If you want to keep your Linux computer safe from unwanted network traffic, using a firewall is a good idea. A firewall is like a bouncer at a party—it checks who’s trying to come in and decides who to let through and who to block. One tool you can use to do this on Linux is called nftables.
I use nftables to control which services are allowed on my server. It helps keep things quiet and secure. You don’t need to be an expert to use it, either. I’ll show you how to get started in a simple, step-by-step way.
What Is nftables?
nftables is a tool built into many modern Linux systems. It replaced older firewall tools like iptables and ip6tables.
Here’s what makes nftables helpful:
- It works with both IPv4 and IPv6 traffic
- It uses a single command-line tool called `nft`
- Its rules are easier to read and manage than older tools
When I first switched from iptables to nftables, it felt like going from a messy garage to a tidy toolbox. Everything just made more sense.
Why Use a Firewall?
A firewall controls traffic that goes in and out of your system. It can:
- Block hackers or bots trying to access your machine
- Only allow connections from trusted IP addresses
- Reduce the chance of getting malware or network attacks
Think of it like putting up a fence with a locked gate. Without one, your computer is wide open like a field with no fences.
Before We Begin
To follow along, you’ll need:
- A Linux system (Debian, Ubuntu, Fedora, etc.)
- Root or sudo access
- A terminal you’re comfortable using
You can test nftables safely on a virtual machine or home server before trying it on a production server. That’s what I did when I first started learning. Better safe than locked out.
Step 1: Is nftables Installed?
First, check if your system has nftables already:
sudo nft list ruleset
If it says something like “command not found,” then you need to install it:
On Debian/Ubuntu:
sudo apt install nftables
On CentOS/Fedora/RHEL:
sudo dnf install nftables
Once that’s done, start and enable the service:
sudo systemctl start nftables
sudo systemctl enable nftables
That tells Linux to start nftables now, and also after each reboot.
Step 2: Basic Rule Set
Now let’s set up a simple firewall ruleset. This will:
- Allow traffic on the loopback interface (your own computer talking to itself)
- Allow SSH (so you don’t lock yourself out)
- Drop everything else
Here’s a basic file we can create:
sudo nano /etc/nftables.conf
And paste this into it:
```
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
        # Allow loopback
        iif "lo" accept
        # Allow established connections
        ct state established,related accept
        # Allow SSH
        tcp dport 22 accept
        # Drop everything else
        drop
    }
}
```
Let me explain:
- `flush ruleset` clears any existing rules
- `table inet filter` creates a table (the container for your chains) that handles both IPv4 and IPv6
- `chain input` handles incoming traffic
- `iif "lo"` allows the loopback interface (that’s your own system)
- `ct state established,related` allows traffic for connections you already started
- `tcp dport 22` allows incoming SSH on port 22
- `drop` blocks all other incoming traffic (rules are checked in order, so it has to be last)
Once saved, apply the rules:
sudo nft -f /etc/nftables.conf
Boom. You’ve just created a basic firewall.
Step 3: Check Your Rules
Want to see what rules are active? Run:
sudo nft list ruleset
You’ll see the whole configuration printed out. It’s a good way to double-check that your rules are active.
If you see your loopback rule, SSH rule, and a drop rule at the bottom—you’re good.
Step 4: Add More Rules
Let’s say you want to allow web traffic on ports 80 (HTTP) and 443 (HTTPS). Add this line to the input chain above the final drop rule (rules are checked in order, so anything after drop never runs), then reload the file with sudo nft -f /etc/nftables.conf:
tcp dport {80, 443} accept
Now your firewall will allow people to visit your website. It’s that easy.
Step 5: Make Sure It Loads on Boot
Linux won’t remember your rules unless you tell it to. To make nftables rules load on boot:
sudo systemctl enable nftables
This way, the system will load your /etc/nftables.conf file each time it starts up.
I forgot this once and was confused why my firewall was gone after a reboot. Lesson learned.
Helpful Tips
Here are some things that helped me along the way:
- Use `nft list ruleset` often to check what’s going on
- Start with simple rules and test each one
- Keep a backup of your config file before making changes
Messing up firewall rules can lock you out—especially on remote servers. Always test carefully.
Three Common Mistakes to Avoid
- Blocking SSH by accident – Always allow port 22 before dropping all other traffic
- Not saving your config – Changes vanish after reboot unless you use /etc/nftables.conf
- Using old iptables rules – nftables uses a different format. Mixing them can get messy
I’ve made all three mistakes. That’s how I know not to repeat them.
Three Good Habits When Using nftables
- Write down your changes before you make them
- Comment your rules so you remember what they do
- Test on a local machine before applying on a live server
Clear notes and small steps can save you big headaches.
Bonus: Block an IP
Want to block an annoying IP address? Easy. Add this rule to the input chain, above the accept rules so it is checked first, and reload the file:
ip saddr 192.0.2.123 drop
This blocks all traffic from 192.0.2.123. I used this once when a random bot kept trying to brute-force my server. That bot got the boot.
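As an added example (not code from the original post), here is a hardened version of the Step 2 ruleset that also covers the web ports from Step 4 and the blocked-address idea from this bonus step, plus a way to load it on a remote server without locking yourself out: syntax-check with nft -c, then apply with a timed rollback. It assumes the post’s /etc/nftables.conf path; the /run/nft-backup.conf and /run/nft-confirmed files and the set names are this example’s own choices.

```shell
#!/bin/sh
# Added example (not from the post): a hardened version of the post's
# /etc/nftables.conf, checked with `nft -c` and applied with a timed rollback
# so that a bad rule cannot lock you out of a remote server.
set -eu

# Print the ruleset. Compared with the post's version: the input chain has an
# explicit `policy drop`, invalid packets are dropped, ICMP and ICMPv6 are
# accepted (IPv6 neighbour discovery runs over ICMPv6, so dropping it breaks
# IPv6), allowed TCP ports live in one set, and blocked addresses live in a
# set you can edit without reloading the file.
render_ruleset() {
    cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    set tcp_allowed { type inet_service; elements = { 22, 80, 443 } }
    set blocklist { type ipv4_addr; flags interval; }
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state invalid drop
        ip saddr @blocklist drop
        ct state established,related accept
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
        tcp dport @tcp_allowed accept
    }
}
EOF
}

# Write the file, syntax-check it, save the live ruleset, then apply with a
# background timer that restores the old ruleset after $grace seconds unless
# `touch /run/nft-confirmed` is run from a session that still works.
# The /run paths are this example's own choice.
safe_apply() {
    grace="${1:-60}"
    conf=/etc/nftables.conf
    render_ruleset > "$conf"
    nft -c -f "$conf"            # parse only; nothing is loaded on failure
    { echo "flush ruleset"; nft list ruleset; } > /run/nft-backup.conf
    rm -f /run/nft-confirmed
    ( sleep "$grace"; [ -e /run/nft-confirmed ] || nft -f /run/nft-backup.conf ) &
    nft -f "$conf"
    echo "Applied; run 'touch /run/nft-confirmed' within ${grace}s to keep it"
}

# Block an address (or a CIDR range) right away, without editing the file:
block_ip() { nft add element inet filter blocklist "{ $1 }"; }
```

Run `safe_apply 60` as root, confirm from a second SSH session, and use `block_ip 192.0.2.123` for the bonus step instead of adding a rule per address.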
Comparison: nftables vs iptables
Here’s a quick side-by-side comparison:
| Feature | iptables | nftables |
|---|---|---|
| Syntax | Complex and long | Cleaner and shorter |
| IPv4/IPv6 | Separate rules | Unified rules |
| Performance | OK | Better |
| Learning curve | Steeper | Simpler |
If iptables feels like talking in code, nftables feels like texting a friend.
Final Thoughts
nftables is a great tool for controlling your network traffic. It helps you stay in charge of who gets in and who stays out.
You don’t need to be a Linux wizard to use it. Just take your time, make a backup, and test carefully. A good firewall is like a digital guard dog—silent, loyal, and ready to growl when it needs to.
Would you like to learn how to add logging or block entire countries next?