nft Command: Tutorial & Examples

Configure the kernel's firewall

nftables is the packet filtering framework in the Linux kernel; one of its everyday uses is controlling which ports on a system accept incoming connections. It is the successor to the iptables firewall and is designed to be easier to use and more powerful than its predecessor.

You can use the nft command to configure your firewall rules. To open a port, use the add rule command followed by the table family (here inet), the table and chain names, and a tcp dport or udp dport match, depending on the type of port you want to open. For example, to open TCP port 80 for HTTP traffic in the input chain of the inet filter table, you could use the following command:

nft add rule inet filter input tcp dport 80 accept

The table and chain must already exist, and add rule appends the new rule at the end of the chain, so it is only reached by packets that no earlier rule has already accepted or dropped. Rules added on the command line are also not persistent: they are lost at reboot unless you save the ruleset (for example with nft list ruleset) to a file that is loaded at boot with nft -f. You can also restrict a port to a specific source IP address or network. For example, to open TCP port 80 only to connections from the IP address 192.168.0.1, you could use the following command:

nft add rule inet filter input tcp dport 80 ip saddr 192.168.0.1 accept

Configure open ports carefully: every service reachable through an open port is part of your system's attack surface. By opening only the ports that your system needs in order to function, you reduce the risk of unauthorized access.

For example, if you are running a web server, you will likely need to open port 80 (HTTP) and/or port 443 (HTTPS) for incoming traffic. If you do not run any other services, you should not open any other ports. This reduces the risk of an attacker reaching a service through a port you never intended to expose.

To display the current configuration, you can use the following command:

nft list ruleset

The output will look similar to this:

table inet filter {
        chain input {
                type filter hook input priority filter; policy drop;
                ct state established,related accept
                ct state invalid drop
                iifname "lo" accept
                iifname "wg0" accept
                ip saddr 10.1.0.0/24 accept
                ip protocol icmp limit rate 4/second accept
                ip6 nexthdr ipv6-icmp limit rate 4/second accept
                ip protocol igmp limit rate 4/second accept
                tcp dport { 22, 143 } accept
                tcp dport { 80, 443 } accept
                udp dport { 80, 443 } accept
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }
}
table ip nat {
        chain prerouting {
                type nat hook prerouting priority filter; policy accept;
        }

        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
        }
}
table ip6 nat {
        chain prerouting {
                type nat hook prerouting priority filter; policy accept;
        }

        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
        }
}
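Auditing the listing above by eye works for a few rules, but checking it against the "open only what you need" policy is easy to script. The following Python program is an added example, not code from the original page: it parses the text layout that nft list ruleset prints (the regexes assume the layout shown above), collects the TCP/UDP ports that chains attached to the input hook accept, and reports any that are not on an allowlist. The ruleset it parses is a constructed sample, not captured from a real host.

```python
import re

# Constructed sample in the layout `nft list ruleset` prints (assumed, not captured from a host).
SAMPLE_RULESET = """\
table inet filter {
        chain input {
                type filter hook input priority filter; policy drop;
                ct state established,related accept
                tcp dport { 22, 143 } accept
                tcp dport { 80, 443 } accept
                udp dport { 80, 443 } accept
                tcp dport 8080 ip saddr 192.168.0.1 accept
                tcp dport 23 drop
        }
        chain output {
                type filter hook output priority filter; policy accept;
                tcp dport 25 accept
        }
}
"""

HOOK_RE = re.compile(r"type filter hook (\w+) priority")
# proto, then a set like "{ 80, 443 }" or a single port, followed later by the accept verdict
PORT_RE = re.compile(r"\b(tcp|udp) dport (\{[^}]*\}|\d+).*\baccept\b")


def accepted_ports(ruleset: str, hook: str = "input") -> dict:
    """Return {'tcp': {ports}, 'udp': {ports}} accepted by chains attached to `hook`."""
    ports = {"tcp": set(), "udp": set()}
    depth, chain_hook = 0, None  # brace depth: 1 = table body, 2 = chain body
    for line in ruleset.splitlines():
        m = HOOK_RE.search(line)
        if m:
            chain_hook = m.group(1)  # base chain: remember which hook it is attached to
        if chain_hook == hook:
            m = PORT_RE.search(line)
            if m:
                proto, spec = m.groups()
                ports[proto].update(int(p) for p in re.findall(r"\d+", spec))
        # Sets open and close on one line, so counting braces tracks only table/chain nesting.
        depth += line.count("{") - line.count("}")
        if depth < 2:  # left the chain body
            chain_hook = None
    return ports


def unexpected_ports(ruleset: str, allowed: set) -> list:
    """Ports accepted on the input hook that are not in the (proto, port) allowlist."""
    found = accepted_ports(ruleset, "input")
    opened = {(proto, p) for proto, ps in found.items() for p in ps}
    return sorted(opened - allowed)
```

On a real host, feed the output of nft list ruleset into unexpected_ports instead of the sample. Port ranges such as 1024-65535 are not expanded (both ends are reported), and rules that accept a whole source network without a dport match, like the ip saddr 10.1.0.0/24 accept line above, are outside what this check sees.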
Except where otherwise noted, content on this site is licensed under a CC BY-SA 4.0 license.