Programster's Blog

Tutorials focusing on Linux, programming, and open-source

Nftables Cheatsheet

Table of Contents

  1. Getting Started
    1. Installation
    2. Enable And Start Nftables
  2. Terms
    1. Chain "Priority"
  3. Import / Export
    1. Import
    2. Export
    3. Make Rules Persistent
    4. Schema
    5. Port iptables to nftables
  4. Table Commands
    1. List Tables
    2. Add Table
    3. Delete Table
  5. Chain Commands
    1. Create Base Chain
    2. Create Regular Chain
  6. Nftables Families
  7. Nftables and Docker

Getting Started  

Installation  

On Debian/Ubuntu based systems, you should be able to install nftables by running:

 sudo apt update && sudo apt install nftables

Debian documentation states that nftables is used by default as of Debian 10 Buster, but when I tried to run any nft commands, they wouldn't work and I still needed to install the nftables package. It looks like Debian is using nftables in the kernel backend, but still operating using iptables userspace syntax. I may be wrong, and appear to not be the only one confused by this. If you know better, please post in the comments.

Enable And Start Nftables  

sudo systemctl enable nftables
sudo systemctl start nftables

Terms

Chain "Priority"

When creating base chains, you will need to assign a priority. The priority needs to be 0 or above, and chains with a lower priority value get processed first. Thus, you may wish to think of it as "order" rather than "priority".

Import / Export

Import

Import NFT File Ruleset

sudo nft --file ruleset.nft

Also, if you want to read from stdin, you can do so like so:

cat ruleset.nft | sudo nft --file -

Import JSON File Ruleset

sudo nft --json --file ruleset.json

Also, if you want to read from stdin, you can do so like so:

cat ruleset.json | sudo nft --json --file -

Export

Export NFT

To export the rules, one can do the following:

sudo nft list ruleset > ruleset.nft

Export JSON

If you want to export the rules in JSON format, add the --json flag like so:

sudo nft --json list ruleset > ruleset.json

This will output the rules in a compressed JSON format. If you want to be able to easily read and edit the rules, you can pretty-print them with the jq tool like so:

sudo nft --json list ruleset | jq . > ruleset.json

You may need to install jq by running: sudo apt install jq -y

Make Rules Persistent

The rules defined in the configuration file at /etc/nftables.conf are the ones loaded when the server restarts. Thus, we can use the export command and a few manual additions to overwrite this configuration file, making our dynamically added rules permanent like so:

# First set the shebang
echo '#!/usr/sbin/nft -f' > ruleset.nft

# Tell nftables to reset (clear whatever is loaded before applying our rules)
echo "flush ruleset" >> ruleset.nft

# Add the existing rules after a spacer/newline (listing the ruleset needs root)
echo "" >> ruleset.nft
sudo nft list ruleset >> ruleset.nft

# Overwrite the configuration file with our generated file (also needs root).
sudo mv ruleset.nft /etc/nftables.conf
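A fuller version of the procedure above, added here as an example and not part of the original post: the dump is wrapped into a boot file by a function, the generated file is syntax-checked with nft -c (parse only, nothing is applied) before it replaces /etc/nftables.conf, and the old configuration is kept as a backup. The function names and the /tmp paths are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): build /etc/nftables.conf from the
# live ruleset, but validate the generated file before it replaces the old one.
set -eu

# build_persistent_ruleset SRC DEST
# Wrap a plain "nft list ruleset" dump (SRC) into a self-contained boot file (DEST):
# shebang so the file is executable, "flush ruleset" so stale rules are cleared
# before ours are loaded, then the dump itself after a blank line.
build_persistent_ruleset() {
    src="$1"; dest="$2"
    {
        printf '%s\n' '#!/usr/sbin/nft -f'
        printf '%s\n' 'flush ruleset'
        printf '\n'
        cat "$src"
    } > "$dest"
}

# line_count FILE: number of lines, used to confirm nothing was dropped
line_count() {
    wc -l < "$1" | tr -d ' '
}

# Everything below touches the real system and needs nft plus root.
snapshot_live_ruleset() {          # dump the kernel's current ruleset to $1
    sudo nft list ruleset > "$1"
}

check_ruleset() {                  # -c: parse and validate only, load nothing
    sudo nft -c -f "$1"
}

install_ruleset() {                # keep a dated backup, then replace the config
    sudo cp /etc/nftables.conf "/etc/nftables.conf.$(date +%Y%m%d%H%M%S).bak"
    sudo mv "$1" /etc/nftables.conf
}

# Only act on the system when explicitly asked: ./persist.sh persist
if [ "${1:-}" = "persist" ]; then
    snapshot_live_ruleset /tmp/live.nft
    build_persistent_ruleset /tmp/live.nft /tmp/ruleset.nft
    check_ruleset /tmp/ruleset.nft && install_ruleset /tmp/ruleset.nft
fi
```

If nft -c rejects the generated file, install_ruleset never runs and the previous /etc/nftables.conf stays in place.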

Schema

Information about the JSON schema can be found online.

Port iptables to nftables  

You can use the following command to install a porting tool:

sudo apt install iptables-nftables-compat

Use the following command to create a dump/backup of your existing iptables rules:

sudo iptables-save > iptables.dump

Use the porting tool we installed earlier to port the iptables rules over to nftables rules:

sudo iptables-restore-translate -f iptables.dump > ruleset.nft

Use the following command to import the generated nftables ruleset:

sudo nft --file ruleset.nft

The shorthand to --file is just -f.

Table Commands

List Tables  

You can use the following command to list your tables:

sudo nft list tables

Add Table

ADDRESS_FAMILY="inet"
TABLE_NAME="my_table"
sudo nft add table $ADDRESS_FAMILY $TABLE_NAME

Refer to the Nftables Families section for more info on ADDRESS_FAMILY.

Delete Table

ADDRESS_FAMILY="inet"
TABLE_NAME="my_table"
sudo nft delete table $ADDRESS_FAMILY $TABLE_NAME

Refer to the Nftables Families section for more info on ADDRESS_FAMILY.

Chain Commands

Chains filter packets and live under tables. You attach each rule to a chain, so that packets caught by the chain's hook are then evaluated against the chain's rules.

Create Base Chain

Base chains act as entry points for packets coming from the network stack.

ADDRESS_FAMILY="inet"
TABLE_NAME="my_table"
CHAIN_NAME="my_chain"
TYPE="filter"
HOOK="input"
PRIORITY=0
# Double quotes so the shell expands the variables; the braces and ';' must reach nft as one argument.
sudo nft add chain $ADDRESS_FAMILY $TABLE_NAME $CHAIN_NAME "{ type $TYPE hook $HOOK priority $PRIORITY; }"

Create Regular Chain

Regular chains do not act as filters, but can act as jump targets. They can help with controlling the flow and organization of your nftables.

ADDRESS_FAMILY="inet"
TABLE_NAME="my_table"
CHAIN_NAME="my_chain"
sudo nft add chain $ADDRESS_FAMILY $TABLE_NAME $CHAIN_NAME
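The difference between the two chain kinds, together with the priority ordering from the Terms section, as an added example that is not part of the original post: a ruleset with two base chains on the input hook and one regular chain that is only reachable through jump, loaded through the stdin import shown earlier. The table and chain names are my own; the helper functions exist so the generated text can be inspected without nft.

```shell
#!/bin/sh
# Added example, not from the original post. Prints an nftables ruleset that
# puts base chains (hooked, with a priority) next to a regular chain (no hook,
# reached only by "jump"), and optionally loads it with "nft -f -".
set -eu

chain_ruleset() {
    cat <<'EOF'
flush ruleset
table inet my_table {
    # regular chain: no type/hook line, so it never sees packets on its own
    chain allowed_services {
        tcp dport 22 accept
        tcp dport { 80, 443 } accept
    }
    # base chain with priority 0: evaluated first on the input hook; a drop here
    # ends evaluation, an accept only ends this chain and my_chain still runs
    chain early_checks {
        type filter hook input priority 0; policy accept;
        ct state invalid drop
    }
    # base chain with priority 10: evaluated after early_checks on the same hook
    chain my_chain {
        type filter hook input priority 10; policy drop;
        ct state established,related accept
        iif "lo" accept
        jump allowed_services
    }
}
EOF
}

# Number of hooked (base) chains in the generated ruleset
count_base_chains() {
    chain_ruleset | grep -c 'type filter hook'
}

# Number of jumps into the regular chain
count_jumps() {
    chain_ruleset | grep -c 'jump allowed_services'
}

# Apply the ruleset only when explicitly asked (needs nft and root): ./chains.sh load
if [ "${1:-}" = "load" ]; then
    chain_ruleset | sudo nft -f -
fi
```

Running it with "check" semantics is as simple as chain_ruleset | sudo nft -c -f -, which parses the ruleset without loading it.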

Nftables Families  

Netfilter enables filtering at multiple networking levels. With iptables there is a separate tool for each level: iptables, ip6tables, arptables, ebtables. With nftables the multiple networking levels are abstracted into families, all of which are served by the single tool nft. The following are descriptions of current nftables families, but additional families may be added in the future.

  • ip
    • Tables of this family see IPv4 traffic/packets. The iptables tool is the legacy x_tables equivalent.
  • ip6
    • Tables of this family see IPv6 traffic/packets. The ip6tables tool is the legacy x_tables equivalent.
  • inet
    • Tables of this family see both IPv4 and IPv6 traffic/packets, simplifying dual stack support.
  • arp
    • Tables of this family see ARP-level (i.e., L2) traffic, before any L3 handling is done by the kernel. The arptables tool is the legacy x_tables equivalent.
  • bridge
    • Tables of this family see traffic/packets traversing bridges (i.e. switching). No assumptions are made about L3 protocols.
  • netdev
    • The netdev family is different from the others in that it is used to create base chains attached to a single network interface. Such base chains see all network traffic on the specified interface, with no assumptions about L2 or L3 protocols. Therefore you can filter ARP traffic from here. There is no legacy x_tables equivalent to the netdev family.

Nftables and Docker  

Docker manipulates iptables for its networking to "magically" work. It is currently built to work only with iptables and not nftables. However, you may be able to work around this. Please refer to the following resources:

As others have pointed out, it is probably easiest to leave nftables out of the server running docker, and have an external firewall service that you use to manage the traffic going into and out of your server.


Last updated: 6th April 2023
First published: 20th April 2022