Please enable JavaScript.
Coggle requires JavaScript to display documents.
Linux nftables (Enterprise Level), nftables (Enterprise Linux Firewall),…
Linux nftables (Enterprise Level)
Introduction
What is nftables
Modern Linux packet filtering framework
Replacement for iptables, ip6tables, arptables and ebtables
Uses a single unified rule engine
High performance
Atomic rule updates
Better scalability for enterprise environments
Why Enterprises Use nftables
High performance
Easier rule management
Unified IPv4 and IPv6 firewall
Cloud and virtual machine support
Container compatible
Lower memory usage
Faster rule lookup
Supports complex security policies
Enterprise Use Cases
Datacenter firewalls
Web servers
Database servers
Application servers
Kubernetes nodes
Docker hosts
Hypervisors
Cloud workloads
SIEM environments
Bastion hosts
VPN gateways
Load balancers
Architecture
Linux Kernel
Netfilter Framework
Connection Tracking
Packet Filtering Engine
User Space
nft command
nftables.conf
Systemd service
Packet Flow
Network Interface
Netfilter Hook
nftables Chain
Rules Evaluation
Accept
Drop
Reject
Queue
Continue
Components
Tables
Container for firewall rules Example
nftables
│
├── Table filter
│ ├── Chain
│ │ ├── Rule 1
│ │ ├── Rule 2
│ │ ├── Rule 3
│ │ ├── Rule 4
|── Table nat
│ ├── Chain
│ │ ├── Rule 1
│ │ ├── Rule 1
|
├── Table docker
│ ├── Chain
├── Table kube-proxy
│ ├── Chain
└── Table monitoring
Separate policy organization
Without Table every rule mixup
Types
inet
ip
ip6
arp
bridge
netdev
Enterprise Recommendation
Prefer inet table
Single firewall for IPv4 and IPv6
Chains
Collection of rule
Base Chain
Connected to kernel hooks
A Base Chain is directly connected to the Linux kernel networking stack through a hook.
Regular Chain
Called from another chain
A Regular Chain is not connected to any kernel hook
Rules
Match conditions
Action
Logging
Counters
Rate limiting
Rule
Rule
Condion Match
Match Condition
Match Conditions (What packet to match?)
ip saddr 192.168.1.10
Source IP == 192.168.1.10
ip daddr 8.8.8
Destination == 8.8.8.88
ip protocol tcp
Only TCP packets
tcp sport 443
Source Port = 443
tcp dport 22
Destination Port = SSH
Incoming interface
iif "eth0"
Outgoing interface
oif "eth1"
Connection State (conntrack)
Very common in enterprise firewalls.
ct state established
Possible states
new
established
related
invalid
untracked
Example
ct state established,related
MAC Address
ether saddr AA:BB:CC:DD:EE:FF
Packet Size
meta length > 1000
Example Rule
tcp dport 22 ip saddr 192.168.1.100
Meaning
IF
TCP
AND
Destination Port = 22
AND
Source IP = 192.168.1.100
THEN
(rule action executes)
Action (What to do?)
After a packet matches, nftables performs an action (verdict).
Accept
Advantages
Reduces CPU usage
Stops unnecessary rule evaluation
Fast processing
Enterprise Example
nft add rule inet filter input ip saddr 192.168.10.0/24 tcp dport 22 accept
Allow SSH from Management Network only
Commands
nft add rule inet filter input udp dport 53 accept
nft add rule inet filter input tcp dport 443 accept
nft add rule inet filter input tcp dport 22 accept
Enterprise Uses
Allow Backup traffic
Allow Monitoring
Allow DNS
Allow SSH
Allow HTTPS
Packet Flow
Packet reaches application or next networking stage
Rule processing stops
Accept verdict issued
Packet matches rule
Definition
Packet continues through the networking stack.
Firewall stops checking further rules in the current chain.
Accept immediately allows the packet.
Drop
Definition
Drop silently discards the packet.
No notification is sent to the sender.
Sender believes packet was lost.
Packet Flow
Packet matches rule
Packet deleted
Sender receives nothing
Enterprise Uses
Internet scanning
DDoS mitigation
Bot traffic
Malware traffic
Brute force attacks
Commands
nft add rule inet filter input ip saddr 10.10.10.5 drop
nft add rule inet filter input tcp dport 23 drop
Advantages
Hides server existence
Slows attackers
Prevents reconnaissance
Disadvantages
Legitimate users receive no response
Troubleshooting becomes harder
Reject
Definition
Reject blocks the packet but also sends an error response to the sender.
Sender immediately knows communication failed.
Error Types
ICMP Destination Unreachable
ICMP Host Prohibited
TCP Reset
Packet Flow
Packet arrives
Rule matches
Reject response generated
Sender receives notification
Enterprise Uses
Internal corporate firewalls
Troubleshooting
Development environments
User friendly firewall policies
Commands
nft add rule inet filter input tcp dport 23 reject
nft add rule inet filter input reject with icmp type admin-prohibited
nft add rule inet filter input reject with tcp reset
Advantages
Faster client response
Easier troubleshooting
Disadvantages
Reveals server existence
Jump
Definition
Jump transfers packet processing to another chain.
After that chain finishes, processing returns to the original chain.
Similar to calling a function in programming.
Packet Flow
Current Chain
1 more item...
Enterprise Uses
Modular firewall design
Reusable rule sets
Separate management rules
Separate web rules
Separate database rules
Commands
nft add chain inet filter ssh_rules
nft add rule inet filter input jump ssh_rules
nft add rule inet filter ssh_rules tcp dport 22 accept
Advantages
Cleaner firewall
Easier maintenance
Better readability
Goto
Definition
Goto transfers processing permanently to another chain.
Processing never returns to the original chain.
Packet Flow
Current Chain
1 more item...
Difference from Jump
Jump returns
Goto never returns
Enterprise Uses
Policy routing
Permanent branch selection
Large firewall architectures
Commands
nft add chain inet filter web_policy
nft add rule inet filter input goto web_policy
Advantages
Simplifies policy routing
Efficient for large firewalls
Return
Definition
Return exits the current chain.
If the chain was entered by Jump, processing resumes after the Jump rule.
If the chain is a Base Chain, the chain policy is applied.
Packet Flow
Jump
2 more items...
Enterprise Uses
End reusable chain
Exit policy modules
Modular firewall management
Commands
nft add rule inet filter ssh_rules return
Difference
Jump uses Return
Goto ignores Return
Queue
Definition
Queue sends packets from kernel space to userspace.
A userspace application decides the packet's fate.
Related Technologies
NFQUEUE
Suricata
Snort
IPS
Antivirus
Deep Packet Inspection
AI Security Engines
Packet Flow
Packet arrives
nftables Queue
Userspace Application
Application Analysis
Verdict Returned
3 more items...
Enterprise Uses
Intrusion Prevention Systems
Malware detection
Deep Packet Inspection
AI traffic inspection
Compliance inspection
Commands
nft add rule inet filter input queue
nft add rule inet filter input queue num 5
Advantages
Advanced inspection
Application intelligence
Flexible security
Disadvantages
Higher CPU usage
Increased latency
Userspace dependency
Verdict Comparison
Continue
Keeps checking next rule
Rule processing continues
Accept
Allows packet immediately
Stops current chain processing
Drop
Silently discards packet
Sender receives no response
Reject
Blocks packet
Sends error response
Jump
Moves temporarily to another chain
Returns to original chain
Goto
Moves permanently to another chain
Never returns
Return
Leaves current chain
Returns to caller or applies base chain policy
Queue
Sends packet to userspace
External application decides final action
Enterprise Firewall Design Example
Table
inet filter
Base Chains
input
forward
output
User Chains
management_rules
web_rules
database_rules
monitoring_rules
logging_rules
vpn_rules
ids_queue
Packet Processing
Input Chain
10 more items...
Enterprise Best Practices
Default policy should be Drop
Accept only required services
Use Jump for modular configuration
Use Return to exit reusable chains
Use Goto only for permanent policy transitions
Use Queue only with IDS or IPS solutions
Log before Drop when investigating incidents
Use Connection Tracking before service rules
Keep firewall rules organized by function
Test firewall rules in staging before production
Backup rules before making changes
Monitor nftables counters regularly
Integrate nftables logs with SIEM platforms
Logging (Record packet information)
Definition
Logging means recording information about packets that match a firewall rule.
The packet is NOT stored.
Only information (metadata) about the packet is written to a log.
Logging helps administrators understand what traffic is entering, leaving, or being blocked by the firewall.
Logging is mainly used for
Security Monitoring
Troubleshooting
Compliance
Auditing
Incident Response
Forensics
Network Analysis
Purpose of Logging
Detect intrusion attempts
Monitor suspicious activities
Identify misconfigured applications
Debug firewall rules
Verify security policies
Maintain audit records
Meet compliance requirements
PCI-DSS
ISO 27001
HIPAA
SOC 2
NIST
Logging Workflow
Packet Arrives
Firewall receives packet.
Rule Matching
nftables checks every rule.
Packet Matches Rule
Logging action is triggered.
Kernel Generates Log
Linux Kernel creates log message.
Enterprise Uses
Security Operations Center (SOC)
Detect attacks
Investigate incidents
Monitor threats
Blue Team
Identify malicious traffic
Verify firewall effectiveness
nftables Logging Action
log
Records packet information.
Example
log
Log with Prefix
log prefix "SSH Attempt "
Log with Severity
log level warning
Log with Flags
log flags all
Log with Packet Snapshot
log snaplen 128
Log with Queue Threshold
log queue-threshold 10
Important Logging Parameters
prefix
Adds custom text.
Makes searching easier.
level
Kernel log severity.
emergency
System unusable
alert
Immediate action required
critical
Critical condition
error
Error condition
warning
Warning message
notice
Normal but significant event
info
Informational message
debug
Debugging information
flags
tcp sequence
tcp options
ip options
skuid
ether
all
snaplen
Number of bytes captured from packet.
queue-threshold
Number of packets before flushing logs.
