How To Install nftables in Linux Systems

nftables is the modern replacement for iptables, offering a unified and simplified syntax for managing firewall rules. This guide explains how to install, enable, and configure nftables across major Linux distributions.

Debian-Based Distributions

  • Update packages: sudo apt update
  • Install nftables: sudo apt install nftables
  • Enable and start:
    sudo systemctl enable nftables
    sudo systemctl start nftables
  • Check status: sudo systemctl status nftables

Red Hat-Based Distributions

  • Install nftables:
    sudo dnf install nftables (modern systems)
    sudo yum install nftables (older systems)
  • Enable and start:
    sudo systemctl enable nftables
    sudo systemctl start nftables
  • Check status: sudo systemctl status nftables

Arch-Based Distributions

  • Install nftables: sudo pacman -S nftables
  • Enable and start:
    sudo systemctl enable nftables.service
    sudo systemctl start nftables.service
  • Check status: sudo systemctl status nftables.service

openSUSE-Based Distributions

  • Install nftables: sudo zypper install nftables
  • Enable and start:
    sudo systemctl enable nftables
    sudo systemctl start nftables
  • Check status: sudo systemctl status nftables

Setting Up a Basic nftables Table and Chain

  • Create a table for IPv4:
    sudo nft add table ip filter
  • Create a chain attached to the table:
    sudo nft 'add chain ip filter input { type filter hook input priority 0; policy accept; }'
  • Adjust the default policy as needed (e.g., drop to block unsolicited connections).

Common nftables Rule Examples

  • Allow SSH (22): sudo nft add rule ip filter input tcp dport 22 accept
  • Allow HTTP (80): sudo nft add rule ip filter input tcp dport 80 accept
  • Allow HTTPS (443): sudo nft add rule ip filter input tcp dport 443 accept
  • Allow port 8080: sudo nft add rule ip filter input tcp dport 8080 accept
  • Deny port 8080: sudo nft add rule ip filter input tcp dport 8080 drop
  • Delete a rule by handle (the -a flag prints each rule's handle number; 5 below is whatever handle the listing shows for the rule to remove):
    List rules: sudo nft -a list ruleset
    Delete: sudo nft delete rule ip filter input handle 5

Basic nftables Configuration Commands

  • List ruleset: sudo nft list ruleset
  • Save ruleset (a plain > redirection is performed by your unprivileged shell, not by sudo, so it fails with "Permission denied" on /etc; pipe through sudo tee instead):
    sudo nft list ruleset | sudo tee /etc/nftables.conf > /dev/null
  • Load ruleset:
    sudo nft -f /etc/nftables.conf
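Putting the table, chain, rules and persistence steps together, here is an added example of a complete /etc/nftables.conf (not from the original page) that can be validated without applying it using sudo nft -c -f /etc/nftables.conf and then loaded with sudo nft -f /etc/nftables.conf. The allowed ports match the rule examples above; the loopback and connection-tracking rules, the named set and the logging rule are assumed additions that keep a default-drop policy from locking you out or hiding what it blocks.

```nft
#!/usr/sbin/nft -f
# Added example configuration, not part of the original page.
# The ip family below matches the page's commands; the inet family would
# cover IPv4 and IPv6 in one table.

# Start from an empty ruleset so loading this file twice does not
# duplicate rules (nft list ruleset output does not include this line).
flush ruleset

table ip filter {
    # Named set of published TCP ports; edit here instead of in the rules.
    set tcp_services {
        type inet_service
        elements = { 22, 80, 443 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Local services talk to themselves over loopback; without this
        # rule many daemons (and sudo name lookups) break.
        iifname "lo" accept

        # Replies to connections this host initiated, plus related traffic
        # such as ICMP errors for them.
        ct state established,related accept

        # Packets the connection tracker cannot associate with any flow.
        ct state invalid drop

        # Echo requests (ping) for basic diagnostics.
        icmp type echo-request accept

        # New connections to the published services.
        tcp dport @tcp_services ct state new accept

        # Everything else is logged (rate-limited to avoid flooding the
        # journal) before the chain's drop policy discards it.
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        # This host is not a router; drop transit traffic.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

The dropped-packet log lines appear in the kernel log (dmesg or journalctl -k) with the "nft-input-drop: " prefix, which is where to look first when a service is unexpectedly unreachable.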

Important Notes

  • Unified syntax: nftables manages both IPv4 and IPv6 with a single configuration.
  • Kernel requirement: Linux kernel 3.13 or later is needed for full nftables support.
  • Persistence: Save rules to /etc/nftables.conf to ensure they reload after reboot.
  • Verification: Always check your rules with sudo nft list ruleset after changes.

By installing and configuring nftables, you gain a modern and efficient firewall solution for Linux. Its unified syntax and flexibility make it easier to manage complex rulesets compared to older tools.

Regularly saving and reviewing your nftables configuration ensures your system remains secure, consistent, and tailored to your network needs.
