering policies to improve their network security.

This means that you can limit access to specific hosts, ports, protocols or even the operating system to reduce your attack surface. Nftables is also capable of working with connection tracking, which allows for the filtering of packets based on various flow characteristics, such as TCP connections.

Importance of knowing Nftables for professional users

Learning how to use nftables is essential for any system administrator who is responsible for implementing and securing a network environment. As system administrators have the responsibility of designing, maintaining, and protecting networks, it is important to be familiar with the latest firewall systems, such as nftables.

Moreover, nftables is rapidly gaining in popularity, especially due to its compatibility with iptables. This means that knowing how to use nftables can give system administrators an edge in their field, leading to better job opportunities and improved professional growth.

Nftables offers a significant advantage over iptables, as it improves the overall filtering mechanisms, reduces packet processing times, and provides better security options. By being aware of nftables, system administrators can introduce advanced filtering features into their network systems and, at the same time, improve security.

Iptables-nftables-compat tool

As an iptables user, you may not want to make the change immediately to nftables. You may have already set up your iptables to work in a particular way, and it may not be convenient for you to make a transition.

Fortunately, there is a tool for that.

The iptables-nftables-compat tool helps ensure that iptables and nftables coexist.

It provides a translation layer, allowing for iptables syntax to be converted into nftables syntax, allowing them to work together. This means that users who are already familiar with iptables can still make use of their existing rules and policies while gradually exploring the features of nftables.


Nftables is a powerful tool for system administrators looking to implement and secure a network. With its user-friendly syntax and advanced filtering mechanisms, nftables has emerged as a worthy successor to iptables.

By incorporating finer-grained filtering policies, network administrators can improve the security of their networks. Nftables has rapidly become a must-know tool for system administrators, as it provides a significant advantage over its predecessors.

With the help of the iptables-nftables-compat tool, you can make a seamless transition to nftables without disrupting your existing firewall rules and policies. It is clear that knowing how to use nftables can benefit professionals looking to boost their careers and enhance their skills.

In conclusion, nftables is a powerful tool that offers significant advantages over its predecessor, iptables. With user-friendly syntax, advanced filtering mechanisms, and the ability to coexist with iptables using the iptables-nftables-compat tool, nftables is a must-know tool for any system administrator looking to implement and secure a network.

Improved filtering policies, better security options, and faster packet processing times make nftables an essential tool for network security professionals. By learning nftables, professionals can enhance their skills and improve their career prospects.

It is clear that nftables is an essential tool for anyone looking to secure their networks against modern-day threats.

Popular Posts