Enterprise Logging Examples
Log Every SSH Attempt
tcp dport 22 log prefix "SSH Connection "
Log Blocked Packets
ip protocol tcp log prefix "Blocked TCP "
Log ICMP
icmp type echo-request log prefix "Ping "
Log Invalid Packets
ct state invalid log prefix "Invalid Packet "
Logging with Verdict
Log and Accept
tcp dport 443 log prefix "HTTPS " accept
Log and Drop
tcp dport 23 log prefix "Blocked Telnet " drop
Log and Reject
tcp dport 25 log prefix "Rejected SMTP " reject
Logging Connection Tracking
New Connection
ct state new log prefix "NEW Connection "
Established Connection
ct state established log prefix "ESTABLISHED "
Invalid Connection
ct state invalid log prefix "INVALID "
Related Connection
ct state related log prefix "RELATED "
Logging Rate Limiting
Purpose
Prevent log flooding.
Reduce disk usage.
Protect CPU resources.
Example
limit rate 10/second log
Example
limit rate 5/minute log
Where Logs Are Stored
systemd Journal
Command
journalctl
View Kernel Logs
journalctl -k
Live Monitoring
journalctl -kf
rsyslog
Configuration Directory
/etc/rsyslog.conf
/etc/rsyslog.d/
Common Log Files
/var/log/messages
/var/log/syslog
/var/log/kern.log
/var/log/firewalld
syslog-ng
Configuration
/etc/syslog-ng/
nftables Configuration Files
Main Configuration
/etc/nftables.conf
Additional Rule Files
/etc/nftables/
Runtime Rules
nft list ruleset
Useful Commands
Display Rules
nft list ruleset
Display Table
nft list table inet filter
Display Chain
nft list chain inet filter input
Show Counters
nft list ruleset
Monitor Rules
nft monitor
Monitor Trace
nft monitor trace
View Kernel Logs
journalctl -k
Follow Kernel Logs
journalctl -kf
Search SSH Logs
journalctl | grep SSH
Search nftables Logs
journalctl | grep nft
Search Firewall Logs
grep DROP /var/log/messages
Search Kernel Logs
grep nft /var/log/kern.log
Counters (Count packets and bytes)
Counters (Count Packets and Bytes) in nftables (Enterprise Level)
What are Counters?
Definition
Counter is a built-in nftables feature that records how much network traffic matches a firewall rule.
Every time a packet matches a rule, the counter increases automatically.
Counters do not affect traffic.
Counters only collect statistics.
Purpose
Monitor firewall activity.
Verify firewall rules are working.
Detect attacks.
Troubleshoot network problems.
Capacity planning.
Security auditing.
Compliance reporting.
Performance monitoring.
Difference Between Filtering and Counting
Filtering
Decides whether to accept, drop, reject, or continue processing packets.
Counter
Only records how many packets and bytes matched the rule.
Does not allow or block traffic.
Basic Concepts
Packet
A packet is the smallest unit of data transmitted over a network.
Every email, website request, SSH connection, video stream, or file transfer is broken into packets.
Byte
A byte is a unit of data consisting of eight bits.
Packet counters count the number of packets.
Byte counters count the total amount of transferred data.
Packet Counter
Counts how many packets matched a rule.
Byte Counter
Counts the total size of all matched packets.
Rule Match
Counter increases only when a packet matches all rule conditions.
Counter Value
Packet Count
Number of matching packets.
Byte Count
Total bytes of matching packets.
Why Enterprises Use Counters
Security Monitoring
Detect SSH brute-force attacks.
Detect port scanning.
Detect denial-of-service attacks.
Detect abnormal traffic.
Firewall Validation
Verify whether firewall rules are actually being used.
Find unused firewall rules.
Optimize firewall policies.
Capacity Planning
Identify heavily used services.
Measure application traffic.
Plan bandwidth upgrades.
Compliance
Generate firewall audit reports.
Demonstrate firewall policy enforcement.
Support security audits.
Troubleshooting
Verify whether traffic reaches the firewall.
Confirm whether packets match expected rules.
Diagnose application connectivity issues.
Where Counters Exist
Kernel Space
nftables counters exist inside the Linux kernel.
Kernel updates counters for every matching packet.
Userspace
nft command reads counter values from the kernel.
Configuration File
/etc/nftables.conf
Permanent firewall configuration.
May include counter keyword.
Runtime Configuration
Active rules stored inside kernel memory.
nftables Architecture
Kernel
Packet Processing Engine
Receives packets.
Evaluates firewall rules.
Updates counters.
Netfilter Framework
Provides packet filtering infrastructure.
nftables
Firewall framework using Netfilter.
nft Command
User interface to manage firewall rules.
Packet Processing Flow
Network Packet Arrives
↓
Netfilter Hook
↓
nftables Table
↓
Chain
↓
Rule Matching
↓
Counter Updated
Packet Counter +1
Byte Counter +Packet Size
↓
Rule Action
Accept
Drop
Reject
Continue
Counter Lifecycle
Rule Created
Counter starts at zero packets.
Counter starts at zero bytes.
Packet Matches Rule
Packet count increases.
Byte count increases.
More Traffic Arrives
Counter values continue increasing.
Rule Deleted
Counter values are lost.
System Reboot
Runtime counters reset.
Rules reload from configuration.
Counters begin again unless external monitoring stores statistics.
Counter Syntax
Basic Counter
counter
Counter Before Action
tcp destination port 22 counter accept
Counter With Drop
tcp destination port 23 counter drop
Example Rules
Count SSH Traffic
nft add rule inet filter input tcp dport 22 counter accept
Count HTTP Traffic
nft add rule inet filter input tcp dport 80 counter accept
Count HTTPS Traffic
nft add rule inet filter input tcp dport 443 counter accept
Count DNS Queries
nft add rule inet filter input udp dport 53 counter accept
Count ICMP
nft add rule inet filter input icmp type echo-request counter accept
Count Dropped Packets
nft add rule inet filter input ip protocol tcp counter drop
Viewing Counters
Show Entire Ruleset
nft list ruleset
Show Specific Table
nft list table inet filter
Show Specific Chain
nft list chain inet filter input
Display Handles
nft --handle list ruleset
Numeric Output
nft list ruleset -n
Detailed Statistics
nft list ruleset -a
Example Output
tcp dport 22 counter packets 250 bytes 18500 accept
tcp
Protocol
dport
Destination Port
22
SSH Service
counter
Enable statistics
packets
Number of matching packets
250
Packet count
bytes
Total transferred bytes
18500
Byte count
accept
Firewall action
Understanding Packet Counter
One SSH Packet
Packets
1
Ten SSH Packets
Packets
10
One Thousand SSH Packets
Packets
1000
Understanding Byte Counter
Packet Size
100 Bytes
Counter increases by 100
500 Bytes
Counter increases by 500
1500 Bytes
Counter increases by 1500
Example
Packet 1
100 Bytes
Packet 2
500 Bytes
Packet 3
1000 Bytes
Packet Counter
3
Byte Counter
1600
Enterprise Monitoring Examples
SSH Server
Count administrator logins.
Detect brute-force attacks.
Identify peak login times.
Web Server
Count HTTP traffic.
Count HTTPS traffic.
Measure web usage.
DNS Server
Count DNS requests.
Detect DNS flooding.
Mail Server
Count SMTP traffic.
Count IMAP traffic.
Count POP3 traffic.
Database Server
Count MySQL traffic.
Count PostgreSQL traffic.
Security Analysis
Port Scan Detection
Unexpected packet increases.
Multiple destination ports.
Brute Force Detection
High SSH packet count.
Repeated login attempts.
Denial-of-Service Detection
Extremely high packet counts.
Rapid byte growth.
Malware Detection
Unexpected outbound traffic.
Unknown destination ports.
Performance Analysis
Traffic Volume
Total packets.
Total bytes.
Service Popularity
Most used services.
Bandwidth Usage
Bytes transferred.
Peak Usage Hours
Monitor counter growth over time.
Counter Reset
Delete Rule
Removes counter.
Flush Rules
Removes all counters.
nft flush ruleset
Reload Rules
Counters restart from zero.
systemctl restart nftables
Logging vs Counters
Counter
Counts packets.
Counts bytes.
Very low overhead.
No packet details.
Log
Records packet information.
Source address.
Destination address.
Protocol.
Timestamp.
Higher resource usage.
Counters with Logging
Rule
nft add rule inet filter input tcp dport 22 counter log prefix "SSH " accept
Packet Flow
Packet arrives.
Counter increases.
Log entry written.
Packet accepted.
Counters with Rate Limiting
Rule
nft add rule inet filter input tcp dport 22 limit rate 10/minute counter accept
Flow
Rate limit evaluated.
Matching packets counted.
Accepted packets processed.
Counters with Connection Tracking
New Connections
nft add rule inet filter input ct state new counter accept
Established Connections
nft add rule inet filter input ct state established counter accept
Invalid Connections
nft add rule inet filter input ct state invalid counter drop
Enterprise Reporting
Daily Firewall Reports
Packet totals.
Byte totals.
Top services.
Dropped traffic.
Weekly Reports
Traffic growth.
Security events.
Capacity planning.
Monthly Reports
Firewall utilization.
Service usage.
Security trends.
Best Practices
Add counters to important firewall rules.
Monitor SSH traffic.
Monitor HTTP and HTTPS traffic.
Monitor DNS traffic.
Monitor dropped packets.
Monitor invalid connections.
Review counters regularly.
Remove unused firewall rules.
Export statistics to monitoring platforms.
