
nftables: A Deep Look at Linux Security

by SW Team

Discover the importance of nftables in Linux network administration. Learn how its rules and commands provide an effective firewall, control traffic and ensure security, and learn about key functions such as packet filtering, NAT, connection control and DDoS protection.



nftables is a packet filtering framework and network manipulation tool in the Linux kernel. It is a networking technology that provides a set of functions for filtering and manipulating network packets on a Linux system.

nftables replaces iptables, which has been the standard packet filtering framework in Linux for many years.

Some of the features of nftables include:

Greater efficiency

nftables is designed to be more efficient in terms of resource usage than iptables, which means that it can handle a higher volume of network traffic with less load on the system.

Improved syntax

nftables configuration syntax is more flexible and easier to understand than iptables, making it easier to create and maintain packet filtering rules.

Unification of tools

nftables unifies several network manipulation tools into a single interface, simplifying the administration and configuration of firewall and other network functions on Linux systems.

IPv4 and IPv6 support

nftables supports both IPv4 and IPv6, allowing you to filter and manipulate packets on networks using either protocol.

In summary, nftables is an advanced packet filtering and network manipulation technology in Linux that offers efficiency, flexibility, and improved syntax compared to iptables.

Main functions

The main functions of nftables include packet filtering, network address translation (NAT), load balancing, packet classification (QoS), etc.

Packet filtering

nftables allows you to define rules to filter network packets based on criteria such as IP addresses, ports, protocols, network interfaces and other characteristics. This allows you to control which packets can enter, exit or transit through the system.

Network Address Translation (NAT)

nftables can perform network address translation (NAT) to modify IP addresses and ports in network packets as they traverse the system. This is useful for implementing techniques such as source and destination address translation (SNAT and DNAT) or masquerading.

Load balancing

nftables can be used to implement load balancing in server networks, distributing incoming traffic among multiple backend servers. This improves the availability and scalability of network services by distributing the load evenly.
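The NAT and load-balancing functions described above, as an added example in the nft ruleset file format (not code from the original post): one public HTTP port is spread round-robin over two backends with DNAT, and outbound traffic from the backend LAN is rewritten with static SNAT and masquerading. The interface names and the 192.0.2.0/24 (public) and 10.0.0.0/24 (backend) addresses are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post). Interface names and
# addresses are placeholders; forwarding must be enabled on the host
# (net.ipv4.ip_forward=1) for the DNATed traffic to be routed on.

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # DNAT + load balancing: each new connection to port 80 on the public
        # interface is sent to backend 0 or 1 in turn ("numgen inc" is
        # round-robin; "numgen random mod 2" would pick at random).
        iifname "eth0" tcp dport 80 \
            dnat to numgen inc mod 2 map { 0 : 10.0.0.10, 1 : 10.0.0.11 }
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Static SNAT: backend-LAN hosts leave with one fixed public address
        oifname "eth0" ip saddr 10.0.0.0/24 snat to 192.0.2.1
        # Masquerade toward the backends so their replies come back through
        # this host even if it is not their default gateway (the backends
        # then see this host's address, not the client's, as the source)
        oifname "eth1" ip daddr { 10.0.0.10, 10.0.0.11 } masquerade
    }
}
```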

Packet logging

nftables allows you to log certain packets that match certain rules. This is useful for auditing, monitoring and network troubleshooting purposes, as it allows you to track traffic traversing the system and log important events.

Packet classification (QoS)

nftables supports packet classification to implement Quality of Service (QoS). This allows prioritizing certain types of traffic over others, ensuring adequate performance for critical applications on congested networks.

Packet Manipulation

nftables offers advanced packet manipulation capabilities, allowing specific fields of network packets to be modified as they traverse the system. This can include modification of IP addresses, ports, VLAN tags, and other packet fields.

Protection against DDoS attacks: Mitigating Threats

nftables, as a packet filtering and manipulation tool in Linux, can be used to mitigate distributed denial of service (DDoS) attacks in several ways:

Filtering by IP address

nftables can block or limit incoming traffic from suspicious IP addresses or those that are generating a high volume of requests. This can help mitigate packet flooding attacks (such as SYN flood attacks) by blocking malicious traffic at the initial stage.

Filtering by protocol and port

nftables can block traffic using certain protocols or specific ports, which can help mitigate attacks targeting specific services using those ports.

Connection limiting

nftables can impose limits on the number of simultaneous connections allowed from an IP address or to a specific service, which can help mitigate resource saturation attacks by limiting the number of connections that an attacker can establish.

Load balancing and traffic redirection

In some cases, nftables can be used to redirect incoming traffic across multiple servers or locations, which can help distribute the load and mitigate the impact of DDoS attacks.

Logging and monitoring

nftables can be configured to record detailed information about network traffic, which can aid in the detection and analysis of DDoS attacks. The logs can be used to identify malicious traffic patterns and adjust filtering rules accordingly.

It is important to note that the effectiveness of nftables in mitigating DDoS attacks depends heavily on the specific configuration and on the system's ability to process the incoming traffic. In production environments it is therefore advisable to implement a comprehensive DDoS mitigation strategy with multiple layers of defense, such as network-level solutions like intrusion detection and prevention systems (IDS/IPS), dedicated DDoS mitigation services, and application-level security measures.
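The filtering-by-IP, connection-limiting and logging measures of this section, combined into one added example in the nft ruleset file format (not code from the original post): a dynamic set tracks the rate of new connections per source, sources that exceed it are added to a blocked set that expires on its own, a second dynamic set caps simultaneous connections per source, and every block is logged. The set names, thresholds and "nft-" log prefixes are assumptions to tune per deployment.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post): per-source rate limiting,
# concurrent-connection limiting and logging for a web server. Set names,
# thresholds and log prefixes are assumptions.

table ip ddos_guard {
    # Per-source token bucket for new connections; entries expire on their own
    set new_conn_rate {
        type ipv4_addr
        flags dynamic, timeout
        size 65535
        timeout 1m
    }
    # Sources that exceeded the rate; dropped for 10 minutes
    set blocked {
        type ipv4_addr
        flags dynamic, timeout
        size 65535
        timeout 10m
    }
    # Live connections per source (ct count follows conntrack, no timeout)
    set conn_per_ip {
        type ipv4_addr
        flags dynamic
        size 65535
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid counter drop
        # Already-blocked sources are dropped before any other work
        ip saddr @blocked counter drop
        # Over 20 new connections/s (burst 50) from one source: block it,
        # log once, drop. Its later packets hit the rule above instead.
        tcp dport { 80, 443 } ct state new \
            update @new_conn_rate { ip saddr limit rate over 20/second burst 50 packets } \
            add @blocked { ip saddr } log prefix "nft-ddos-rate " counter drop
        # Over 50 simultaneous connections from one source: refuse the new one
        tcp dport { 80, 443 } ct state new \
            add @conn_per_ip { ip saddr ct count over 50 } \
            log prefix "nft-ddos-conn " counter reject with tcp reset
        tcp dport { 80, 443 } ct state new accept
        # Everything else: log at most 5 lines a minute, then drop
        limit rate 5/minute log prefix "nft-input-drop "
        counter drop
    }
}
```

The log lines land in the kernel log (dmesg, journalctl -k) with the given prefixes, so the two "nft-ddos-" prefixes make it easy to count how often each limit fires per source and adjust the thresholds.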

nftables in action: a practical example

A practical example of using nftables could be to configure a set of basic rules for a web server on a Linux system. Suppose we want to allow HTTP (port 80) and HTTPS (port 443) traffic, while blocking all other incoming traffic. In addition, we want the server to be able to make outgoing requests through any port.

Here is an example of what the nftables configuration might look like for this case:

# Flush all existing rules and sets
sudo nft flush ruleset

# Create the table and its base chains: the rules below attach to them, and
# the drop policy on input means anything no rule accepts is dropped
sudo nft add table ip filter
sudo nft add chain ip filter input '{ type filter hook input priority 0; policy drop; }'
sudo nft add chain ip filter output '{ type filter hook output priority 0; policy accept; }'

# Define IP address sets to allow/deny full access (a set belongs to a table)
sudo nft add set ip filter filter_allowed_ips '{ type ipv4_addr; }'
sudo nft add set ip filter filter_denied_ips '{ type ipv4_addr; }'

# Add allowed and denied IP addresses to the corresponding sets
# (placeholder addresses from the RFC 5737 documentation ranges; replace with your own)
sudo nft add element ip filter filter_allowed_ips '{ 192.0.2.10, 192.0.2.11 }'
sudo nft add element ip filter filter_denied_ips '{ 198.51.100.7 }'

# Accept loopback traffic and the replies to connections the server opened
# itself; without this the outgoing requests allowed below never get answers
sudo nft add rule ip filter input iif lo accept
sudo nft add rule ip filter input ct state established,related accept

# Allow access from the allowed IP addresses
sudo nft add rule ip filter input ip saddr @filter_allowed_ips accept

# Deny access from denied IP addresses
sudo nft add rule ip filter input ip saddr @filter_denied_ips drop

# Allow incoming traffic on ports 80 (HTTP) and 443 (HTTPS)
sudo nft add rule ip filter input tcp dport '{ 80, 443 }' accept

# Deny all other incoming traffic (counter shows how much was dropped)
sudo nft add rule ip filter input counter drop

# Allow outgoing traffic on all interfaces
sudo nft add rule ip filter output accept

In this example:

  • IP address sets are defined for allowed (filter_allowed_ips) and denied (filter_denied_ips) addresses.

  • Specific IP addresses are added to the allowed and denied sets.

  • Incoming connections from allowed IP addresses are allowed and incoming connections from denied IP addresses are denied.

  • Inbound traffic is allowed on ports 80 and 443.

  • All other inbound traffic not accepted in the previous rule is denied.

  • Outgoing traffic is allowed on all interfaces.

This is a basic example and can be adapted according to the specific needs of the environment and the services running on the server. It is important to note that a firewall configuration must be carefully tuned to balance security and service accessibility.

FAQs (Frequently Asked Questions)

What is nftables?

nftables is a packet filtering framework and network manipulation tool in the Linux kernel. It provides a more modern and flexible way to filter and manipulate network packets compared to iptables.

What are the differences between nftables and iptables?

nftables replaces iptables as the default packet filtering framework in Linux. It offers a more flexible and user-friendly syntax, greater resource efficiency, and greater packet handling capabilities.

Why should I use nftables instead of iptables?

nftables offers several advantages over iptables, including a more intuitive syntax, better performance, and more advanced packet handling capabilities. In addition, nftables is the future approach to packet filtering in Linux, making it a more sustainable option in the long run.

How do I install and configure nftables on my Linux system?

The installation and configuration of nftables varies depending on the Linux distribution you are using. Generally, you can install the nftables package from your distribution's software repository and then configure the filtering rules according to your specific needs.

Can I migrate my iptables rules to nftables?

Yes, it is possible to migrate iptables rules to nftables. There are tools available, such as iptables-translate, that can help convert iptables rules to nftables-compatible syntax. However, you may need to manually adjust some rules to take full advantage of nftables capabilities.

What are some advanced features of nftables?

nftables offers several advanced features, such as the ability to handle packets at the layer 2 (Ethernet) level, integration with the kernel's connection tracking system, support for multiple tables and chains, and the ability to define rules based on dynamic IP address sets.

How can I monitor network traffic with nftables?

nftables provides built-in capabilities to log packets that match certain rules. You can configure logging rules to capture information about incoming and outgoing network traffic, allowing you to perform detailed monitoring and analysis of network activity.

Are there any risks in using nftables?

As with any packet filtering tool, incorrectly configuring nftables could result in unintentional blocking of legitimate traffic or inadvertent exposure of services to the network. It is important to understand the filtering rules you are applying and perform thorough testing before deploying nftables in a production environment.