How to use the command nft (with examples)

The nft command allows users to configure tables, chains, and rules provided by the Linux kernel firewall. It replaces the older iptables command and offers more flexibility and features for managing network traffic. This article will illustrate various use cases of the nft command along with their corresponding code, motivation, explanation, and example output.

Use case 1: View current configuration

Code:

sudo nft list ruleset

Motivation:

This use case is helpful for users who want to quickly check the current configuration of their nftables. It provides a detailed overview of all the existing tables, chains, and rules.

Explanation:

The list subcommand is used to view the current configuration of nftables. The ruleset argument specifies that we want to see the entire ruleset.

Example output:

table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

Use case 2: Add a new table with family “inet” and table “filter”

Code:

sudo nft add table inet filter

Motivation:

Creating a new table allows users to organize their rules in a structured manner. The “inet” family handles both IPv4 and IPv6 traffic in a single table, so rules do not have to be duplicated for the two protocols.

Explanation:

The add table subcommand is used to create a new table. In this case, we are creating a table with the “inet” family and the table name “filter”.

Example output:

No output is generated upon successful execution of this command.

Use case 3: Add a new chain to accept all inbound traffic

Code:

sudo nft add chain inet filter input '{ type filter hook input priority 0 ; policy accept ; }'

Motivation:

By adding a new chain, users can define specific rules for handling incoming network traffic. In this case, we are creating a chain named “input” to accept all incoming traffic.

Explanation:

The add chain subcommand creates a new chain. Here, we are creating a chain named “input” of type filter in the “inet filter” table. “hook input” attaches the chain to the input hook, so it sees packets addressed to the local host. “priority 0” sets the order in which this chain is evaluated relative to other chains on the same hook (lower values run first). “policy accept” sets the default verdict for packets that match no rule in the chain to accept. The braces and semicolons are quoted so that the shell passes them to nft unchanged instead of treating the semicolon as a command separator.

Example output:

No output is generated upon successful execution of this command.

Use case 4: Add a new rule to accept several TCP ports

Code:

sudo nft add rule inet filter input tcp dport '{ telnet, ssh, http, https }' accept

Motivation:

This use case allows users to define rules for accepting incoming connections on specific TCP ports. It provides fine-grained control over network access.

Explanation:

The add rule subcommand creates a new rule. Here, we are appending a rule to the “input” chain of the “filter” table. The rule matches TCP packets whose destination port (“dport”) is one of the entries in the curly-brace set; the entries may be service names, which nft resolves to port numbers via /etc/services (telnet is 23, ssh is 22, http is 80, https is 443), or plain numbers. The “accept” verdict lets matching packets pass. Because the chain's default policy is already accept (use case 3), this rule only makes a difference once the chain policy is changed to drop. The set is quoted so that the shell does not interpret the braces.

Example output:

No output is generated upon successful execution of this command.

Use case 5: Add a NAT rule to translate all traffic from the 192.168.0.0/24 subnet to the host’s public IP

Code:

sudo nft add rule nat postrouting ip saddr 192.168.0.0/24 masquerade

Motivation:

This example demonstrates how to set up network address translation (NAT) to masquerade private IP addresses from a specific subnet, allowing them to communicate with external networks using the host’s public IP. This is useful in scenarios where multiple devices in a local network need to access the internet using a single public IP.

Explanation:

The add rule subcommand creates a new rule. Here, we are creating a rule in the “postrouting” chain of the “nat” table. Because no address family is given, nft looks for the table in the default “ip” (IPv4) family, so a table named “nat” with a chain named “postrouting” of type nat hook postrouting must already exist. The rule applies to IP packets whose source address (“saddr”) lies in the 192.168.0.0/24 subnet. The “masquerade” action performs source network address translation, replacing the source IP address of each packet with the address of the interface the packet leaves through, i.e. the host's public IP.

Example output:

No output is generated upon successful execution of this command.

Use case 6: Show rule handles

Code:

sudo nft --handle --numeric list chain family table chain

Motivation:

This use case allows users to view the handles of the rules in a specific chain. Handles are used to identify individual rules and can be useful for referencing or modifying them.

Explanation:

The --handle flag makes nft print each rule's handle alongside the rule. The --numeric flag prints ports, addresses and protocols as numbers rather than resolving them to names, which is why the output below shows 23, 22, 80, 443 instead of telnet, ssh, http, https. The last three words are placeholders: “family” is the address family (such as “inet” for IPv4 and IPv6), “table” is the table name and “chain” is the chain name; for the chain created above that would be inet, filter and input. Handles are assigned by the kernel when a rule is added and change when the ruleset is reloaded, so look them up immediately before using them.

Example output:

table ip filter {
    chain input {
        type filter hook input priority 0; policy accept;
        handle 3 tcp dport { 23, 22, 80, 443 } accept
    }
}

Use case 7: Delete a rule

Code:

sudo nft delete rule inet filter input handle 3

Motivation:

Deleting a rule allows users to remove specific rules from their nftables configuration. This can be useful for fine-tuning the firewall rules or correcting any misconfigurations.

Explanation:

The delete rule subcommand is used to remove a rule. Here, we are deleting a rule from the “input” chain of the “filter” table. The “handle” argument specifies the handle identifier of the rule that needs to be deleted.

Example output:

No output is generated upon successful execution of this command.
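Use cases 6 and 7 together: look up the handle of a rule from the listing, then build the matching delete command. This is an added example, not code from the original article; the listing is constructed sample output in the format real nft prints (the handle follows each rule as a `# handle N` comment, unlike the simplified output shown above), and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `nft --handle --numeric list chain inet filter input`
# output. Real nft prints the handle as a trailing "# handle N" comment.
SAMPLE_LISTING='table inet filter {
	chain input { # handle 1
		type filter hook input priority 0; policy accept;
		tcp dport { 23, 22, 80, 443 } accept # handle 3
		tcp dport 8080 accept # handle 5
	}
}'

# Print the handle of every rule whose text matches PATTERN (an awk regex).
# Chain header lines are skipped so a chain handle is never mistaken for a rule.
rule_handles() {
    listing=$1; pattern=$2
    printf '%s\n' "$listing" | awk -v pat="$pattern" '
        /^[ \t]*chain / { next }                 # chain header, not a rule
        $0 ~ pat && match($0, /# handle [0-9]+/) {
            print substr($0, RSTART + 9, RLENGTH - 9)   # digits after "# handle "
        }'
}

# Build the use case 7 delete command for each rule matching PATTERN.
# The commands are only printed; run them after reviewing the output.
delete_commands() {
    rule_handles "$1" "$2" | while read -r h; do
        printf 'nft delete rule inet filter input handle %s\n' "$h"
    done
}

# Example run against the constructed listing: the 8080 rule has handle 5.
delete_commands "$SAMPLE_LISTING" 'dport 8080'
```

Against a live system, replace SAMPLE_LISTING with the output of the use case 6 command and pipe the printed commands into sudo sh once you have checked them.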

Use case 8: Save current configuration

Code:

sudo sh -c 'nft list ruleset > /etc/nftables.conf'

Motivation:

Saving the current configuration allows users to persist their nftables rules across reboots or system restarts. By saving the ruleset to a configuration file, users can easily restore their desired firewall configuration.

Explanation:

The list ruleset subcommand prints the current configuration in a form that nft can read back. The output is redirected to “/etc/nftables.conf”, the file that the nftables service loads at boot. The redirection happens inside a root shell (sh -c under sudo) because a plain “sudo nft list ruleset > /etc/nftables.conf” would run nft as root but leave the unprivileged shell to open the file, which fails with permission denied. The saved file contains only the tables, chains and rules; when it is loaded with nft -f on a system that already has a ruleset, its contents are added to what is there rather than replacing it, so put a “flush ruleset” line at the top of the file if a reload should start from a clean state.

Example output:

No output is generated upon successful execution of this command.

Conclusion:

The nft command provides a powerful and flexible way to configure and manage the Linux kernel firewall. With the examples provided in this article, users can understand the different use cases of the nft command and how to apply them in their own networking environments. Whether it is viewing the current configuration, adding new tables and chains, defining rules, or saving the configuration, the nft command offers a comprehensive set of features for firewall management.
