Firewall Configuration with nftables

Firewall Configuration with nftables

Firewalls are an essential part of network security, and nftables is a powerful tool for configuring them. In this article, we’ll explore how to configure nftables. We’ll cover everything from enabling the service to adding new rules and allowing common ports. This guide has everything you need to get started.

There is no shortage of firewall configuration guides online for Linux. But most of them use the older (albeit more widespread) iptables or the front-end firewalld that uses some other firewall software behind the scenes. I am using a Debian Linux server which comes with nftables installed by default. Rather than installing extra tools, I have had a great experience using this service supported by the official distribution.

Here is the very basic nftables configuration I have been successful with. It is located at /etc/nftables.conf. You can copy & paste this as your starting point.

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority filter;

                # Allow loopback (local connections)
                iifname lo accept

                # Allow established/related
                ct state established,related accept

                # Allow incoming pings
                ip protocol icmp limit rate 1/second accept

                # Allow SSH and HTTP
                tcp dport {ssh,http} accept

                # Drop everything else
        chain forward {
                type filter hook forward priority filter;

                # Disallow forwarding
        chain output {
                type filter hook output priority filter;

                # Allow all outgoing traffic

Notice how the rules disallow all incoming traffic except pings, SSH and HTTP. This hardens your server by locking down the network and only allowing the traffic necessary for your server to work properly.

Enable the nftables service so it starts when the machine starts.

sudo systemctl enable nftables

Start the nftables service now.

sudo systemctl start nftables

If the service is already running and you just want to apply changes you recently made to the configuration, just restart the service.

sudo systemctl restart nftables

Add a New Firewall Rule

Any time you want to allow traffic for a new service on a specific port, you must add a new firewall rule.

Edit the nftables configuration file located at /etc/nftables.conf

Find the line that looks like this:

tcp dport {ssh,http} accept

Add the new port into the comma-separated list inside curly braces. For example, if you want to add a rule that allows port 3306 (common for some database software), the line will look like this:

tcp dport {ssh,http,3306} accept

Note: some ports have aliases (like ssh and http) that nftables recognizes.

Restart nftables to apply the new rules.

sudo systemctl restart nftables

More Rules

Here are some common ports on which you may want to enable incoming traffic:

  • SSH, port 22, alias ssh

  • HTTP, port 80, alias http

  • HTTPS, port 443, alias https

  • MySQL/MariaDB, port 3306, alias mysql

Configuring a firewall can be a daunting task, but using this guide as a starting point, it doesn’t have to be. We’ve covered everything you need to know to get started with nftables. From enabling it to adding new rules and allowing common ports, you now have the knowledge to configure your firewall with confidence. So if nftables comes installed by default in your Linux distribution, why not give it a try before you decide to install additional tools? If you're like me, it may be all you need.

Cover photo by Don Kaveen on Unsplash.