nft Command: Tutorial & Examples
Configure the kernel's firewall
nftables is a packet filtering framework that can be used to configure open ports on a Linux system. It is the successor to the iptables firewall and is designed to be easier to use and more powerful than its predecessor.
You can use the nft command to configure your firewall rules. To open a port, use the add rule command followed by the address family, the table and the chain the rule belongs to (inet filter input in the ruleset listed below), then a tcp or udp match, depending on the type of port you want to open. For example, to open TCP port 80 for HTTP traffic, you could use the following command:
nft add rule inet filter input tcp dport 80 accept
You can also restrict the rule to a specific source IP address or network. For example, to open TCP port 80 only to connections from the IP address 192.168.0.1, you could use the following command:
nft add rule inet filter input ip saddr 192.168.0.1 tcp dport 80 accept
It is important to configure open ports carefully because they can pose a security risk if not properly secured. By only opening the ports that are necessary for your system to function, you can reduce the risk of unauthorized access to your system.
For example, if you are running a web server, you will likely need to open port 80 (HTTP) and/or port 443 (HTTPS) for incoming traffic. However, if you do not need to run any other services, you should not open any other ports. This helps to reduce the risk of attackers being able to access your system through open ports that are not being used.
To display the current configuration, you can use the following command:
nft list ruleset
The output will look similar to this:
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        iifname "wg0" accept
        ip saddr 10.1.0.0/24 accept
        ip protocol icmp limit rate 4/second accept
        ip6 nexthdr ipv6-icmp limit rate 4/second accept
        ip protocol igmp limit rate 4/second accept
        tcp dport { 22, 143 } accept
        tcp dport { 80, 443 } accept
        udp dport { 80, 443 } accept
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority filter; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
    }
}
table ip6 nat {
    chain prerouting {
        type nat hook prerouting priority filter; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
    }
}
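Adding rules one at a time with nft add rule accumulates state that is easy to lose track of. The script below, an added example that is not part of the original page, generates a complete ruleset in the style of the listing above (default drop on input, only the listed TCP ports open, SSH limited to one admin network) and loads it atomically with nft -f. The admin network 192.168.0.0/24 and the function names build_ruleset and load_ruleset are assumptions for the example.

```shell
#!/bin/sh
# Generate a complete nftables ruleset for a host: default-drop input, only
# the listed TCP ports open to everyone, SSH (22) only from one admin network.
# Usage: build_ruleset <admin_net> [port ...]   e.g. build_ruleset 192.168.0.0/24 80 443
build_ruleset() {
    admin_net="$1"; shift
    if [ "$#" -gt 0 ]; then
        ports=$(printf '%s, ' "$@")
        svc_rule="tcp dport { ${ports%, } } accept"
    else
        svc_rule="# no public TCP services"
    fi
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # ip saddr matches IPv4 only: SSH over IPv6 is dropped by the policy
        ip saddr $admin_net tcp dport 22 accept
        $svc_rule
        ip protocol icmp limit rate 4/second accept
        ip6 nexthdr ipv6-icmp limit rate 4/second accept
    }
    chain forward { type filter hook forward priority filter; policy drop; }
    chain output  { type filter hook output priority filter; policy accept; }
}
EOF
}

# Dry-run the script with nft -c, then load it in one transaction (needs root).
# 'flush ruleset' at the top makes the load a full atomic replacement.
load_ruleset() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    nft -c -f "$tmp" && nft -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo: print the generated script (assumed admin network). To apply as root:
#   build_ruleset 192.168.0.0/24 80 443 | load_ruleset
build_ruleset 192.168.0.0/24 80 443
```

Because the script starts with flush ruleset, every load replaces the whole firewall in one transaction, so a failed syntax check leaves the running ruleset untouched.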