Integrate with
Prometheus
Grafana
Zabbix
Elastic Stack
Splunk
SIEM platforms
Enterprise File Locations
Main Configuration
/etc/nftables.conf
Systemd Service
/usr/lib/systemd/system/nftables.service
Runtime Rules
Linux Kernel Memory
Kernel Interface
Netfilter Framework
Command Binary
/usr/sbin/nft
Manual Page
man nft
Service Management
systemctl status nftables
systemctl start nftables
systemctl stop nftables
systemctl restart nftables
systemctl enable nftables
Useful Commands
Check nftables Version
nft --version
List Complete Ruleset
nft list ruleset
List Tables
nft list tables
List Chains
nft list chains
List Specific Table
nft list table inet filter
List Specific Chain
nft list chain inet filter input
Show Rule Handles
nft --handle list ruleset
Add Counter Rule
nft add rule inet filter input tcp dport 22 counter accept
Delete Rule by Handle
nft delete rule inet filter input handle 15
Save Configuration
nft list ruleset > /etc/nftables.conf
Reload Configuration
nft -f /etc/nftables.conf
Check Service Status
systemctl status nftables
Interview Questions
What is a counter in nftables?
What is the difference between packets and bytes?
Does a counter affect packet filtering?
Where are counters stored?
How do you display counter values?
How do you reset counters?
How do counters help during troubleshooting?
Why are counters important for enterprise firewall monitoring?
Difference between logging and counters?
How are counters used with connection tracking?
How can counters help detect attacks?
Which enterprise monitoring tools collect nftables counter statistics?
Rate Limiting (Limit packet processing)
Rate Limiting (Limit Packet Processing)
Purpose
Controls how many packets or connections are processed within a specific time period.
Prevents a single host or application from overwhelming the firewall or server.
Protects against network abuse, floods, brute-force attacks, and denial-of-service attacks.
Reduces unnecessary CPU, memory, and network resource consumption.
Allows legitimate traffic while restricting excessive traffic.
Commonly used in enterprise firewalls, web servers, VPN gateways, SSH servers, DNS servers, mail servers, and APIs.
Enterprise Definition
Rate limiting is a firewall mechanism that measures the arrival rate of packets, connections, or events and applies an action only when the traffic rate matches the configured threshold.
Why Rate Limiting is Required
Prevent SSH brute-force attacks.
Reduce SYN flood attacks.
Protect public web servers.
Prevent excessive ICMP (Ping) traffic.
Prevent log flooding.
Protect DNS servers from amplification attacks.
Prevent API abuse.
Improve firewall performance.
Reduce CPU utilization.
Protect backend applications.
Improve network stability.
If traffic exceeds limit
Rule no longer matches.
Packet may be dropped.
Packet may be rejected.
Packet may be ignored.
Packet may be logged.
Packet may match another rule.
Internal Components
Packet Counter
Counts packets.
Time Window
Defines measurement interval.
Token Bucket Algorithm
Controls packet allowance.
Burst Bucket
Stores temporary extra tokens.
Packet Timer
Calculates refill timing.
Rule Matcher
Compares current packet rate with configured rule.
Verdict Engine
Accept
Drop
Reject
Log
Continue
Token Bucket Algorithm
Enterprise Standard Algorithm
Used by nftables.
Used by Linux Traffic Control.
Used by routers.
Used by switches.
Used by cloud firewalls.
Concept
Imagine a bucket.
Bucket contains tokens.
Every arriving packet consumes one token.
Tokens are continuously added over time.
If token exists
Packet allowed.
If bucket becomes empty
Packet exceeds configured rate.
Rule stops matching.
Components
Bucket
Stores available tokens.
Token
Permission to process one packet.
Refill Rate
Number of new tokens added each second.
Bucket Capacity
Maximum number of stored tokens.
Burst
Temporary allowance above normal rate.
Example
Bucket Size
1 more item...
Refill Rate
1 more item...
nftables Rate Limit Syntax
Basic Syntax
limit rate 10/second
General Structure
limit
1 more item...
rate
1 more item...
Number
1 more item...
Time Unit
4 more items...
Time Units
second
Highest precision.
minute
Medium precision.
hour
Long-term rate limiting.
day
Rarely used.
Examples
10 packets every second
limit rate 10/second
100 packets every minute
limit rate 100/minute
500 packets every hour
limit rate 500/hour
1000 packets every day
limit rate 1000/day
Burst
Purpose
Allows temporary spikes without blocking legitimate users.
Example
limit rate 20/second burst 40 packets
Meaning
Normal Rate
1 more item...
Temporary Burst
1 more item...
Afterwards
1 more item...
Without Burst
Every spike immediately limited.
With Burst
Small traffic spikes accepted.
Enterprise Usage
Web servers.
APIs.
VPN gateways.
DNS servers.
Packet-Based Limiting
Syntax
limit rate 50/second
Measures
Packet count.
Suitable For
SSH.
DNS.
ICMP.
HTTP.
HTTPS.
Byte-Based Limiting
Syntax
limit rate 5 mbytes/second
Measures
Traffic volume.
Suitable For
Large file transfers.
Streaming.
Backup traffic.
Connection Rate Limiting
Purpose
Controls new connection creation.
Example
ct state new limit rate 30/minute
Meaning
Only new connections counted.
Existing connections unaffected.
Enterprise Use
SSH servers.
VPN concentrators.
Web applications.
Connection Tracking Integration
ct state new
Rate limit only new sessions.
ct state established
Existing connections continue normally.
ct state related
Related packets continue.
ct state invalid
Usually dropped immediately.
ICMP Rate Limiting
Purpose
Prevent Ping Flood attacks.
Rule
icmp type echo-request limit rate 5/second accept
Meaning
Only five ping requests each second accepted.
SSH Brute Force Protection
Rule
tcp dport 22 ct state new limit rate 3/minute accept
Meaning
Only three new SSH login attempts per minute allowed.
HTTP Protection
Rule
tcp dport 80 limit rate 500/second accept
Protects
Web servers.
APIs.
Reverse proxies.
DNS Protection
Rule
udp dport 53 limit rate 200/second accept
Prevents
DNS floods.
DNS amplification.
Logging Rate Limiting
Problem
Massive attacks generate millions of log entries.
Solution
log limit rate 5/second
Benefits
Smaller log files.
Lower disk usage.
Better performance.
Easier analysis.
Combined Rule Example
tcp dport 22
ct state new
limit rate 3/minute
log
accept
Processing Order
Packet arrives.
TCP destination port checked.
Connection state checked.
Rate checked.
Packet logged.
Packet accepted.
Enterprise Deployment Locations
Internet Edge Firewall
Protect external services.
DMZ Firewall
Protect public-facing servers.
Internal Firewall
Limit internal abuse.
Kubernetes Nodes
Protect workloads.
Containers
Protect containerized applications.
Cloud Firewalls
AWS.
Azure.
Google Cloud.
VPN Gateways
Protect remote access.
Load Balancers
Prevent overload.
Configuration Files
Main nftables Configuration
/etc/nftables.conf
Additional Rule Files
/etc/nftables/
Runtime Rules
Kernel Memory
Service
nftables.service
Useful Commands
Check nftables Service
systemctl status nftables
Start Service
systemctl start nftables
Stop Service
systemctl stop nftables
Restart Service
systemctl restart nftables
Enable at Boot
systemctl enable nftables
Disable at Boot
systemctl disable nftables
List Complete Ruleset
nft list ruleset
List Specific Table
nft list table inet filter
List Chain
nft list chain inet filter input
Validate Configuration
nft -c -f /etc/nftables.conf
Load Configuration
nft -f /etc/nftables.conf
Save Rules
nft list ruleset > /etc/nftables.conf
Monitor Rule Activity
nft monitor
View Counters
nft list ruleset
Example Enterprise Rules
SSH Protection
tcp dport 22 ct state new limit rate 3/minute accept
HTTP Protection
tcp dport 80 limit rate 500/second accept
HTTPS Protection
tcp dport 443 limit rate 1000/second accept
DNS Protection
udp dport 53 limit rate 200/second accept
Ping Protection
icmp type echo-request limit rate 5/second accept
Log Protection
log limit rate 10/second
Advantages
Protects against brute-force attacks.
Mitigates denial-of-service attacks.
Reduces CPU utilization.
Prevents excessive logging.
Improves server availability.
Allows controlled traffic bursts.
Protects enterprise applications.
Improves firewall efficiency.
Maintains network stability.
Supports high-availability environments.
Limitations
Not a complete DDoS protection solution.
Cannot inspect application-layer behavior.
Must be tuned according to network traffic.
Excessively low limits may block legitimate users.
Requires connection tracking for connection-based rules.
Large burst values reduce effectiveness.
Enterprise Best Practices
Use connection tracking with rate limiting.
Apply limits only to new connections where possible.
Use burst values for legitimate traffic spikes.
Rate-limit logging separately.
Protect public-facing services first.
Monitor counters regularly.
Validate configuration before applying.
Save tested rules permanently.
Test under production-like traffic.
Document every rate limit policy.
Review limits periodically based on traffic patterns.
Combine with sets, maps, counters, logging, connection tracking, ingress filtering, IDS/IPS, reverse proxies, and DDoS protection for layered enterprise security.
Sets
Sets
Definition
A Set is a collection of values stored once and referenced by firewall rules.
Instead of creating hundreds or thousands of individual firewall rules, nftables stores values in a high-performance lookup table.
The firewall checks whether a packet's value exists in the set instead of comparing against every rule.
Sets improve firewall performance, simplify administration, and reduce CPU usage.
