How to use the command nft (with examples)
- Linux
- December 25, 2023
The nft command allows users to configure the tables, chains, and rules provided by the Linux kernel firewall (nftables). It replaces the older iptables command and offers more flexibility and features for managing network traffic. This article illustrates various use cases of the nft command along with their corresponding code, motivation, explanation, and example output.
Use case 1: View current configuration
Code:
sudo nft list ruleset
Motivation:
This use case is helpful for users who want to quickly check the current configuration of their nftables. It provides a detailed overview of all the existing tables, chains, and rules.
Explanation:
The list subcommand is used to view the current configuration of nftables. The ruleset argument specifies that we want to see the entire ruleset.
Example output:
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
Use case 2: Add a new table with family “inet” and table “filter”
Code:
sudo nft add table inet filter
Motivation:
Creating a new table allows users to organize their rules in a structured manner. The “inet” family is commonly used for IPv4 and IPv6 networking.
Explanation:
The add table subcommand is used to create a new table. In this case, we are creating a table with the “inet” family and the table name “filter”.
Example output:
No output is generated upon successful execution of this command.
Use case 3: Add a new chain to accept all inbound traffic
Code:
sudo nft add chain inet filter input '{ type filter hook input priority 0 ; policy accept ; }'
Motivation:
By adding a new chain, users can define specific rules for handling incoming network traffic. In this case, we are creating a chain named “input” to accept all incoming traffic.
Explanation:
The add chain subcommand is used to create a new chain. Here, we are creating a chain named “input” with the filter type. The “hook input” specifies that this chain should be executed for inbound traffic. The “priority 0” indicates the order in which the chain is evaluated relative to other chains on the same hook. The “policy accept” sets the default action for this chain to accept all packets that no rule has decided on. The chain specification in braces must reach nft unchanged, so it is single-quoted on the shell command line; without the quotes the shell would treat the “;” as the end of the command.
Example output:
No output is generated upon successful execution of this command.
Use case 4: Add a new rule to accept several TCP ports
Code:
sudo nft add rule inet filter input tcp dport '{ telnet, ssh, http, https }' accept
Motivation:
This use case allows users to define rules for accepting incoming connections on specific TCP ports. It provides fine-grained control over network access.
Explanation:
The add rule subcommand is used to create a new rule. Here, we are creating a rule in the “input” chain of the “filter” table. The rule applies to TCP packets arriving at the destination port specified by the “dport” argument. The ports are listed in curly braces, separated by commas; they may be given as service names (which nft resolves to port numbers, here 23, 22, 80 and 443) or as numbers. The “accept” action allows the packets to pass through.
Example output:
No output is generated upon successful execution of this command.
Use case 5: Add a NAT rule to translate all traffic from the 192.168.0.0/24 subnet to the host’s public IP
Code:
sudo nft add rule nat postrouting ip saddr 192.168.0.0/24 masquerade
Motivation:
This example demonstrates how to set up network address translation (NAT) to masquerade private IP addresses from a specific subnet, allowing them to communicate with external networks using the host’s public IP. This is useful in scenarios where multiple devices in a local network need to access the internet using a single public IP.
Explanation:
The add rule subcommand is used to create a new rule. Here, we are creating a rule in the “postrouting” chain of the “nat” table. No family is given, so nft assumes the default “ip” (IPv4) family; the table “nat” and its “postrouting” chain (type nat, hook postrouting) must already exist. The rule applies to IP packets originating from the source address specified by the “saddr” argument, which is the 192.168.0.0/24 subnet. The “masquerade” action performs network address translation, replacing the source IP addresses of the packets with the public IP address of the host.
Example output:
No output is generated upon successful execution of this command.
Use case 6: Show rule handles
Code:
sudo nft --handle --numeric list chain family table chain
Motivation:
This use case allows users to view the handles of the rules in a specific chain. Handles are used to identify individual rules and can be useful for referencing or modifying them.
Explanation:
The --handle flag is used to show the handles of the rules. The --numeric flag prints addresses and ports as numbers instead of resolving them to host or service names, which is why the example output below shows 23, 22, 80 and 443 rather than telnet, ssh, http and https. The “family” argument specifies the network protocol family, such as “inet” for IPv4 and IPv6. The “table” argument specifies the table name, and the “chain” argument specifies the chain name.
Example output:
table ip filter {
    chain input {
        type filter hook input priority 0; policy accept;
        handle 3 tcp dport { 23, 22, 80, 443 } accept
    }
}
Use case 7: Delete a rule
Code:
sudo nft delete rule inet filter input handle 3
Motivation:
Deleting a rule allows users to remove specific rules from their nftables configuration. This can be useful for fine-tuning the firewall rules or correcting any misconfigurations.
Explanation:
The delete rule subcommand is used to remove a rule. Here, we are deleting a rule from the “input” chain of the “filter” table. The “handle” argument specifies the handle identifier of the rule that needs to be deleted.
Example output:
No output is generated upon successful execution of this command.
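Use cases 6 and 7 go together: you list a chain with --handle to find the handle, then delete by handle. The script below is an added example, not part of the original article: it reads the listing produced by nft --handle list chain (nft prints each rule's handle as a trailing “# handle N” comment), extracts the handles of the rules whose text matches a pattern, and prints the matching delete commands so they can be reviewed before being run. The listing embedded in the script is a constructed sample in that format; the family, table and chain names are the article's.

```shell
#!/bin/sh
# Added example (not from the original article). Constructed sample of the
# output of "nft --handle --numeric list chain inet filter input"; nft indents
# with tabs, the awk patterns below accept tabs or spaces.
SAMPLE_LISTING='table inet filter { # handle 1
    chain input { # handle 1
        type filter hook input priority 0; policy accept;
        tcp dport { 23, 22, 80, 443 } accept # handle 3
        tcp dport 23 accept # handle 7
        ip saddr 10.0.0.0/8 drop # handle 9
    }
}'

# rule_handles PATTERN: read a chain listing on stdin and print the handle of
# every rule whose text (the part before "# handle") matches the awk ERE in
# PATTERN. Table/chain headers and the "type ... hook ..." line are skipped so
# that a pattern such as "accept" cannot match the chain policy by accident.
rule_handles() {
    awk -v pat="$1" '
        /^[[:space:]]*(table|chain) / { next }
        /^[[:space:]]*type / { next }
        match($0, /# handle [0-9]+$/) {
            handle = substr($0, RSTART + 9, RLENGTH - 9)   # digits after "# handle "
            rule = substr($0, 1, RSTART - 1)               # the rule text itself
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", rule)
            if (rule ~ pat) print handle
        }'
}

# delete_commands FAMILY TABLE CHAIN PATTERN: turn the matching handles into
# "nft delete rule" commands (use case 7). The commands are only printed;
# review them, then pipe them into "sudo sh" to apply. Re-run the listing right
# before deleting, because handles are only meaningful for the current ruleset.
delete_commands() {
    family=$1; table=$2; chain=$3; pat=$4
    rule_handles "$pat" | while read -r h; do
        printf 'nft delete rule %s %s %s handle %s\n' "$family" "$table" "$chain" "$h"
    done
}

# Demonstration on the constructed sample: both rules that open TCP ports
# (handles 3 and 7) are found; the chain policy line is not.
printf '%s\n' "$SAMPLE_LISTING" | delete_commands inet filter input 'tcp dport'
```

On a live system replace the constructed listing with `sudo nft --handle --numeric list chain inet filter input | delete_commands inet filter input 'tcp dport 23'`; a pattern that is too broad will select more rules than intended, which is exactly why the commands are printed rather than executed.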
Use case 8: Save current configuration
Code:
sudo sh -c 'nft list ruleset > /etc/nftables.conf'
Motivation:
Saving the current configuration allows users to persist their nftables rules across reboots or system restarts. By saving the ruleset to a configuration file, users can easily restore their desired firewall configuration.
Explanation:
The list ruleset subcommand is used to display the current nftables configuration. The output is then redirected to a file using the > operator. Here, we are redirecting the output to the “/etc/nftables.conf” file, which is commonly used as the configuration file for nftables. Because the redirection is performed by the shell and not by nft, the file must be opened with root privileges as well: run the whole command line under sudo through sh -c (or pipe the output into sudo tee). A bare “sudo nft list ruleset > /etc/nftables.conf” typed in a non-root shell fails with “permission denied”, because only nft, not the redirection, runs as root.
Example output:
No output is generated upon successful execution of this command.
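Use cases 2 to 5 build the firewall one command at a time, and use case 8 saves the result as a file. The script below is an added example, not part of the original article or the nftables project: it renders that same configuration (the inet filter table from use cases 2 to 4 and the ip nat table from use case 5) as one nftables file in the format nft list ruleset produces, adds the “flush ruleset” line that a saved file needs so that reloading it with nft -f replaces the ruleset atomically instead of appending duplicate rules, and checks the file before it is installed. The path /etc/nftables.conf is assumed to be the distribution's default, and the nat chain priority of 100 is the conventional source-NAT priority; both are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): one file for the ruleset that
# use cases 2-5 assemble command by command. The "ip nat" table is what
# "nft add rule nat postrouting ..." without a family refers to.

# render_ruleset [LAN_SUBNET]: print the ruleset text (default subnet is the
# article's 192.168.0.0/24). "flush ruleset" makes "nft -f FILE" idempotent.
render_ruleset() {
    lan=${1:-192.168.0.0/24}
    cat <<EOF
#!/usr/sbin/nft -f
# generated by render_ruleset; load with: nft -f FILE
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport { telnet, ssh, http, https } accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        ip saddr $lan masquerade
    }
}
EOF
}

# check_ruleset_file FILE: offline sanity checks that need neither root nor
# the nft binary: the file must flush before it defines anything, and the
# braces must balance (a truncated save is the usual way a file breaks).
check_ruleset_file() {
    f=$1
    grep -q '^flush ruleset$' "$f" || return 1
    opens=$(tr -cd '{' < "$f" | wc -c | tr -d ' ')
    closes=$(tr -cd '}' < "$f" | wc -c | tr -d ' ')
    [ "$opens" -eq "$closes" ]
}

# install_ruleset SRC [DEST]: must run as root. "nft -c -f" parses and
# evaluates the file without committing it, so a typo is caught before the
# working firewall is replaced. Because this function writes the file itself,
# the "sudo ... > /etc/..." redirection pitfall from use case 8 does not arise.
install_ruleset() {
    src=$1; dest=${2:-/etc/nftables.conf}
    check_ruleset_file "$src" || return 1
    nft -c -f "$src" || return 1
    cp "$src" "$dest"
}

# Demonstration (no root needed): render to a temporary file and check it.
demo=$(mktemp) && render_ruleset > "$demo" && check_ruleset_file "$demo" && \
    echo "ruleset rendered and checked: $demo"
```

To put it into service, run `sudo sh -c '. ./ruleset.sh; install_ruleset "$demo"'` or simply `sudo nft -f FILE`, and enable the distribution's nftables service so the file is loaded at boot.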
Conclusion:
The nft command provides a powerful and flexible way to configure and manage the Linux kernel firewall. With the examples provided in this article, users can understand the different use cases of the nft command and how to apply them in their own networking environments. Whether it is viewing the current configuration, adding new tables and chains, defining rules, or saving the configuration, the nft command offers a comprehensive set of features for firewall management.