nftables Quickstart Guide

nftables provides firewall support and NAT. This quickstart guide outlines several useful commands and techniques to assist debugging nftables.

Enable and start nftables #

Recent versions of Debian have nftables installed by default.

If you need to install nftables:

# aptitude install nftables

To enable nftables at boot:

# systemctl enable nftables.service

List current ruleset #

# nft list ruleset

Delete all rules #

To stop nftables from filtering traffic, delete all the rules.

nft flush ruleset

Disable and stop nftables #

To disable nftables from starting:

# systemctl mask nftables.service

To uninstall nftables:

# aptitude purge nftables

Simple example for SSH and web #

This trivial example allows SSH, HTTP, HTTPS, and ICMP. It denys all other inbound traffic.

Edit /etc/nftables.conf.

sudo nano /etc/nftables.conf

Replace /etc/nftables.conf with the following rules.

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # accept any localhost traffic
        iif lo accept

        # accept traffic originated from us
        ct state established,related accept

        # drop invalid packets
        ct state invalid counter drop

        # accept ssh, http, and https
        tcp dport { 22, 80, 443 } accept

        # accept icmp
        ip protocol icmp accept

        # count and reject everything else
        counter reject with icmpx type admin-prohibited

    chain forward {
        type filter hook forward priority 0; policy drop;

    chain output {
        type filter hook output priority 0; policy accept;


More information #

See for more details.

Powered by BetterDocs

Privacy Preference Center