Primarily used for
Source IP addresses
Destination IP addresses
Network prefixes (CIDR)
TCP ports
UDP ports
MAC addresses
Interface names
User IDs
Group IDs
Protocol numbers
Connection tracking states
Time values
Marks
Interface indexes
Concatenated fields (IP + Port)
Enterprise Purpose
Reduce number of firewall rules
Improve packet processing speed
Simplify firewall management
Enable dynamic updates without reloading entire firewall
Centralize IP management
Support threat intelligence integration
Allow automation tools to update firewall entries
Improve scalability for large environments
Why Sets Exist
Without Sets
Every IP requires its own firewall rule
Large rule lists
Slower packet matching
Higher CPU utilization
Difficult maintenance
Increased memory usage
With Sets
One firewall rule references one set
Thousands of IPs stored inside the set
Kernel performs fast lookup
Smaller ruleset
Easier management
Better scalability
Packet Processing
Packet arrives
Kernel receives packet
nftables chain is evaluated
Rule references a set
Kernel performs lookup inside the set
Match found
Execute rule action
Match not found
Continue evaluating remaining rules
Fast Lookup
Definition
Fast lookup means nftables does not compare packets against every firewall rule.
Instead, the kernel performs an optimized search inside the set.
Traditional Rule Matching
Rule 1
Compare
Rule 2
Compare
Rule 3
Compare
Hundreds of comparisons
Thousands of comparisons
Set Lookup
Packet arrives
Search directly inside set
Match immediately
Execute action
Kernel Implementation
Hash tables
Red-black trees
Interval trees
Optimized kernel data structures
Advantages
Constant or logarithmic lookup time
Lower latency
Reduced CPU utilization
Faster packet processing
Suitable for very large rule databases
Replace Multiple Rules
Traditional Firewall
Rule
Allow 192.168.1.10
Rule
Allow 192.168.1.20
Rule
Allow 192.168.1.30
Hundreds of similar rules
nftables Set
Store all IPs in one set
Create one firewall rule
Rule references the set
Benefits
Smaller configuration
Easier maintenance
Faster processing
Simpler automation
Lower chance of configuration errors
Enterprise Example
Thousands of branch offices
Thousands of VPN clients
Thousands of application servers
Single firewall rule references all authorized addresses
Set Types
IPv4 Address
type ipv4_addr
IPv6 Address
type ipv6_addr
Ethernet MAC Address
type ether_addr
TCP Service Port
type inet_service
Interface Name
type ifname
Integer
type integer
UID
type uid
GID
type gid
Mark
type mark
Combination Sets
IP + Port
IP + Interface
IP + Protocol
Creating Sets
Create Table
Command
nft add table inet firewall
Create Set
Command
nft add set inet firewall trusted_hosts { type ipv4_addr; }
Add Elements
Command
nft add element inet firewall trusted_hosts { 192.168.1.10, 192.168.1.20, 192.168.1.30 }
Display Set
Command
nft list set inet firewall trusted_hosts
Delete Element
Command
nft delete element inet firewall trusted_hosts { 192.168.1.20 }
Destroy Set
Command
nft delete set inet firewall trusted_hosts
Anonymous Sets
Definition
Temporary set created directly inside a rule
Not reusable
Example
nft add rule inet firewall input ip saddr { 192.168.1.10, 192.168.1.20 } accept
Characteristics
Exists only in that rule
Good for small configurations
Named Sets
Definition
Permanent reusable set
Advantages
Reusable
Easier updates
Better enterprise management
Automation friendly
Dynamic Sets
Definition
Entries added or removed while firewall is running
Enterprise Usage
Automatic blocking
IDS integration
IPS integration
Threat intelligence
Fail2Ban
CrowdSec
Security automation
Interval Sets
Definition
Store ranges instead of individual values
Example
192.168.1.0/24
10.0.0.0/8
Benefits
Smaller memory usage
Faster lookup
Timeout Sets
Definition
Entries expire automatically
Example
Temporary attacker blocking
Temporary VPN access
Dynamic quarantine
Example Command
nft add set inet firewall blocked { type ipv4_addr; timeout 1h; }
IP Whitelist
Definition
List of trusted IP addresses
Only listed systems are allowed access
Enterprise Usage
SSH administration
Database access
VPN gateways
Backup servers
Monitoring servers
Management network
Workflow
Packet arrives
Source IP checked
Exists in whitelist
Permit connection
Not found
Deny connection
Example Commands
nft add set inet firewall whitelist { type ipv4_addr; }
nft add element inet firewall whitelist { 192.168.1.10,192.168.1.11 }
nft add rule inet firewall input ip saddr
whitelist
accept
Advantages
Strong security
Least privilege
Controlled access
Reduced attack surface
IP Blacklist
Definition
List of blocked IP addresses
Enterprise Usage
Known attackers
Brute-force sources
Malware hosts
Spam servers
Compromised systems
Workflow
Packet arrives
Source IP checked
Exists in blacklist
Drop packet immediately
Not found
Continue evaluation
Example Commands
nft add set inet firewall blacklist { type ipv4_addr; }
nft add element inet firewall blacklist { 203.0.113.50 }
nft add rule inet firewall input ip saddr
blacklist
drop
Advantages
Immediate blocking
Easy updates
Dynamic automation
Lower processing cost
Country Blocking
Definition
Blocking traffic originating from selected countries.
How It Works
IP address
GeoIP database
Country mapping
Firewall imports country IP ranges
Sets contain network ranges
Packets from matching ranges are blocked
Data Sources
MaxMind GeoLite2
IP2Location
DB-IP
Commercial GeoIP databases
Enterprise Use Cases
Regulatory compliance
Reduce attack surface
Block regions with no legitimate business
Fraud prevention
Reduce unwanted traffic
Workflow
GeoIP database generates country IP ranges
Automation script updates nftables sets
Firewall checks source network
Matching country
Drop packet
Other countries
Continue processing
Limitations
VPN usage
Proxy servers
Cloud providers
Shared hosting
GeoIP database accuracy
Threat Intelligence Feeds
Definition
Continuously updated lists of malicious IP addresses, domains, and networks.
Purpose
Automatically block known malicious infrastructure.
Sources
AbuseIPDB
Spamhaus
AlienVault Open Threat Exchange
Emerging Threats
Cisco Talos Intelligence
Proofpoint ET Intelligence
IBM X-Force Exchange
Open Source Intelligence feeds
Feed Contents
Botnet servers
Malware command and control servers
Phishing infrastructure
Spam sources
Exploit servers
Ransomware infrastructure
Tor exit nodes
Scanning systems
Enterprise Workflow
Threat feed downloaded
Parser processes feed
IP addresses extracted
nftables set updated
Firewall immediately blocks malicious sources
Automation
Cron jobs
systemd timers
Python automation
Bash scripts
Ansible playbooks
Security Orchestration Automation and Response platforms
Benefits
Near real-time protection
Reduced manual work
Faster incident response
Improved security posture
Continuous updates
Enterprise Automation
Configuration Management
Ansible
Puppet
Chef
SaltStack
SIEM Integration
Wazuh
Elastic Security
Splunk Enterprise Security
IBM QRadar
Microsoft Sentinel
IDS Integration
Suricata
Snort
Zeek
IPS Integration
Suricata IPS
Hardware firewalls
Linux security gateways
Endpoint Integration
CrowdSec
Fail2Ban
Endpoint Detection and Response platforms
Configuration Files
Main Configuration
/etc/nftables.conf
Include Directory
/etc/nftables/
Runtime Rules
Stored inside kernel memory
Service
nftables.service
Useful Commands
Check Version
nft --version
List Entire Ruleset
nft list ruleset
List Tables
nft list tables
List Chains
nft list chains
List Sets
nft list sets
Display Specific Set
nft list set inet firewall whitelist
Flush Set
nft flush set inet firewall whitelist
Delete Set
nft delete set inet firewall whitelist
Save Rules
nft list ruleset > /etc/nftables.conf
Load Rules
nft -f /etc/nftables.conf
Validate Configuration
nft -c -f /etc/nftables.conf
Enable Service
systemctl enable nftables
Start Service
systemctl start nftables
Restart Service
systemctl restart nftables
Check Service Status
systemctl status nftables
Enterprise Best Practices
Use named sets instead of hundreds of rules
Separate whitelist and blacklist sets
Use timeout sets for temporary blocking
Automate updates using Ansible
Integrate threat intelligence feeds
Regularly validate configuration before deployment
Keep GeoIP databases updated
Monitor firewall counters
Log blocked traffic for analysis
Store configuration in version control
Test changes in staging before production
Apply Principle of Least Privilege
Review whitelist entries periodically
Remove obsolete blacklist entries
Document all firewall changes
Maps
Maps
Definition
Special nftables data structure
Performs key → value lookups
Similar to a dictionary (hash table) or database lookup
Replaces long lists of matching rules
Makes firewall rules smaller, faster, and easier to maintain
Available inside an nftables table
Can be referenced by one or more firewall rules
Purpose
Convert one value into another
Perform dynamic translations
Reduce duplicate firewall rules
Improve packet processing efficiency
Simplify firewall administration
Centralize policy management
Improve firewall scalability
Support enterprise automation
Why Maps Exist
Without Maps
One rule required for every IP
One rule required for every port
One rule required for every network
Firewall becomes large
Rules become difficult to maintain
Rule evaluation takes longer
With Maps
Single rule
Multiple mappings
Easier updates
Faster lookup
Better readability
Centralized configuration
Internal Working
Packet arrives
nftables extracts packet field
Source IP
Destination IP
Source Port
Destination Port
Protocol
Interface
Mark
User ID
Group ID
Field becomes lookup key
Kernel searches map
Matching value returned
Rule uses returned value
Action performed
Accept
Drop
Reject
Jump
Redirect
NAT
Set packet mark
Set connection mark
Set DSCP
Set Priority
Continue processing
Key Value Lookup
Definition
Search operation
One key returns one value
Key
Search item
Unique identifier
