How Do I Use nftables in Linux?

Spinup virtual servers come with firewall tools like nftables preinstalled. This guide walks through checking your current configuration and adding rules to allow web traffic (ports 80 and 443).

Scenario

You have an Ubuntu (CIS) server running an NGINX web server. The server routes HTTP (port 80) traffic to HTTPS (port 443), and you need to allow both ports through the firewall.


Step 1: List Tables

Run the following command to see what nftables tables exist:

sudo nft list tables

You should see something like:

table inet filter

Step 2: Inspect Chains

List the chains in the inet filter table:

sudo nft list table inet filter

Example output:

table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		iif "lo" accept
		ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop
		ip6 saddr ::1 counter packets 0 bytes 0 drop
		ip protocol tcp ct state established accept
		tcp dport 22 accept
		...
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
	}
	chain output {
		type filter hook output priority filter; policy drop;
		...
	}
}

input: traffic coming into the server
forward: traffic routed through the server
output: traffic originating from the server


Step 3: Add Firewall Rules

Allow traffic on ports 80 and 443:

sudo nft add rule inet filter input tcp dport 443 accept
sudo nft add rule inet filter input tcp dport 80 accept

Step 4: Persist Your Rules

Save the current ruleset so it loads on reboot. Write the file through tee rather than a shell redirection: sudo applies only to the nft command, so a plain "sudo nft list ruleset > /etc/nftables.rules" would try to create the file as your unprivileged user and fail with "Permission denied".

sudo nft list ruleset | sudo tee /etc/nftables.rules > /dev/null
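The following script is an added example for this guide, not Spinup's own tooling. It wraps Steps 2 through 4 so they can be re-run safely: it parses the text of "nft list chain inet filter input", adds an accept rule only when the port is not already accepted, and uses "nft insert rule" instead of "nft add rule" when the chain ends in an explicit drop or reject rule (add appends, so a rule placed after a final drop would never be reached). It assumes the table and chain names shown in Step 2 (inet filter, chain input); the chain text embedded in it is constructed for demonstration, not captured from a real server.

```shell
#!/bin/sh
# Added example (not Spinup's code): idempotent helpers around the nftables
# steps in the guide. Assumes table "inet filter" with chain "input".

# Constructed sample of `nft list chain inet filter input` output, so the
# helpers can be exercised without root or nft installed.
SAMPLE_INPUT_CHAIN='table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		iif "lo" accept
		ct state established accept
		tcp dport 22 accept
		tcp dport 443 accept
	}
}'

# port_allowed CHAIN_TEXT PORT: succeeds if a "tcp dport PORT accept" rule exists.
port_allowed() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*tcp dport $2 accept"
}

# chain_policy CHAIN_TEXT: prints the chain's default policy (drop or accept).
chain_policy() {
    printf '%s\n' "$1" | sed -n 's/.*policy \([a-z]*\);.*/\1/p' | head -n 1
}

# ends_with_drop CHAIN_TEXT: succeeds if the last rule in the chain is a
# drop/reject, in which case an appended accept rule would never match.
ends_with_drop() {
    printf '%s\n' "$1" \
      | grep -Ev '^[[:space:]]*(}|table |chain |type )' \
      | grep -E '[^[:space:]]' \
      | tail -n 1 \
      | grep -Eq '(drop|reject)([[:space:]].*)?$'
}

# rule_cmd_for_port PORT CHAIN_TEXT: prints the nft command needed to allow the
# port; prints nothing and returns 1 when the port is already allowed.
rule_cmd_for_port() {
    port=$1
    chain=$2
    if port_allowed "$chain" "$port"; then
        return 1
    fi
    verb=add
    if ends_with_drop "$chain"; then
        verb=insert
    fi
    printf 'nft %s rule inet filter input tcp dport %s accept\n' "$verb" "$port"
}

# apply_web_rules: run the real commands as root ("sudo sh script.sh apply").
# The ruleset is saved through tee because a redirection after sudo would be
# performed by the unprivileged user and fail on /etc.
apply_web_rules() {
    chain=$(nft list chain inet filter input)
    for port in 80 443; do
        cmd=$(rule_cmd_for_port "$port" "$chain") && $cmd
    done
    nft list ruleset | tee /etc/nftables.rules > /dev/null
    # Show the resulting chain so the new rules can be confirmed.
    nft list chain inet filter input
}

if [ "${1:-}" = apply ]; then
    apply_web_rules
fi
```

Run it without arguments to load the helper functions only; run "sudo sh script.sh apply" on the server to add whichever of ports 80 and 443 is still missing, save the ruleset, and print the input chain so you can confirm the new accept rules are present.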

Need Help?

Email the Spinup team: spinup@yale.edu
Join us on Yale Slack: #spinup