How do I use nftables in Linux?

To add new rules, you have to specify the corresponding table and the chain that you want to use. In the example below we will go through a simple rule change. In this scenario, we have an Ubuntu 22.04 (CIS) instance running an NGINX web server. NGINX is serving our website on port 443, and is also re-routing traffic from port 80 to port 443. We need to create a rule in nftables that allows ports 80 and 443 to be accepted.

Tables

Tables are the top-level containers within an nftables ruleset; they hold chains, sets, maps, flowtables, and stateful objects.

Use the following command to show/list our tables:

sudo nft list tables

## OUTPUT
table inet filter

We can see we have a table called inet filter.

Chains

As in iptables, with nftables you attach your rules to chains. Use the command below to determine what chains are available within the inet filter table.

sudo nft list table inet filter

## OUTPUT

table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		iif "lo" accept
		ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop
		ip6 saddr ::1 counter packets 0 bytes 0 drop
		ip protocol tcp ct state established accept
		ip protocol udp ct state established accept
		ip protocol icmp ct state established accept
		tcp dport 22 accept
		icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
		icmp type { destination-unreachable, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
		ip protocol igmp accept
}

	chain forward {
		type filter hook forward priority filter; policy drop;
	}

	chain output {
		type filter hook output priority filter; policy drop;
		ip protocol tcp ct state established,related,new accept
		ip protocol udp ct state established,related,new accept
		ip protocol icmp ct state established,related,new accept
	}
}

In the example output above, we can see we have three chains; input, forward and output.

input - sees incoming packets that are addressed to and have now been routed to the local system and processes running there.
forward - sees incoming packets that are not addressed to the local system.
output - sees packets that originated from processes in the local machine.

Adding Rules

In the example below, we’ll add two ACCEPT rules for 80 and 443 to the input chain of the inet filter table.

sudo nft add rule inet filter input tcp dport 443 accept
sudo nft add rule inet filter input tcp dport 80 accept
sudo nft list ruleset > /etc/nftables.rules

We should now be able to access our website being served on port 443.

To save the configuration permanently (the above commands only modify nftables temporarily), first review the configuration via the following command

sudo nft list ruleset

You should see new lines with the following text:

tcp dport 80 accept
tcp dport 443 accept

Additional Resources

https://wiki.nftables.org/wiki-nftables/index.php/Main_Page

Getting Started with nftables Firewall in Debian