Common Keys
IPv4 Address
IPv6 Address
TCP Port
UDP Port
Protocol
Interface Name
VLAN ID
User ID
Group ID
Packet Mark
Connection Mark
MAC Address
Values
Verdict
IP Address
Port Number
Integer
String
Packet Mark
DSCP Value
Connection Mark
Queue Number
Routing Decision
Lookup Process
Receive packet
Read packet field
Compare with map keys
Find matching key
Return mapped value
Execute action
Dynamic Translation
Definition
Translate one value into another
No long chain of if-else rules
Translation performed instantly
Examples
IP Address
Internal IP
External IP
Port Translation
External Port
Internal Port
Interface Translation
Incoming Interface
Security Zone
Protocol Translation
Protocol Number
Firewall Action
User Translation
Linux User
Security Policy
Department Translation
VLAN
Department Name
Enterprise Use Cases
Datacenter Firewalls
Multi-Tenant Environments
Cloud Infrastructure
Kubernetes Nodes
OpenStack Networks
VMware Networks
Hypervisors
ISP Edge Routers
Telecom Infrastructure
Financial Institutions
Banking Networks
Government Networks
SOC Infrastructure
SIEM Sensor Networks
Load Balancers
Reverse Proxies
High Availability Clusters
Enterprise Examples
IP Address Classification
Development Network
Production Network
Testing Network
Management Network
Backup Network
DMZ
Guest Network
Port Classification
HTTP
HTTPS
SSH
DNS
SMTP
LDAP
MySQL
PostgreSQL
Kubernetes API
Prometheus
Grafana
Interface Classification
LAN
WAN
VPN
Internet
DMZ
Storage Network
Backup Network
Packet Classification
Trusted
Untrusted
Critical
Monitoring
Logging
Backup
Replication
Map Syntax
General Structure
map
name
type
elements
Basic Syntax
nft add map inet firewall service_map { type inet_service : verdict; }
Explanation
inet
Address family
Supports IPv4 and IPv6
firewall
Table name
service_map
Map name
type
Defines key type and value type
inet_service
TCP or UDP port number
verdict
Firewall action
Common Map Types
IPv4 Address Map
type ipv4_addr : verdict
IPv6 Address Map
type ipv6_addr : verdict
Port Map
type inet_service : verdict
Protocol Map
type inet_proto : verdict
Interface Map
type ifname : verdict
Integer Map
type integer : verdict
Mark Map
type mark : verdict
UID Map
type uid : verdict
GID Map
type gid : verdict
Creating Maps
Create Table
nft add table inet firewall
Create Chain
nft add chain inet firewall input { type filter hook input priority 0 \; policy drop \; }
Create Map
nft add map inet firewall service_map { type inet_service : verdict; }
Display Map
nft list map inet firewall service_map
Adding Elements
HTTP and HTTPS
nft add element inet firewall service_map { 80 : accept, 443 : accept }
SSH
nft add element inet firewall service_map { 22 : accept }
SMTP
nft add element inet firewall service_map { 25 : accept }
Reject Telnet
nft add element inet firewall service_map { 23 : drop }
Using Map Inside Rule
nft add rule inet firewall input tcp dport vmap
service_map
Packet Flow
Packet enters input chain
Read TCP destination port
Lookup destination port inside service_map
Retrieve verdict
Apply verdict immediately
IP Address Mapping
Create Map
nft add map inet firewall trusted_hosts { type ipv4_addr : verdict; }
Add Elements
nft add element inet firewall trusted_hosts { 192.168.1.10 : accept, 192.168.1.20 : accept }
Use
nft add rule inet firewall input ip saddr vmap
trusted_hosts
NAT Translation Example
Create Map
nft add map ip nat port_forward { type inet_service : ipv4_addr; }
Add Translation
nft add element ip nat port_forward { 8080 : 192.168.1.100 }
Purpose
Translate external service
Forward traffic internally
Packet Mark Translation
Create Map
nft add map inet firewall mark_map { type inet_service : mark; }
Add Elements
nft add element inet firewall mark_map { 22 : 1, 80 : 2, 443 : 3 }
Apply
nft add rule inet firewall input meta mark set tcp dport map
mark_map
Interface Translation
Create Map
nft add map inet firewall interface_zone { type ifname : mark; }
Add Elements
nft add element inet firewall interface_zone { "eth0" : 1, "eth1" : 2 }
Purpose
Convert interface into security zone
Simplify policy decisions
Kubernetes Example
NodePort
ClusterIP
Ingress
Service Ports
Pod Networks
Overlay Networks
Dynamic Service Translation
Cloud Example
AWS Security Gateway
Azure Virtual Network
Google Cloud VPC
Dynamic Workload Classification
Performance Advantages
Constant-time lookup
No sequential rule scanning
Reduced CPU utilization
Lower packet latency
Better throughput
Fewer firewall rules
Better scalability
Optimized kernel memory usage
Administration Benefits
Easy maintenance
Single location for mappings
Simple automation
Better readability
Easy troubleshooting
Easy updates
Reduced configuration errors
Faster policy deployment
Monitoring
Show Entire Ruleset
nft list ruleset
Show Tables
nft list tables
Show Maps
nft list maps
Show Specific Map
nft list map inet firewall service_map
Show Chain
nft list chain inet firewall input
Configuration Files
Main Configuration
/etc/nftables.conf
Include Directory
/etc/nftables/
Systemd Service
/usr/lib/systemd/system/nftables.service
Runtime Binary
/usr/sbin/nft
Manual Page
man nft
Best Practices
Use maps instead of hundreds of repetitive rules
Separate maps by business function
Use descriptive map names
Store production configuration in /etc/nftables.conf
Maintain backup copies before changes
Test configuration using nft -c -f /etc/nftables.conf
Use version control such as Git
Combine maps with sets for maximum efficiency
Monitor rule counters regularly
Document every map with its business purpose
Follow least privilege principles
Use automation tools such as Ansible for enterprise deployment
Validate configuration before production rollout
Minimize duplicate mappings
Regularly audit unused map entries
Interview Questions
What is a map in nftables
Difference between a map and a set
How does key-value lookup improve firewall performance
What is dynamic translation
What key types can maps use
What value types can maps return
How are maps used with verdicts
How do maps reduce firewall complexity
Where are nftables configurations stored
How do you display a specific map
How do you validate an nftables configuration before applying it
Why are maps preferred in enterprise environments
Flowtables
Flowtables
Overview
Definition
Flowtables are a high-performance packet forwarding feature in nftables.
They allow established network connections to bypass most of the normal firewall rule processing.
Instead of evaluating every packet against every firewall rule, the Linux kernel stores the connection in a special flow table.
Future packets belonging to the same connection are forwarded directly using the stored information.
Purpose
Reduce CPU usage
Increase packet forwarding speed
Improve network throughput
Lower packet processing latency
Scale firewall performance for enterprise environments
Introduced
Linux Kernel 5.1 and later
Managed By
nftables
Kernel Subsystem
Netfilter
Works With
Connection Tracking (conntrack)
Network Interface Drivers
Linux Routing Subsystem
Why Flowtables Exist
Traditional Packet Processing
Every incoming packet
Enters kernel networking stack
Passes Netfilter hooks
Traverses nftables chains
Evaluates every matching rule
Checks conntrack state
Makes routing decision
Leaves interface
Problem
CPU repeats same rule matching for every packet.
Millions of packets consume significant CPU resources.
High latency under heavy load.
Flowtable Processing
First packet
Normal firewall inspection
Conntrack creates connection entry
Routing decision calculated
Security policies enforced
Flow added into flowtable
Remaining packets
Direct lookup in flowtable
Skip most firewall rule evaluation
Skip repeated routing calculations
Forward immediately
Result
Higher throughput
Lower latency
Lower CPU utilization
Flowtable Architecture
Packet Arrival
NIC receives packet
Linux Kernel receives interrupt
Packet enters Netfilter
First Packet
Prerouting Hook
Connection Tracking
nftables Rules
Routing Decision
Flowtable Entry Creation
Established Packets
Packet arrives
Flowtable lookup
Match existing flow
Direct forwarding
Exit interface
Components
Network Interface
Netfilter Framework
nftables
Conntrack Database
Flowtable
Routing Table
Network Driver
Flowtable Entry
Information Stored
Source IP Address
Destination IP Address
Source Port
Destination Port
Layer 4 Protocol
Input Interface
Output Interface
Connection State
MAC Addresses
Next Hop Information
Timeout
Purpose
Avoid recalculating routing
Avoid repeated firewall rule matching
Speed packet forwarding
Connection Tracking Dependency
Requirement
Flowtables require conntrack.
Why
Conntrack identifies packets belonging to an existing connection.
Only established flows are eligible.
Connection States
New
First packet
Normal nftables inspection
Established
Eligible for flowtable
Related
Can also benefit
Invalid
Never accelerated
View Connections
conntrack -L
cat /proc/net/nf_conntrack
Hardware Acceleration
Definition
Hardware acceleration allows supported Network Interface Cards (NICs) to process forwarding operations instead of the CPU.
Purpose
Reduce CPU workload
Increase forwarding capacity
Improve packet rate
Software Processing
CPU processes packets
Linux kernel forwards traffic
Hardware Offload
NIC performs forwarding
CPU involvement greatly reduced
Requirements
NIC must support hardware offload.
Linux driver must support hardware flowtable offloading.
Kernel support required.
Enterprise NIC Vendors
Intel
Mellanox (NVIDIA)
Broadcom
Marvell
Chelsio
Benefits
Multi-Gigabit forwarding
Lower power consumption
Reduced CPU interrupts
Better scalability
Verify NIC Features
ethtool -k eth0
ethtool --show-features eth0
Enable Hardware Offload
ethtool -K eth0 hw-tc-offload on
Check Driver
ethtool -i eth0
Driver Location
/lib/modules/$(uname -r)/kernel/drivers/net/
High Speed Forwarding
Definition
High-speed forwarding means packets travel through the system with minimal processing delay.
