
To manage nftables, run nft.
nft is the administration tool of the nftables framework for packet filtering and classification.



ct: selector for state tracking information, also called conntrack or ct information. Netfilter collects it through the Connection Tracking System in order to deploy stateful firewalls.


With aptitude, uninstall iptables (and ufw, which depends on it) and install nftables

aptitude remove iptables ufw
aptitude install nftables

Check if the nftables kernel module is available and loaded

modinfo nf_tables
lsmod | grep nf_tables

Restart nftables

systemctl restart nftables.service

Show the status

systemctl status nftables.service


When working with chains, the family is optional and defaults to “ip”.

nft list ruleset
    Show the current rules
nft list tables
nft list table ip filter
    List the chains and rules in the table “filter” of family “ip” (alternative: ip6)
nft list table inet filter
nft delete table ip6 filter
    Delete the table “filter” of family “ip6”
nft flush ruleset
    Warning: clears the whole ruleset. This removes all tables and whatever they contain, leaving an empty ruleset. No packet filtering will happen anymore
nft flush table ip6 filter
    Delete all rules in table “filter” of family “ip6”
nft flush chain tablename chainname
    Delete all rules in chain “chainname” in table “tablename” (the table name comes before the chain name; family defaults to ip)
nft list chain ip filter FORWARD
    List the rules in the chain “FORWARD” in the table “filter” of family “ip”
nft flush chain ip filter ufw-before-logging-input
    Delete all the rules in chain “ufw-before-logging-input” in the table “filter” of family “ip”
nft delete chain ip filter ufw-before-logging-input
    Delete the chain “ufw-before-logging-input”; chains need to be empty before they can be removed
systemctl enable --now nftables.service
    Autostart nftables at system boot. Should result in "Created symlink /etc/systemd/system/ → /lib/systemd/system/nftables.service."


Example scripts can be found in /usr/share/doc/nftables/examples/

Default script (the closing braces of the chains and the table are required; nft -f rejects the file without them)

#!/usr/sbin/nft -f
flush ruleset
define tcp_services = { ssh, 22 }
# Other example
#define tcp_services = { ssh, 22, http, 80, https, 443 }
table inet filter {
  chain input {
    type filter hook input priority 0;
    # accept any localhost traffic
    iif lo accept
    # accept traffic originated from us
    ct state established,related accept
    # activate the following line to accept common local services
    tcp dport { ssh, 80, 443 } ct state new accept
    # accept neighbour discovery otherwise IPv6 connectivity breaks.
    ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
    # count and drop any other traffic
    counter drop
  }
  chain forward {
    type filter hook forward priority 0;
  }
  chain output {
    type filter hook output priority 0;
  }
}


The statement define tcp_services may only occur once in a script (a second, commented-out copy as above is fine).
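A small pre-flight check for such a script, added here as an example and not part of the wiki: it lints the file for a duplicated define and for unbalanced braces, dry-runs it with nft -c -f (which parses and validates without touching the kernel), and only then loads it with nft -f, so a broken script never replaces the live ruleset. The function names and the constructed demo script are the example's own.

```shell
#!/bin/sh
# Added example, not from the wiki: sanity-check an nftables script before
# loading it. Names (lint_nft_script, load_nft_script) are the example's own.
# lint_nft_script FILE
#   Returns 0 when every "define NAME" occurs at most once and the braces
#   balance; reports problems on stderr otherwise. Comments are removed first,
#   so a commented-out second define (as in the wiki's default script) passes.
lint_nft_script() {
    file=$1
    status=0
    # Names of defines that occur more than once.
    dups=$(sed 's/#.*//' "$file" | awk '$1 == "define" { print $2 }' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "lint: define occurs more than once: $dups" >&2
        status=1
    fi
    # Number of '{' minus number of '}' must be zero.
    balance=$(sed 's/#.*//' "$file" |
        awk '{ o += gsub(/\{/, ""); c += gsub(/\}/, "") } END { print o - c }')
    if [ "$balance" -ne 0 ]; then
        echo "lint: unbalanced braces (open minus close = $balance)" >&2
        status=1
    fi
    return $status
}
# load_nft_script FILE
#   Lint, dry-run with "nft -c -f" (parses and validates without touching the
#   kernel), and only then load the file atomically with "nft -f".
load_nft_script() {
    lint_nft_script "$1" || return 1
    nft -c -f "$1" || return 1
    nft -f "$1"
}
# Demo on a constructed script with two defects (a second, uncommented define
# and a missing closing brace). Run as: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
#!/usr/sbin/nft -f
define tcp_services = { ssh, 22 }
define tcp_services = { ssh, 22, http, 80, https, 443 }
table inet filter {
  chain input {
    tcp dport $tcp_services ct state new accept
  }
EOF
    lint_nft_script "$tmp" && echo "script looks sane" || echo "script rejected"
    rm -f "$tmp"
fi
```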


Do not forget to enable forwarding via

echo 1 > /proc/sys/net/ipv4/ip_forward


# nft delete chain ip filter ufw-before-input
Error: Could not process rule: Device or resource busy
delete chain ip filter ufw-before-input

The chain is not empty. Flush it first (nft flush chain ip filter ufw-before-input) and then delete it again.

nftables beginners guide to traffic filtering
Simple rule management
simple nftables config
iptables tutorial 1.2.2 chapter 7. The state machine. With the explanation of user-land states like NEW, ESTABLISHED and RELATED

firewalld is a dynamically managed firewall

network_nftables.txt · Last modified: 28-11-2021 11:46 by wim