How do I use nftables in Linux?
To add a rule you have to name the table and the chain it belongs in. The example below walks through a simple rule change. In this scenario we have an Ubuntu 22.04 (CIS) instance running an NGINX web server. NGINX serves our website on port 443 and redirects traffic arriving on port 80 to port 443. We need nftables rules on this host that accept TCP ports 80 and 443.
Tables
Tables are the top-level containers within an nftables ruleset; they hold chains, sets, maps, flowtables, and stateful objects.
Use the following command to list the tables:
sudo nft list tables
## OUTPUT
table inet filter
We can see we have a single table called inet filter (address family inet, which covers both IPv4 and IPv6, and table name filter).
Chains
As in iptables, with nftables you attach your rules to chains. Use the command below to see which chains exist in the inet filter table:
sudo nft list table inet filter
The listing shows three chains: input, forward and output. They are base chains, each hooked into the netfilter hook of the same name:
input - sees packets addressed to the local system, after routing has decided they are for this host and before they reach the local processes; traffic to our NGINX listener arrives here, so this is the chain we will add rules to.
forward - sees packets that are routed through this host to another destination; they never reach a local process.
output - sees packets generated by processes on the local machine.
Adding Rules
We now add accept rules for TCP ports 80 and 443 to the input chain of the inet filter table. Rules in a chain are evaluated top to bottom, so the new rule has to be reached before anything that would drop the traffic: a default-deny chain that relies on policy drop is fine with an appended rule, whereas a chain that ends in an explicit drop or reject rule needs the new rule inserted in front of it.
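The following is an added example of the whole change as it would be typed on the Ubuntu host; it is not the original page's command listing. It assumes the table and chain names shown above (inet filter, input), that the input chain relies on policy drop rather than an explicit trailing drop rule (if it has one, use `insert rule` instead of `add rule`), and that the ruleset is persisted in /etc/nftables.conf, which Ubuntu's nftables.service loads with `nft -f` at boot. The SUDO and NFT variables exist only so the functions can be dry-run (NFT=echo prints each nft command instead of executing it).

```shell
#!/bin/sh
# Added example, not from the original page: open TCP 80 and 443 in the input
# chain of table "inet filter" on the Ubuntu 22.04 (CIS) host, verify, persist.
# SUDO= when already root. NFT=echo dry-runs: prints each nft command instead
# of executing it (nft talks to the kernel over netlink and needs CAP_NET_ADMIN).
SUDO="${SUDO:-sudo}"
NFT="${NFT:-$SUDO nft}"

# Step 1: one rule for both ports, using an anonymous set { 80, 443 }.
# `add rule` APPENDS to the chain. Rules are evaluated top to bottom, so this is
# right when the chain relies on `policy drop` (assumed here, as a CIS-hardened
# input chain is expected to). If an explicit drop/reject rule already ends the
# chain, use `insert rule` instead, which prepends. `counter` is optional; it
# lets you see whether the rule is being hit.
open_web_ports() {
    $NFT add rule inet filter input tcp dport '{ 80, 443 }' counter accept
}

# Step 2: read back the chain. The new rule shows up last, with its counter.
show_input_chain() {
    $NFT list chain inet filter input
}

# Step 3: machine-check a chain listing read from stdin, e.g.
#   show_input_chain | has_web_rule && echo "rule present"
has_web_rule() {
    grep -Eq 'tcp dport \{ 80, 443 \}.*accept'
}

# Step 4: persist. `add rule` only changes the live kernel ruleset and is gone
# after a reboot. Ubuntu's nftables.service loads /etc/nftables.conf with
# `nft -f`, so dump the running ruleset there, preceded by `flush ruleset` so a
# later reload does not duplicate every rule. The previous file is kept as .bak.
persist_ruleset() {
    out="${1:-/etc/nftables.conf}"
    if [ -f "$out" ]; then
        $SUDO cp -p "$out" "$out.bak"
    fi
    {
        printf '#!/usr/sbin/nft -f\nflush ruleset\n'
        $NFT list ruleset
    } | $SUDO tee "$out" >/dev/null
}

# Step 5: syntax-check the saved file without touching the live ruleset, so a
# typo cannot leave the host without a firewall after the next boot.
check_ruleset_file() {
    $NFT -c -f "${1:-/etc/nftables.conf}"
}

# Typical run on the host (uncomment):
# open_web_ports && show_input_chain
# show_input_chain | has_web_rule && persist_ruleset && check_ruleset_file
```

Run it once with `NFT=echo sh` to see exactly which nft commands will be issued, then for real. If the chain already ends in an explicit drop or reject, replace `add rule` with `insert rule` in open_web_ports; otherwise the appended rule sits after the drop and is never reached.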
We should now be able to reach our website on port 443, and requests to port 80 should be redirected to it by NGINX.