How to Use the Command 'nft' (with Examples)
- Linux
- December 17, 2024
Nftables is a subsystem of the Linux kernel that provides powerful tools for network packet filtering. It replaces the older iptables and offers a more unified and structured framework to manage firewall rules. Nftables allows users to configure tables, chains, and rules efficiently, acting as a central component for network security on Linux systems.
View Current Configuration
Code:
sudo nft list ruleset
Motivation:
When working with network security and firewalls, it’s essential to know the current configuration of your network ruleset. This command helps administrators quickly audit and review all existing firewall rules, providing a snapshot of the current security standing of the system.
Explanation:
sudo: This ensures that the command runs with elevated privileges, as changing or viewing firewall rules typically requires root access.
nft: The command-line tool used to configure Linux kernel firewall rules.
list ruleset: This option lists all currently applied nftables rules across all tables and chains in detail.
Example Output:
Listing the current ruleset may output a structured view of tables, chains, and rules, such as:
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport { 22, 80, 443 } accept
    }
}
Add a New Table with Family “inet” and Table “filter”
Code:
sudo nft add table inet filter
Motivation:
Creating a new table is the foundational step in setting up nftables, as tables act as containers for chains and rules. Specifying the “inet” family allows handling both IPv4 and IPv6 traffic seamlessly within the same set of rules.
Explanation:
sudo: Ensures the command is executed with root privileges.
nft add table: The command to add a new table within the nftables framework.
inet: The Internet address family, which simplifies rule management by unifying IPv4 and IPv6.
filter: An arbitrary name for the table where the filtering rules will be placed.
Example Output:
No output is returned, but the table is created, allowing further rule configuration.
Add a New Chain to Accept All Inbound Traffic
Code:
sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'
Motivation:
Blocking or allowing traffic through chains is fundamental to securing a network. This example sets up a basic chain that processes inbound packets, setting the stage for specific rules that filter or allow traffic.
Explanation:
sudo: Grants the necessary permissions for making changes to nftables.
nft add chain: Adds a new chain to the specified table.
inet filter input: Specifies the family and table, with a chain named ‘input’ for incoming packets.
type filter hook input priority 0: Defines it as a filtering chain attached to the ‘input’ hook with the default processing priority. The braces and semicolons of this block must be quoted or escaped so that the shell passes them to nft unchanged instead of treating ‘;’ as a command separator.
policy accept: Sets the chain’s default policy to accept packets unless a rule explicitly filters them otherwise. Note that with an accept policy, later ‘accept’ rules change nothing; a deny-by-default chain uses ‘policy drop’ and then accepts only the wanted traffic.
Example Output:
Creating a chain typically does not produce output, but it becomes part of the ruleset for future operations.
Add a New Rule to Accept Several TCP Ports
Code:
sudo nft add rule inet filter input 'tcp dport { telnet, ssh, http, https } accept'
Motivation:
Managing traffic to specific services is crucial for security and functionality. By explicitly allowing traffic to known and expected services like SSH and HTTP, network administrators can control and secure access while letting through essential protocols.
Explanation:
sudo: Executes the command with the needed elevated rights.
nft add rule: Adds a rule to an existing chain in the nftables framework.
inet filter input: Targets the previously configured table and chain for inbound traffic.
tcp dport { telnet, ssh, http, https }: Specifies a set of TCP destination ports to accept; nft resolves the service names telnet, SSH, HTTP, and HTTPS to their port numbers. Telnet carries credentials in cleartext, so include it only if that service is genuinely in use.
accept: The action to perform when the condition is met, here to allow the traffic through.
Example Output:
No output is generated, but the rule becomes active within the specified chain.
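The table, chain and rule steps above can also be written as one file that nft -f applies atomically. The script below is an added example, not part of the original page: it generates such a file, switches the chain to a deny-by-default policy (policy drop, with loopback and established connections accepted, which the accept-policy chain above does not need), and offers an nft -c -f syntax check before loading. The port list and the output path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: build the "inet filter" table,
# its input chain and the port-allow rule from the sections above as one
# nftables script, so `nft -f` applies them atomically. Assumptions: the
# allowed ports and the output path are chosen by the caller.

# Ports to allow inbound; constructed default, override via the environment.
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22, 80, 443}"

# Print a complete ruleset. Two differences from the interactive `nft add`
# steps: it starts with `flush ruleset`, so re-applying never duplicates
# rules, and the chain is deny-by-default (policy drop) with loopback and
# established/related traffic accepted, so the port rule actually matters.
build_ruleset() {
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        tcp dport { ${ALLOWED_TCP_PORTS} } accept
    }
}
EOF
}

# Write the ruleset to FILE; returns non-zero if the file cannot be written.
write_ruleset() {
    build_ruleset > "$1"
}

# Parse FILE with `nft -c -f` (check mode: the kernel ruleset is not changed).
# Needs root like the other nft invocations on this page.
check_ruleset() {
    nft -c -f "$1"
}

# Usage (as root):
#   write_ruleset /tmp/filter.nft && check_ruleset /tmp/filter.nft && nft -f /tmp/filter.nft
```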
Add a NAT Rule to Translate Traffic
Code:
sudo nft add rule nat postrouting ip saddr 192.168.0.0/24 masquerade
Motivation:
Network Address Translation (NAT) allows private IP addresses within a subnet to be translated into a publicly routable IP, crucial for conserving public IP addresses and enabling devices within a private network to access external networks.
Explanation:
sudo: Executes the command as the superuser.
nft add rule: Instructs nftables to add a new rule.
nat postrouting: The table named ‘nat’ and its chain named ‘postrouting’; with no family given, nft assumes the ‘ip’ (IPv4) family. Both must already exist, and the chain must have been created with type nat and the postrouting hook, so that it handles outgoing packets after routing.
ip saddr 192.168.0.0/24: Matches packets whose source IP is in the specified private range.
masquerade: Dynamically rewrites the source address to the address of the interface the packet leaves through.
Example Output:
While there’s no printed output, the rule effectively translates specified network traffic, as monitored by packet inspection tools.
Show Rule Handles
Code:
sudo nft --handle --numeric list chain family table chain
Motivation:
Every rule in nftables comes with a handle - an identifier that makes rules easier to manage, especially when dealing with complex systems. It simplifies editing or deleting rules, allowing administrators to pinpoint specific rules quickly.
Explanation:
sudo: Grants the necessary administrative permissions.
nft --handle: Requests that handle identifiers be included in the rule listing.
--numeric: Ensures that network addresses and ports are displayed in numeric form rather than as names.
list chain family table chain: Outputs the rules of one chain; ‘family’, ‘table’ and ‘chain’ are placeholders for the actual address family, table name and chain name (for the examples above: inet filter input).
Example Output:
The command lists out rules with their handles. A typical output might look as follows:
chain input { # handle 5
    type filter hook input priority 0; policy accept;
    tcp dport { 22, 23, 80, 443 } accept # handle 7
}
Delete a Rule
Code:
sudo nft delete rule inet filter input handle 3
Motivation:
Removing rules is necessary when configurations are tested and rolled back, or when cleaning up obsolete rules. Utilizing rule handles provides an accurate and efficient way to make deletions without needing to match rule specifications verbatim.
Explanation:
sudo: Runs the command with superuser privileges.
nft delete rule: Deletes a specific rule.
inet filter input: Specifies the table and chain from which to remove the rule.
handle 3: Identifies the exact rule to delete by its unique handle number.
Example Output:
The rule with handle ‘3’ in the specified chain and table is removed silently with no output.
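Deleting by handle first requires finding the handle in the listing. The helper below is an added example, not part of the original page: it extracts the handle of the rule whose text matches a given string from nft --handle --numeric list chain output and builds the matching delete command. The listing it parses is a constructed sample, and the family, table and chain names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: look up a rule handle in
# `nft --handle --numeric list chain ...` output and build the matching
# `nft delete rule ... handle N` command. The listing is a constructed
# sample, not captured from a real system.

SAMPLE_LISTING='table inet filter { # handle 1
    chain input { # handle 5
        type filter hook input priority 0; policy accept;
        tcp dport { 22, 23, 80, 443 } accept # handle 7
        tcp dport 23 drop # handle 9
    }
}'

# rule_handle LISTING PATTERN: print the handle of the first rule line
# containing PATTERN (a fixed string). Table and chain header lines also
# carry a handle comment but end in "{ # handle N", so they are skipped.
rule_handle() {
    printf '%s\n' "$1" | grep -F -- "$2" | grep -v '{ # handle' \
        | sed -n 's/.*# handle \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# delete_cmd FAMILY TABLE CHAIN LISTING PATTERN: print the delete command
# for the matching rule, or fail (non-zero) if no rule matches, so that a
# caller never runs a delete with an empty handle.
delete_cmd() {
    h=$(rule_handle "$4" "$5")
    [ -n "$h" ] || return 1
    printf 'nft delete rule %s %s %s handle %s\n' "$1" "$2" "$3" "$h"
}

# Usage (as root), replacing the sample with live output:
#   delete_cmd inet filter input "$(nft --handle --numeric list chain inet filter input)" 'tcp dport 23 drop'
```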
Save Current Configuration
Code:
sudo sh -c 'nft list ruleset > /etc/nftables.conf'
Motivation:
Preserving the current configuration is critical for disaster recovery and configuration management. By storing the configuration in a file, administrators can ensure that the rules persist through reboots and are easily replicable on other systems.
Explanation:
sudo: Runs the command with root access.
nft list ruleset: Outputs all defined nftables rules.
>: A redirection operator that writes the output into the specified file. Because /etc is writable only by root, the redirection itself must run with root privileges, not just the nft command; otherwise the shell fails with a permission error before nft runs.
/etc/nftables.conf: The target path for storing the ruleset, typically loaded by the nftables startup service. Note that ‘nft list ruleset’ does not emit a leading ‘flush ruleset’ line, so loading the saved file with ‘nft -f’ on top of an existing ruleset adds a second copy of every rule rather than replacing them.
Example Output:
No output is directly shown; however, the ruleset file is populated with the current configuration, as observed by viewing the contents of /etc/nftables.conf.
Conclusion:
This article has provided a comprehensive overview of nftables with practical use cases, demonstrating essential command applications from listing rules to managing NAT configurations. Understanding these commands empowers system administrators to effectively manage and secure Linux-based network environments. Nftables, with its added efficiency and structured approach, represents a modern evolution of Linux firewall utilities.