Traditional Path
NIC
Netfilter
nftables chains
Routing
Output
Accelerated Path
NIC
Flowtable Lookup
Output
Benefits
Lower latency
Higher throughput
Fewer CPU cycles
Higher packets per second
Enterprise Use Cases
Internet gateways
Firewalls
Edge routers
Data center switches
Cloud networking
Kubernetes clusters
Hypervisors
Virtual routers
Enterprise Routers
Definition
Enterprise routers connect multiple networks and route traffic efficiently while enforcing security policies.
Role of Flowtables
Accelerate forwarding between interfaces.
Reduce routing overhead.
Maintain firewall security.
Example
Internet
↓
Router
↓
Firewall
↓
Internal Network
Flow
First packet inspected
Flow stored
Remaining packets accelerated
Enterprise Vendors
Cisco
Juniper
Arista
MikroTik
Dell
HPE
Linux-based routers
Linux Router Platforms
Debian
Ubuntu Server
Red Hat Enterprise Linux
Rocky Linux
AlmaLinux
Data Centers
Definition
A data center is a facility containing servers, networking equipment, storage, virtualization platforms, and security devices.
Importance of Flowtables
Handle millions of packets efficiently.
Support large east-west traffic.
Improve VM communication.
Accelerate container networking.
Common Workloads
Web servers
Database servers
Virtual machines
Kubernetes
OpenStack
Storage clusters
Load balancers
Benefits
Higher bandwidth
Lower CPU utilization
Better scalability
Lower response times
Reduced hardware costs
Flowtable Configuration
Create Table
nft add table inet firewall
Create Flowtable
nft add flowtable inet firewall ft "{ hook ingress priority 0; devices = { eth0, eth1 }; }"
Add Forward Chain
nft add chain inet firewall forward "{ type filter hook forward priority filter; policy accept; }"
Enable Flow Offload
nft add rule inet firewall forward ct state established,related flow add
ft
View Configuration
nft list ruleset
Delete Flowtable
nft delete flowtable inet firewall ft
Configuration File
Main Configuration
/etc/nftables.conf
Systemd Service
/usr/lib/systemd/system/nftables.service
Runtime Information
/proc/net/nf_conntrack
Kernel Parameters
/proc/sys/net/netfilter/
Module Information
/sys/module/
Network Interfaces
/sys/class/net/
Monitoring
Show Rules
nft list ruleset
Monitor Changes
nft monitor
Display Counters
nft list counters
Check Connections
conntrack -L
Statistics
nstat
ip -s link
ss -s
Performance Monitoring
top
htop
vmstat
sar
perf
Packet Processing Comparison
Without Flowtable
Packet arrives
Netfilter hooks
Conntrack lookup
Rule matching
Routing lookup
Forward packet
Repeat for every packet
With Flowtable
First packet inspected
Flow stored
Future packets
Flowtable lookup
Direct forwarding
Reduced CPU processing
Enterprise Advantages
High throughput
Reduced latency
Lower CPU utilization
Increased packets per second
Better scalability
Efficient firewall performance
Faster routing
Improved virtualization performance
Better cloud networking
Reduced operational costs
Enterprise Limitations
Requires conntrack.
Only established connections are accelerated.
Some packet modifications bypass acceleration.
Not every NIC supports hardware offload.
Driver support varies.
Hardware compatibility must be verified.
Software updates may change offload capabilities.
Security Considerations
First packet always inspected.
Firewall policies still enforced before acceleration.
Invalid packets are not accelerated.
Logging typically occurs before flow offload.
Connection tracking maintains session awareness.
Security monitoring should account for accelerated flows.
Best Practices
Use modern Linux kernels.
Keep nftables updated.
Use enterprise-grade NICs.
Verify hardware offload support.
Test flowtables before production deployment.
Monitor conntrack table usage.
Tune conntrack limits.
Enable logging for new connections.
Monitor CPU utilization regularly.
Benchmark throughput before and after enabling flowtables.
Document firewall architecture.
Regularly audit firewall policies.
Netfilter Hooks
Ingress
Before routing
Early packet filtering
Prerouting
Before routing decision
Input
Traffic to local server
Forward
Routed traffic
Output
Traffic generated locally
Postrouting
Before leaving interface
Chain Types
Filter
Allow
Deny
Logging
NAT
Source NAT
Destination NAT
Port Forwarding
Route
Packet modification before routing
Priorities
Higher priority
Processed first
Lower priority
Processed later
Enterprise Example
Early packet validation
Connection tracking
NAT
Filtering
Families
inet
IPv4 and IPv6 together
ip
IPv4 only
ip6
IPv6 only
arp
ARP packets
bridge
Layer 2 firewall
netdev
Interface level filtering
Packet Matching
Source IP
Destination IP
Source Port
Destination Port
Protocol
Interface
MAC Address
TCP Flags
ICMP
Connection State
Packet Length
Time
User ID
Group ID
Mark
Actions
Accept
Allow traffic
Drop
Silent discard
Reject
Send error response
Log
Record packet
Counter
Count packets
Jump
Move to another chain
Goto
Permanent transfer
Return
Return to previous chain
Queue
Send to userspace
Continue
Continue processing
Connection Tracking
New
Established
Related
Invalid
Untracked
Enterprise Rules
Allow Established
Allow Related
Drop Invalid
NAT
SNAT
Private to public
DNAT
Public to private
Masquerade
Dynamic public IP
Port Forwarding
External to internal server
Logging
Packet Logging
Prefix
Log Level
Audit
SIEM Integration
Syslog
Journalctl
Wazuh
Elastic Stack
Security Features
Default Deny Policy
Least Privilege
Anti Spoofing
Rate Limiting
Blacklists
Whitelists
Geo Blocking
ICMP Protection
SYN Flood Protection
DDoS Mitigation
Port Scan Detection
Bogon Filtering
Enterprise Firewall Design
Internet
Edge Firewall
DMZ
Reverse Proxy
Web Server
Load Balancer
Internal Firewall
Application Servers
Database Servers
File Servers
Monitoring Servers
Backup Servers
Domain Controllers
SIEM
East West Traffic Filtering
Server to server inspection
North South Traffic Filtering
Internet to internal network
Micro Segmentation
Department isolation
Production isolation
Development isolation
High Availability
Active Active
Active Passive
Keepalived
VRRP
Shared Firewall Policy
Performance Optimization
Sets
Maps
Flowtables
Rule Ordering
Early Drop
Interface Matching
Connection Tracking
Hardware Offloading
Enterprise Rule Strategy
Default Drop
Allow Loopback
Allow Established
Allow SSH
Allow HTTPS
Allow DNS
Allow Monitoring
Allow Backup
Allow SIEM
Allow VPN
Log Suspicious Traffic
Drop Remaining Traffic
Configuration Files
Main File
/etc/nftables.conf
Backup
nft list ruleset
Restore
nft -f file.conf
Important Commands
Check Version
nft --version
Show Rules
nft list ruleset
Show Tables
nft list tables
Show Chains
nft list chains
List Specific Table
nft list table inet firewall
Create Table
nft add table inet firewall
Delete Table
nft delete table inet firewall
Create Chain
nft add chain inet firewall input { type filter hook input priority 0 ; policy drop ; }
Add Rule
nft add rule inet firewall input tcp dport 22 accept
Delete Rule
nft delete rule inet firewall input handle NUMBER
Flush Rules
nft flush ruleset
Save Configuration
nft list ruleset > /etc/nftables.conf
Load Configuration
nft -f /etc/nftables.conf
Validate Configuration
nft -c -f /etc/nftables.conf
Monitor Changes
nft monitor
nftables (Enterprise Linux Firewall)
Introduction
What is nftables
Modern Linux packet filtering framework
Replacement for iptables, ip6tables, arptables and ebtables
Uses a single unified framework
Works through Netfilter in Linux Kernel
Default firewall backend in modern Linux distributions
Advantages
Faster than iptables
Unified IPv4 and IPv6 rules
Better performance
Atomic rule updates
Reduced rule duplication
Easier rule management
Supports sets and maps
Better scalability
Lower memory usage
Enterprise ready
Architecture
Linux Kernel
Netfilter Framework
Packet Processing Engine
User Space
nft command
nftables.conf
Systemd Service
Configuration
Tables
Chains
Rules
Sets
Maps
Flowtables
Packet Flow
Incoming Packet
Network Interface
Prerouting
Input
Local Process
Outgoing Packet
Local Process
Output
Postrouting
Network Interface
Forwarded Packet
Prerouting
Forward
Postrouting
Packet Hooks
Prerouting
Before Routing Decision
DNAT
Input
Packets for Local Machine
Forward
Packets Passing Through Server
Output
Locally Generated Traffic
Postrouting
Before Leaving Interface
SNAT
Masquerade
Families
inet
IPv4 and IPv6 together
Enterprise Recommendation
ip
IPv4 only
ip6
IPv6 only
bridge
Layer 2 filtering
arp
ARP packets
netdev
Interface ingress filtering
Tables
Purpose
Logical container
Groups firewall rules
Example
filter
nat
security
raw
Commands
nft add table inet filter
nft list tables
nft delete table inet filter
Chains
Purpose
Collection of firewall rules
Types
Base Chain
Connected to Netfilter Hook
Regular Chain
Jump target
Hooks
input
output
forward
prerouting
postrouting
Policies
accept
drop
Commands
nft add chain inet filter input { type filter hook input priority 0 policy drop; }
Rules
Purpose
Decide packet action
Actions
accept
drop
reject
log
jump
goto
return
counter
masquerade
snat
dnat
Default Enterprise Firewall
Create Table
nft add table inet filter
Create Input Chain
nft add chain inet filter input { type filter hook input priority 0 policy drop; }
Create Forward Chain
nft add chain inet filter forward { type filter hook forward priority 0 policy drop; }
Create Output Chain
nft add chain inet filter output { type filter hook output priority 0 policy accept; }
