search

nftables

hashtag
Notes

hashtag
Examples

sudo nft add table ip <RULE_NAME>

sudo nft add chain ip <RULE_NAME> FILTER { type filter hook input priority 0 \; policy accept \; }

sudo nft add rule ip <RULE_NAME> FILTER tcp sport {ssh, telnet, 3389, 6010-6050} ct state {new, established} accept

sudo nft list ruleset

sudo nft add chain ip <RULE_NAME> FILTER1 { type filter hook output priority 0 \; policy accept \; }

sudo nft list ruleset

sudo nft add rule ip <RULE_NAME> FILTER1 tcp sport {ssh, telnet, 3389, 6010-6050} ct state {new, established} accept

sudo nft add rule ip <RULE_NAME> FILTER tcp dport {ssh, telnet, 3389, 6010-6050} ct state {new, established} accept

sudo nft add rule ip <RULE_NAME> FILTER1 tcp dport {ssh, telnet, 3389, 6010-6050} ct state {new, established} accept

hashtag
NFTable Families

ip - IPv4 packets

ip6 - IPv6 packets

inet - IPv4 and IPv6 packets

arp - layer 2

bridge - processing traffic/packets traversing bridges.

netdev - allows for user classification of packets - nftables passes up to the networking stack (no counterpart in iptables)

There are three chain types:

filter - to filter packets - can be used with arp, bridge, ip, ip6, and inet families

route - to reroute packets - can be used with ip and ipv6 families only

nat - used for Network Address Translation - used with ip and ip6 table families only

hashtag
CREATION OF HOOKS

PREROUTING

POSTROUTING

INPUT

OUTPUT

FORWARD

INGRESS - used with NETDEV family only

hashtag
1. CREATE THE TABLE

nft add table [family] [table]

[family]

Represents the network protocol family such as ip, ip6, inet, arp, bridge, and netdev.

[table]

Denotes a user-provided name for the table.

hashtag
2. CREATE THE BASE CHAIN

nft add chain [family] [table] [chain] { type [type] hook [hook] priority [priority] ; policy [policy] ;}

[chain]

User-defined name for the chain.

[type]

Represents the type of chain, which can be filter, route, or nat.

[hook]

Specifies the hook at which the chain should be activated, such as prerouting, ingress, input, forward, output, or postrouting.

[priority]

User-provided integer representing the priority of the rule. Lower number indicates higher priority. Default is 0. Use "--" before negative numbers.

; [policy] ;

Used to set the policy for the chain, which can be accept (default) or drop.

Use "" to escape the ";" in bash

hashtag
3. CREATE A RULE IN THE CHAIN

nft add rule [family] [table] [chain] [matches (matches)] [statement]

[matches]

Typically represents protocol headers (e.g., ip, ip6, tcp, udp, icmp, ether, etc.).

(matches)

Refers to specific matches within the [matches] field.

[statement]

Specifies the action performed when a packet is matched. Examples include log, accept, drop, reject, counter, nat (dnat, snat, masquerade).

hashtag
MODIFY NFTABLES

Adds after position

Inserts before position

Replaces rule at handle

Deletes rule at handle

hashtag
Save/Load nftables

Save the nftables rules:

Load the saved nftables configuration using the nft command:

hashtag
Filter for SSH Traffic (Example)

hashtag
Rules

Host A:

Host B:

Host A:

Host B:

Host A:

Host B:

Host A:

Host B:

hashtag
NAT, PAT, and NAT Port Forwarding (Examples)

Enable IP Forwarding:

1-to-1 NAT (for the servers if you have extra IP's)

PAT (for the clients)

Port Forward (for the servers if you don't have extra IP's)

PreviousFilter for SSH Traffic (Example)NextPacket Capture

Last updated