nftables is the successor to iptables, providing a simpler and more powerful framework for packet filtering and classification. It offers improved performance and a unified interface for IPv4, IPv6, and ARP filtering.
Key Features
- Unified Framework: A single tool and ruleset for IPv4, IPv6, ARP and bridge filtering (the inet family covers IPv4 and IPv6 in one table)
- Atomic Updates: A ruleset loaded with nft -f is applied all at once, so the kernel never runs a half-applied rule set
- Sets and Maps: Native sets, maps and intervals replace long lists of near-identical rules
- Improved Syntax: A structured, more readable configuration language
- Verdict Maps: Dispatch packets to chains or verdicts by matching on a key (address, port, interface) in one lookup
Installation
Install nftables on Ubuntu:
sudo apt update
sudo apt install nftables
sudo systemctl enable nftables
Usage Examples
An example nftables configuration file, loaded with nft -f (the systemd nftables service loads /etc/nftables.conf the same way):
#!/usr/sbin/nft -f
# Replace the whole ruleset atomically; without this line, re-loading the file
# appends a second copy of every rule instead of replacing them.
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # allow replies to connections we initiated
        ct state established,related accept
        # loopback traffic
        iifname "lo" accept
        # inbound SSH, HTTP and HTTPS
        tcp dport { 22, 80, 443 } accept
    }
    chain forward {
        # this host is not a router
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
Benefits
nftables modernizes Linux firewalling with cleaner syntax and better performance. Its atomic updates prevent rule inconsistencies during changes.
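As an added example (not code from the original article), a shell helper that generates a ruleset like the one above from a list of allowed TCP ports, syntax-checks it with nft -c before touching the kernel, and applies it with a scheduled rollback so a mistake in a ruleset applied over SSH does not lock you out. The function names, the backup path and the extra ct state invalid drop rule are my own additions; it assumes nft is in PATH and the script runs as root.

```shell
#!/usr/bin/env bash
# Hypothetical helper (not from the article): build, check and safely apply an
# nftables ruleset. Assumes nft in PATH and root privileges for apply/rollback.

# Build a ruleset from a space-separated list of allowed TCP ports, e.g. "22 80 443".
# Only prints the ruleset text; nothing is applied here.
gen_ruleset() {
  local ports="$1" portset
  portset=$(printf '%s' "$ports" | sed 's/ /, /g')   # "22 80 443" -> "22, 80, 443"
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "lo" accept
    tcp dport { $portset } accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Parse-check a ruleset file without loading it (nft -c). Returns nft's status.
check_ruleset() { nft -c -f "$1"; }

# Apply a ruleset file atomically, with an automatic rollback after $2 seconds
# (default 120) unless the operator confirms. Prints the backup path on success.
apply_with_rollback() {
  local file="$1" wait="${2:-120}" backup
  backup=$(mktemp /tmp/nft-backup.XXXXXX) || return 1
  # Snapshot the live ruleset; prefix flush so restoring replaces, not appends.
  { printf 'flush ruleset\n'; nft list ruleset; } > "$backup" || return 1
  check_ruleset "$file" || return 1
  nft -f "$file" || return 1      # all-or-nothing swap of the whole ruleset
  ( sleep "$wait"; [ -e "$backup" ] && nft -f "$backup" && rm -f "$backup" ) &
  echo "$backup"
}

# Confirm the new ruleset: removing the backup cancels the pending rollback.
confirm_ruleset() { rm -f "$1"; }
```

Typical use: `b=$(apply_with_rollback /etc/nftables.conf 120)`, open a fresh SSH session to prove you still have access, then `confirm_ruleset "$b"`.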