nftables explained conceptually

Topic: Networking basics

Summary

nftables is the modern Linux packet filter: tables, chains, and rules in one syntax for IPv4 and IPv6. It replaces iptables, and the iptables-translate tools convert existing iptables rules to nft syntax. Learn the model (table, chain, rule) and how to read nft list ruleset so you can verify rules and migrate. Use this when configuring or debugging nftables or when moving from iptables.

Intent: How-to

Quick answer

  • Tables contain chains; a base chain has a type (filter, nat, route) and a hook (prerouting, input, forward, output, postrouting), and rules in a chain have match expressions followed by a verdict (accept, drop, reject). Syntax: nft add table inet filter; nft add chain inet filter input '{ type filter hook input priority 0; policy drop; }'; nft add rule inet filter input tcp dport 22 accept. Quote the braces and semicolons when typing the chain definition into a shell, or the shell interprets them before nft sees them.
  • One tool for IPv4 and IPv6 (the inet family). Rules in a chain are evaluated in order; the first matching rule with a verdict decides the packet, while rules that only count or log let evaluation continue. nft add rule appends to the end of the chain and nft insert rule prepends, which matters once a catch-all drop is in place. Use nft list ruleset to see the full config; persist by writing it to a file that begins with flush ruleset and loading that file at boot.
  • Prefer nftables for new host firewalls when not using UFW (UFW manages its own iptables rules, which on current distributions land in nftables through iptables-nft, and mixing them with hand-written nft rules is hard to reason about). With policy drop on input, allow loopback (iif lo accept), established/related, ICMP and ICMPv6, and only then the specific ports: forgetting ICMPv6 breaks IPv6 neighbour discovery, and forgetting loopback breaks services that talk to themselves over 127.0.0.1 or ::1.

Prerequisites

Steps

  1. Understand table and chain

    Table: a namespace identified by family and name (e.g. inet filter). Families are ip (IPv4), ip6 (IPv6), inet (both), arp, bridge and netdev. Chain: belongs to a table. A base chain has a type (filter, nat, route), a hook (prerouting, input, forward, output, postrouting), a priority and a policy; a chain without a hook is only reached by jump or goto from another chain. Priority orders the base chains registered on the same hook (lower runs first); a packet dropped in one is gone, but a packet accepted in one is still evaluated by the remaining base chains on that hook, so "accept" in your table does not override a drop in another table. Policy (accept/drop) applies when no rule in the base chain gives a verdict. Example: the inet filter input chain for inbound IPv4/IPv6.

  2. Understand rule syntax

    Rule: one or more match expressions (e.g. ip saddr 10.0.0.0/8, tcp dport 22, ct state established,related) followed by statements; a verdict (accept, drop, reject) ends evaluation for that packet, while counter or log does not. Order matters: nft add rule appends, so add the accept rules before the catch-all drop, or use nft insert rule to put a rule at the top of the chain. nft add rule inet filter input ct state established,related accept; nft add rule inet filter input tcp dport 22 accept; nft add rule inet filter input drop. The final drop is redundant when the chain policy is already drop; with policy accept it is the rule that actually blocks traffic.

  3. List and persist

    nft list ruleset shows all tables, chains, and rules. To persist: nft list ruleset > /etc/nftables.conf, then put #!/usr/sbin/nft -f on the first line and flush ruleset before the first table, because the listing contains neither and loading it a second time without the flush duplicates every rule. Check a file before loading it with nft -c -f /etc/nftables.conf (parse and dry-run, no change to the live ruleset). At boot, Debian and Ubuntu load /etc/nftables.conf from nftables.service (systemctl enable nftables); Fedora and RHEL use /etc/sysconfig/nftables.conf; elsewhere use an init script that runs nft -f /etc/nftables.conf.

  4. Relate to iptables

    nftables replaces iptables. iptables-translate converts a single iptables rule to nft syntax and iptables-restore-translate converts a whole iptables-save dump; matches and targets without a translation must be rewritten by hand. Most distributions now ship iptables as iptables-nft, which accepts iptables syntax but creates nftables tables underneath, so they show up in nft list ruleset. Concepts carry over (tables, chains, ordering, conntrack state), but nftables has no built-in tables or chains: you create every one of them, and the syntax is different and more consistent.
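The four steps above (and the Step 1 to Step 4 list later on this page) fit into one file. The script below is an added example, not code from the original page: it writes a complete inet host-firewall ruleset of the kind described (policy drop on input, loopback, established/related, ICMP and ICMPv6, then the allowed TCP ports, with flush ruleset at the top so reloading is idempotent), checks it with nft -c if nft is present, and prints the command to load it. The output path, the function names and the port list 22/443 are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original page: a complete host-firewall ruleset
# of the shape Steps 1-4 describe, written as an nft script file, syntax-checked,
# and ready to load.  The file location, the function names and the port list are
# this example's own choices (assumptions), not anything the page prescribes.
set -eu

# write_ruleset FILE PORT... : write a ruleset for an inet (IPv4+IPv6) table whose
# input chain drops by policy and explicitly allows loopback, replies to our own
# traffic, ICMP/ICMPv6, and new connections to the given TCP ports.
write_ruleset() {
  file="$1"; shift
  [ $# -gt 0 ] || { echo "usage: write_ruleset FILE PORT..." >&2; return 1; }
  ports=$(printf '%s, ' "$@"); ports="${ports%, }"      # e.g. "22, 443"
  cat > "$file" <<EOF
#!/usr/sbin/nft -f
# Flush first so that loading this file twice does not duplicate every rule.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept                            # local services talk over loopback
        ct state invalid drop                      # packets conntrack cannot place
        ct state established,related accept        # replies to connections we opened
        ip protocol icmp accept                    # IPv4 ICMP (ping, PMTU, errors)
        meta l4proto ipv6-icmp accept              # IPv6 does not work without ICMPv6 (NDP)
        tcp dport { $ports } ct state new accept   # the services this host offers
        # No trailing drop rule: the chain policy drops everything else.
    }
    chain forward {
        type filter hook forward priority 0; policy drop;   # this host does not route
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# check_ruleset FILE : parse and dry-run the file against the kernel (nft -c),
# which needs the same privileges as loading it.  Returns 2 when nft is absent so
# a caller can tell "not checked" from "rejected".
check_ruleset() {
  if ! command -v nft >/dev/null 2>&1; then
    echo "nft is not installed here; $1 was written but not checked" >&2
    return 2
  fi
  nft -c -f "$1"
}

out=$(mktemp /tmp/nftables.conf.XXXXXX)
write_ruleset "$out" 22 443
if check_ruleset "$out"; then
  echo "$out passes nft -c; load it with: nft -f $out  (then copy it to /etc/nftables.conf)"
else
  echo "$out not checked or rejected (status $?)" >&2
fi
```

The forward chain is there so that a host that later gets IP forwarding turned on does not silently become a router; the output chain is accept because a host firewall normally trusts its own outbound traffic. Because the file starts with flush ruleset, nft -f can be run on it as often as you like, which is what makes it safe as /etc/nftables.conf.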

Summary

nftables is the current Linux packet filter: tables, chains (with hooks and priority), and rules with match and verdict. Use it for new host firewalls when not using UFW. Use this to read and write nftables rules and to understand how they replace iptables.

Prerequisites

Steps

Step 1: Understand table and chain

  • Table: family plus name, e.g. inet filter (IPv4+IPv6).
  • Chain: a base chain has type (filter, nat, route), hook (prerouting, input, forward, output, postrouting), priority (orders the base chains on the same hook) and policy (accept/drop), which is used when no rule gives a verdict. A chain without a hook is reached only by jump or goto.

Step 2: Understand rule syntax

nft add rule inet filter input ct state established,related accept
nft add rule inet filter input tcp dport 22 accept
nft add rule inet filter input drop

Rules are evaluated in order; the first matching rule with a verdict (accept, drop, reject) decides the packet, and rules that only count or log let evaluation continue. nft add rule appends, so allow established/related first, then specific ports, then drop the rest; a rule added after the drop is never reached (use nft insert rule to put one at the top instead).

Step 3: List and persist

nft list ruleset
nft list ruleset > /etc/nftables.conf

The saved listing has no #!/usr/sbin/nft -f line and no flush ruleset statement; add both at the top, or loading the file a second time duplicates every rule. Check it with nft -c -f /etc/nftables.conf, then load at boot: nft -f /etc/nftables.conf from systemd (Debian/Ubuntu: systemctl enable nftables) or from an init script.

Step 4: Relate to iptables

nftables supersedes iptables. Concepts (tables, chains, ordering, conntrack state) are similar; syntax is different, and nftables ships with no predefined tables or chains. iptables-translate converts single iptables rules and iptables-restore-translate converts a whole iptables-save dump; rules that use matches without a translation must be rewritten by hand.

Verification

  • nft list ruleset shows the table and base chain you created with the expected hook, priority and policy, and nft list chain inet filter input shows the rules in the intended order (accepts before the catch-all drop).
  • A rule you add for a port takes effect immediately: a connection to that port from another host succeeds, a connection to an unlisted port times out under policy drop, and your existing SSH session keeps working because of ct state established,related.
  • After a reboot, nft list ruleset is not empty, which proves the persistence path (file plus boot-time nft -f) works.

Troubleshooting

Rules not persistent — Ensure a boot script or systemd unit runs nft -f on your saved file: Debian/Ubuntu use /etc/nftables.conf with nftables.service (systemctl enable nftables), Fedora/RHEL use /etc/sysconfig/nftables.conf, and firewalld manages its own nftables tables, so run either firewalld or a hand-written ruleset, not both. If rules appear twice after a reload, the file is missing flush ruleset at the top.

Locked out — Use the console or out-of-band access. Then either nft flush ruleset, which deletes every table and with it the drop policy, or nft insert rule inet filter input tcp dport 22 accept (insert, so the rule lands before any catch-all drop), and reload from a saved file that includes the allow. To avoid the lockout in the first place, load a new ruleset with a timed rollback: save the current ruleset, start a background sleep that restores it, apply the new file, and cancel the timer only after a fresh SSH login succeeds.

Next steps

Continue to