Allow Loopback
Purpose
Internal system communication
Command
nft add rule inet filter input iif lo accept
Allow Established Connections
Purpose
Return traffic
Command
nft add rule inet filter input ct state established,related accept
Allow SSH
Command
nft add rule inet filter input tcp dport 22 accept
Allow HTTP
Command
nft add rule inet filter input tcp dport 80 accept
Allow HTTPS
Command
nft add rule inet filter input tcp dport 443 accept
Allow ICMP
Purpose
Ping
MTU Discovery
Network Troubleshooting
Command
nft add rule inet filter input ip protocol icmp accept
Block Everything Else
Policy
drop
Connection Tracking
States
new
established
related
invalid
Commands
nft add rule inet filter input ct state established,related accept
nft add rule inet filter input ct state invalid drop
Logging
Purpose
SOC Monitoring
SIEM Integration
Command
nft add rule inet filter input log prefix "DROP " drop
Counters
Purpose
Packet statistics
Command
nft add rule inet filter input counter accept
Sets
Purpose
Multiple IPs
Better performance
Create Set
nft add set inet filter blacklist { type ipv4_addr; }
Add IP
nft add element inet filter blacklist { 192.168.1.100 }
Rule
nft add rule inet filter input ip saddr
blacklist
drop
Port Sets
Example
SSH
HTTP
HTTPS
Rule
nft add set inet filter allowed_ports { type inet_service; }
nft add element inet filter allowed_ports { 22,80,443 }
nft add rule inet filter input tcp dport
allowed_ports
accept
NAT
SNAT
Internal to Internet
DNAT
Port Forwarding
Masquerade
Dynamic IP Gateway
Commands
nft add table ip nat
nft add chain ip nat postrouting { type nat hook postrouting priority 100; }
nft add rule ip nat postrouting oif eth0 masquerade
Port Forwarding
Example
Internet Port 80
Internal Server 192.168.1.10
Command
nft add chain ip nat prerouting { type nat hook prerouting priority -100; }
nft add rule ip nat prerouting tcp dport 80 dnat to 192.168.1.10
Enterprise Web Server
Allow
SSH
HTTP
HTTPS
Drop
Everything else
Logging
Failed Connections
Connection Tracking
Enabled
Enterprise Database Server
Allow
MySQL 3306
PostgreSQL 5432
Only Application Server IP
Block
Public Access
Enterprise Bastion Host
Allow
SSH only
Restrict
Source IP
Log
Every Login Attempt
Enterprise Gateway
Enable
Forward Chain
NAT
Masquerade
Logging
Internet Traffic
Persistence
Save Rules
nft list ruleset > /etc/nftables.conf
Load Rules
nft -f /etc/nftables.conf
Enable Service
systemctl enable nftables
systemctl start nftables
Verify
systemctl status nftables
Verification
List Rules
nft list ruleset
List Table
nft list table inet filter
List Chain
nft list chain inet filter input
Show Counters
nft list ruleset
Testing
Ping
SSH
Curl
Nmap
Tcpdump
Journalctl
Troubleshooting
Check Syntax
nft -c -f /etc/nftables.conf
Show Rules
nft list ruleset
Check Service
systemctl status nftables
View Logs
journalctl -u nftables
Monitor Packets
tcpdump
Verify Listening Ports
ss -tulnp
Security Best Practices
Default Drop Policy
Least Privilege
Allow Only Required Ports
Restrict Source IP
Use Sets
Enable Logging
Enable Counters
Backup Configuration
Version Control
Periodic Firewall Audit
Monitor Logs
Integrate With SIEM
Enterprise Architecture
Internet
Edge Firewall
Reverse Proxy
Load Balancer
DMZ
Web Servers
WAF
Internal Network
Application Servers
Database Servers
Management Network
SSH
Monitoring
Backup
SOC
Wazuh
SIEM
Syslog
Enterprise Deployment Steps
Install nftables
Enable Service
Create Tables
Create Chains
Set Default Policies
Allow Loopback
Allow Established Connections
Allow Required Services
Configure NAT
Configure Logging
Configure Sets
Save Rules
Enable Boot Persistence
Test Connectivity
Perform Security Validation
Deploy Through Automation
Ansible
Puppet
Chef
Interview Questions
What is nftables
Difference between nftables and iptables
What are Tables
What are Chains
What are Hooks
What is Connection Tracking
Difference between Accept Drop Reject
Difference between SNAT DNAT Masquerade
What are Sets
What are Maps
What is Flowtable
Why use inet family
How to make rules persistent
How to troubleshoot nftables
How to implement nftables on 1000 Linux servers
How to secure SSH using nftables
How to integrate nftables with SIEM
NFTABLES ENTERPRISE IMPLEMENTATION IN LINUX
NFTABLES ENTERPRISE IMPLEMENTATION IN LINUX
Enterprise Commands
Flush Rules
nft flush ruleset
Create Table
nft add table inet filter
Create Input Chain
nft add chain inet filter input type filter hook input priority 0 policy drop
Create Forward Chain
nft add chain inet filter forward type filter hook forward priority 0 policy drop
Create Output Chain
nft add chain inet filter output type filter hook output priority 0 policy accept
Allow Loopback
nft add rule inet filter input iif lo accept
Allow Established
nft add rule inet filter input ct state established related accept
Allow SSH
nft add rule inet filter input tcp dport 22 accept
Allow HTTP
nft add rule inet filter input tcp dport 80 accept
Allow HTTPS
nft add rule inet filter input tcp dport 443 accept
Allow ICMP
nft add rule inet filter input ip protocol icmp accept
Save Rules
nft list ruleset
Delete Rule
nft delete rule
Delete Chain
nft delete chain
Delete Table
nft delete table
Enterprise Rule Design
Default Deny
Least Privilege
Allow Required Services Only
Block Unused Ports
Stateful Firewall
Logging Enabled
Document Every Rule
Rule Review
Change Management
Backup Configuration
Stateful Firewall
Connection Tracking
New
Established
Related
Invalid
Enterprise Rule
Accept Established Related
Drop Invalid
Sets
Purpose
Manage Multiple IPs Efficiently
Enterprise Usage
Trusted Administrators
Office Networks
VPN Networks
Branch Offices
Block Lists
Maps
Purpose
Efficient Port Mapping
Enterprise Usage
Service Routing
Multi Port Policy
NAT
SNAT
Outgoing Translation
DNAT
Incoming Translation
Masquerade
Dynamic Public IP
Logging
Log Accepted Traffic
Log Dropped Packets
SIEM Integration
Wazuh
Elastic
Splunk
QRadar
Security Hardening
Drop Invalid Packets
Anti Spoofing
Block Bogon Networks
Limit ICMP
Rate Limit SSH
Block Port Scans
Disable Unused Services
Allow Management Network Only
Enterprise Server Profiles
Web Server
SSH
HTTP
HTTPS
Database Server
MySQL
PostgreSQL
Internal Access Only
DNS Server
UDP 53
TCP 53
Mail Server
SMTP
IMAPS
POP3S
Bastion Host
SSH Only
SIEM Server
Syslog
Beats
Wazuh Agent
High Availability
Keepalived
VRRP
Cluster Firewall
Shared Configuration
Configuration Synchronization
Automation
Ansible
Puppet
Chef
SaltStack
Git Version Control
CI CD Deployment
Monitoring
Journalctl
Systemctl Status
nft monitor trace
nft monitor
Audit Logs
SIEM Alerts
Troubleshooting
nft list ruleset
nft list tables
nft list chains
nft list rules
nft monitor trace
ss -tulnp
ip addr
ip route
tcpdump
journalctl -u nftables
Performance Optimization
Use Sets
Avoid Duplicate Rules
Use inet Family
Minimize Rule Count
Hardware Offloading
Flowtables
Disaster Recovery
Backup Rules
Restore Rules
Configuration Versioning
Rollback Strategy
Change Approval
Best Practices
Default Drop Policy
Allow Only Business Traffic
Least Privilege
Use Stateful Inspection
Separate Management Network
Regular Rule Audits
Log Critical Events
Test Before Production
Document Changes
Backup Before Modification
Use Configuration Management
Interview Preparation
What is nftables
Difference Between nftables and iptables
What is Netfilter
Explain Packet Flow
Explain Table Family
Explain Chain
Explain Hook
Difference Between Accept Drop Reject
What is Stateful Firewall
What is Connection Tracking
Explain NAT
Explain SNAT
Explain DNAT
Explain Masquerade
Explain Sets
Explain Maps
Explain Flowtables
Explain inet Table
Why Default Drop Policy
Why Allow Established Related
How to Backup Rules
How to Restore Rules
How to Troubleshoot nftables
Enterprise Deployment Steps
How to Secure SSH
How to Integrate with SIEM
How to Implement Change Management
Enterprise Implementation Checklist
Install nftables
Enable Service
Backup Existing Configuration
Create Tables
Create Chains
Configure Default Policies
Allow Loopback
Allow Established Related
Allow Required Services
Configure NAT
Configure Logging
Test Connectivity
Run Security Scan
Save Configuration
Integrate SIEM
Monitor Logs
Backup Rules
Document Configuration
Review Periodically
Enterprise Implementation Steps
Enterprise Linux nftables Implementation
Overview
Purpose
Host Based Firewall
Stateful Packet Filtering
High Performance
Kernel Integrated
IPv4 IPv6 Support
nftables Modern replacement for iptables
Objective
Default Deny Security Model
Allow Only Required Services
Log Unauthorized Access
Protect Enterprise Servers
Enterprise Use Cases
Web Servers
Application Servers
Database Servers
File Servers
DNS Servers
SIEM Servers
Bastion Hosts
Pre Implementation Planning
Identify Server Role
Web Server
Database Server
Application Server
Mail Server
Monitoring Server
Identify Required Services
SSH
HTTP
HTTPS
DNS
NTP
SMTP
Database Ports
Identify Trusted Networks
Management Network
Production Network
Backup Network
Monitoring Network
Perform Risk Assessment
Required Ports
Blocked Ports
Remote Access
Application Dependencies
Step 1 Install nftables
Purpose
Install firewall framework
Command
sudo dnf install nftables
sudo apt install nftables
Interview
nftables replaces iptables as the modern Linux packet filtering framework.
nftables
tables
chain
Rules
Step 2 Enable Service
Purpose
Start firewall automatically after reboot.
