Cheat sheet
nftables — the modern Linux firewall: tables, chains, rules, sets, NAT, persistence, and iptables migration. Most commands below need root, and rules take effect immediately; on a remote host, mind the order in which you add them.
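# Full ruleset (global options go before the command: -a shows rule handles, -n skips name resolution)
nft list ruleset
# All tables
nft list tables
# Single table
nft list table inet filter
# Single chain
nft list chain inet filter input

# Create a table (inet = IPv4+IPv6 in one ruleset)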
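nft add table inet filter
# Add base chains (hook + priority). A base chain's policy is enforced the moment
# the chain exists, so creating input with "policy drop" before any accept rule
# cuts a remote SSH session. Create it with "policy accept", add the rules, then
# switch:  nft add chain inet filter input '{ type filter hook input priority 0; policy drop; }'
# (or load the whole ruleset in one atomic transaction with nft -f).
nft add chain inet filter input \
'{ type filter hook input priority 0; policy accept; }'
nft add chain inet filter forward \
'{ type filter hook forward priority 0; policy drop; }'
nft add chain inet filter output \
'{ type filter hook output priority 0; policy accept; }'

# Allow established/related traffic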
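# Loopback first: local services talking over 127.0.0.1/::1 (resolvers, databases,
# IPC) break under a drop policy without this
nft add rule inet filter input iif "lo" accept
# Allow established/related traffic; drop what conntrack cannot classify
nft add rule inet filter input \
ct state established,related accept
nft add rule inet filter input ct state invalid drop
# Allow SSH (in an inet table "tcp dport" matches IPv4 and IPv6)
nft add rule inet filter input \
tcp dport 22 accept
# Allow HTTP + HTTPS
nft add rule inet filter input \
tcp dport { 80, 443 } accept
# Allow ICMP (ping). "icmp type" matches IPv4 only; IPv6 needs icmpv6, and if
# neighbor discovery is not accepted IPv6 stops working entirely under drop
nft add rule inet filter input \
icmp type echo-request accept
nft add rule inet filter input 'icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept'
# Drop everything else (explicit). "add rule" appends, so anything added to this
# chain afterwards with "add rule" is unreachable -- use "insert rule" to go first
nft add rule inet filter input drop
# With the accept rules in place, make drop the chain policy as well
# (a no-op if the chain was created with policy drop)
nft add chain inet filter input \
'{ type filter hook input priority 0; policy drop; }'

# Delete a specific rule by handle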
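# -a (--handle) is a global option and goes before the command; each rule is
# printed with "# handle N". Handles are not stable across reloads -- look them up every time
nft -a list ruleset
nft delete rule inet filter input handle 5
# Flush all rules in a chain (the chain and its policy remain)
nft flush chain inet filter input
# Flush entire table (empties every chain in it; the chains remain)
nft flush table inet filter
# Wipe everything: all tables, chains, sets and NAT. The host is left with no
# firewall at all until a ruleset is loaded again -- this opens access, it does not close it
nft flush ruleset

# Create NAT table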
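# Family "ip" is IPv4 only; use "ip6 nat" as well, or a single "inet nat" table, for IPv6
nft add table ip nat
nft add chain ip nat prerouting \
'{ type nat hook prerouting priority -100; }'
nft add chain ip nat postrouting \
'{ type nat hook postrouting priority 100; }'
# Masquerade outbound (SNAT) for traffic leaving eth0
nft add rule ip nat postrouting \
oifname "eth0" masquerade
# DNAT: forward port 8080 -> internal host. Restrict to the external interface,
# otherwise port 8080 is redirected no matter where the packet came in
nft add rule ip nat prerouting \
iifname "eth0" tcp dport 8080 dnat to 192.168.1.10:80
# NAT only rewrites addresses; the rewritten packet still traverses the filter
# forward chain (policy drop above), so it needs an accept there in both
# directions, and the kernel must be routing. LAN clients behind the masquerade
# likewise need a forward accept for their outbound traffic
nft add rule inet filter forward ct state established,related accept
nft add rule inet filter forward \
ip daddr 192.168.1.10 tcp dport 80 accept
sysctl -w net.ipv4.ip_forward=1   # persist via /etc/sysctl.d/

# Named set of blocked IPs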
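# type ipv4_addr matches IPv4 only; add a second set of type ipv6_addr for IPv6.
# "flags interval" would allow CIDR elements
nft add set inet filter blocklist \
'{ type ipv4_addr; }'
nft add element inet filter blocklist \
'{ 1.2.3.4, 5.6.7.8 }'
# "add rule" appends, so placed after a final drop this rule would never match.
# "insert rule" puts it at the top of the chain, ahead of the established/related
# accept, so blocked hosts lose their existing connections too
nft insert rule inet filter input \
ip saddr @blocklist drop
# Rate-limit new connections (SYN flood mitigation). Drop what exceeds the rate
# and leave the decision to accept to the port rules -- "tcp flags syn ... accept"
# would accept SYNs to every port. The limit is per rule (global), not per source
# address; "tcp flags syn" alone would also match SYN-ACK
nft insert rule inet filter input \
'tcp flags & (fin|syn|rst|ack) == syn limit rate over 100/second burst 200 packets drop'

# Save current ruleset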
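# "nft -f" applies a file as one atomic transaction, but a bare dump is not
# idempotent: loading it onto a live ruleset appends every rule a second time.
# Prefix "flush ruleset" so a reload replaces the ruleset instead of duplicating it
{ printf '#!/usr/sbin/nft -f\nflush ruleset\n'; nft list ruleset; } > /etc/nftables.conf
# Check syntax without applying, then restore from file
nft -c -f /etc/nftables.conf
nft -f /etc/nftables.conf
# Enable on boot (systemd). Debian/Ubuntu's nftables.service loads
# /etc/nftables.conf; other distributions may use another path
# (e.g. /etc/sysconfig/nftables.conf) -- check the unit before relying on it
systemctl enable --now nftables

# iptables -> nftables migration tool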
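# -f takes a filename, not stdin. Translate to a file and review it before
# installing: rules using extensions with no nft equivalent are emitted as
# "# ..." comments and would silently vanish from the enforced policy
iptables-save > /root/iptables.save
iptables-restore-translate -f /root/iptables.save > /root/ruleset.nft
# The result is an IPv4-only "ip" family ruleset; translate ip6tables separately
# and append it, otherwise IPv6 is left unfiltered after the switch
ip6tables-save > /root/ip6tables.save
ip6tables-restore-translate -f /root/ip6tables.save >> /root/ruleset.nft
# Or convert a single rule inline
iptables-translate -A INPUT -p tcp --dport 22 -j ACCEPT
# → nft add rule ip filter INPUT tcp dport 22 counter accept
ip6tables-translate -A INPUT -p tcp --dport 443 -j ACCEPT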