Commands
sudo systemctl enable nftables
sudo systemctl start nftables
sudo systemctl status nftables
Verify
systemctl is-active nftables
Interview
Always enable the service before deploying production rules.
Step 3 Backup Existing Rules
Purpose
Prevent configuration loss.
Allow rollback.
Commands
sudo nft list ruleset
sudo nft list ruleset > /root/nft-backup.conf
Enterprise Practice
Take backup before every firewall modification.
Store backup in version control.
Interview
Never modify firewall rules without a rollback plan.
Step 4 Create Tables
Purpose
Table stores firewall objects.
Command
sudo nft add table inet filter
Explanation
inet works for both IPv4 and IPv6.
Enterprise Recommendation
Use inet table whenever possible.
Show tables
sudo nft list tables
Step 5 Create Base Chains
Purpose
Entry point where packets enter and out for filtering process.
🚫 Reject the packet
❌ Drop the packet
✅ Allow the packet
Input Chain
sudo nft add chain inet filter input { type filter hook input priority 0 ; }
OR
sudo nft add rule inet filter input ct state established,related accept
Input = Traffic to the Linux machine.
🚫 Reject the packet
❌ Drop the packet
✅ Allow the packet
How Packets are filters
Internet
▼
Network Interface (eth0)
▼
Input Chain check packts
Firewall Checks
5 more items...
Accept
1 more item...
Drop
1 more item...
Reject
1 more item...
1 more item...
NFTABLES
Rules (Implementation)
Definition
A Rule is the smallest executable configuration inside nftables.
A rule tells the Linux kernel:
If a packet matches these conditions
Then perform this action.
Rule Flow
Network Packet Arrives
↓
Table
↓
Chain
↓
Rule 1
Match?
Yes
Execute Action
No
Continue to Next Rule
↓
Rule 2
Match?
Yes
Execute Action
No
Continue
↓
Chain Policy
Rule Structure
General Syntax
nft add rule family table_name chain_name match_conditions action
Components
nft
nftables command line utility.
add
Creates a new rule.
rule
Object being created.
family
Protocol family.
ip
IPv4
ip6
IPv6
inet
IPv4 and IPv6 together
arp
Address Resolution Protocol
bridge
Ethernet Bridge filtering
netdev
Network Device ingress filtering
table_name
Container where chains exist.
chain_name
Chain that processes packets.
match_conditions
Conditions that must be true before action is executed.
action
Operation performed when all conditions match.
Rule Evaluation
Packet enters chain
↓
Rule 1
Condition matched?
Yes
Execute action
Stop if verdict is final
No
Next rule
Rule 2
Same process
Rule 3
Same process
Continue until
Accept
Drop
Reject
Queue
Return
End of chain
If no rule matches
Apply chain default policy
Rule Processing Order
Rules execute sequentially.
Top to bottom.
First matching terminal verdict usually stops further processing.
Example
Rule 1
Accept SSH
Rule 2
Drop Telnet
Rule 3
Accept HTTP
Rule 4
Drop Everything Else
Rule Components
Match Conditions
Purpose
Decide whether packet satisfies specified criteria.
Source Address
Match sender IP address.
Command
nft add rule inet filter input ip saddr 192.168.1.10 accept
Meaning
ip
IPv4 packet
saddr
Source address
192.168.1.10
Allowed sender
Destination Address
Match destination IP.
Command
nft add rule inet filter output ip daddr 8.8.8.8 accept
Source Network
Command
nft add rule inet filter input ip saddr 192.168.1.0/24 accept
Explanation
/24
CIDR subnet mask
Network contains 256 addresses.
Destination Network
Command
nft add rule inet filter output ip daddr 10.10.20.0/24 accept
Incoming Interface
Command
nft add rule inet filter input iifname eth0 accept
Explanation
iifname
Incoming Interface Name
Outgoing Interface
Command
nft add rule inet filter output oifname eth1 accept
Explanation
oifname
Outgoing Interface Name
Protocol Match
IPv4
ip protocol tcp
IPv6
ip6 nexthdr tcp
inet
tcp
udp
icmp
icmpv6
TCP Source Port
Command
nft add rule inet filter input tcp sport 22 accept
TCP Destination Port
Command
nft add rule inet filter input tcp dport 22 accept
UDP Source Port
Command
nft add rule inet filter input udp sport 53 accept
UDP Destination Port
Command
nft add rule inet filter input udp dport 53 accept
Multiple Ports
Command
nft add rule inet filter input tcp dport {22,80,443} accept
Port Range
Command
nft add rule inet filter input tcp dport 1000-2000 accept
ICMP Type
Command
nft add rule inet filter input icmp type echo-request accept
ICMPv6 Type
Command
nft add rule inet filter input icmpv6 type echo-request accept
Packet Length
Command
nft add rule inet filter input meta length 0-512 accept
Packet Mark
Command
nft add rule inet filter input meta mark 100 accept
User ID
Command
nft add rule inet filter output meta skuid 1000 accept
Group ID
Command
nft add rule inet filter output meta skgid 1000 accept
Process Name
Available through metadata matching depending on kernel support.
Ethernet Source MAC
Command
nft add rule bridge filter input ether saddr aa:bb:cc:dd:ee:ff accept
Ethernet Destination MAC
Command
nft add rule bridge filter input ether daddr ff:ff:ff:ff:ff:ff accept
VLAN ID
Command
nft add rule bridge filter input vlan id 100 accept
DSCP
Command
nft add rule inet filter input ip dscp cs1 accept
TTL
Command
nft add rule inet filter input ip ttl 64 accept
Hop Limit
Command
nft add rule inet filter input ip6 hoplimit 64 accept
Connection State
Requires Connection Tracking
States
new
established
related
invalid
untracked
Command
nft add rule inet filter input ct state established,related accept
Connection Status
confirmed
expected
seen-reply
Connection Mark
Command
nft add rule inet filter input ct mark 100 accept
Connection Label
Enterprise policy classification.
Time Match
Match packets according to configured schedules.
Rate Match
Limit packets per second.
Packet Size
Fragment Match
TCP Flags
SYN
ACK
FIN
RST
PSH
URG
Socket Match
CPU Match
Cgroup Match
FIB Lookup
Routing Realm
Security Context
SELinux integration.
Rule Actions
Accept
Meaning
Allow packet.
Command
nft add rule inet filter input tcp dport 22 accept
Drop
Meaning
Silently discard packet.
Command
nft add rule inet filter input tcp dport 23 drop
Reject
Meaning
Block packet and notify sender.
Command
nft add rule inet filter input tcp dport 23 reject
Continue
Meaning
Continue evaluating later rules.
Return
Meaning
Return to calling chain.
Jump
Meaning
Jump to another chain.
Command
nft add rule inet filter input jump ssh_chain
Goto
Meaning
Transfer permanently to another chain.
Queue
Meaning
Send packet to userspace through NFQUEUE.
Log
Purpose
Record packet details.
Command
nft add rule inet filter input log prefix "SSH "
Options
prefix
group
level
snaplen
queue-threshold
Counter
Purpose
Count packets and bytes.
Command
nft add rule inet filter input counter accept
Limit
Purpose
Rate limiting.
Command
nft add rule inet filter input limit rate 10/second accept
Meter
Purpose
Dynamic per-host rate limiting.
Set Mark
Command
nft add rule inet filter input meta mark set 100
Set Connection Mark
Command
nft add rule inet filter input ct mark set 100
DNAT
Destination Network Address Translation.
SNAT
Source Network Address Translation.
Masquerade
Dynamic Source NAT.
Redirect
Redirect packet locally.
TProxy
Transparent Proxy.
Duplicate
Send duplicate packet.
Fwd
Hardware forwarding.
Rule Ordering Best Practices
Accept established connections first.
Drop invalid packets early.
Allow management traffic.
Allow business applications.
Allow monitoring.
Allow backups.
Allow logging.
Drop unauthorized traffic.
Apply default chain policy.
Enterprise Rule Categories
Infrastructure Rules
SSH
DNS
NTP
DHCP
Web Rules
HTTP
HTTPS
Database Rules
MySQL
PostgreSQL
Oracle
SQL Server
Monitoring Rules
Zabbix
Prometheus
SNMP
Logging Rules
Syslog
Rsyslog
SIEM
Elastic Stack
Virtualization Rules
VMware
KVM
Hyper-V
Container Rules
Docker
Podman
Kubernetes
Cloud Rules
AWS
Azure
Google Cloud
Storage Rules
NFS
SMB
iSCSI
Security Rules
IDS
IPS
WAF
VPN
Zero Trust
Rule Management Commands
Display Rules
nft list ruleset
Display Table
nft list table inet filter
Display Chain
nft list chain inet filter input
Add Rule
nft add rule inet filter input tcp dport 22 accept
Insert Rule
nft insert rule inet filter input position 0 tcp dport 22 accept
Replace Rule
nft replace rule inet filter input handle HANDLE_NUMBER accept
Delete Rule by Handle
nft delete rule inet filter input handle HANDLE_NUMBER
Flush Chain
nft flush chain inet filter input
Flush Table
nft flush table inet filter
Configuration Files
Main Configuration
/etc/nftables.conf
Include Directory
/etc/nftables/
Runtime Rules
Stored inside kernel memory.
Save Rules
nft list ruleset > /etc/nftables.conf
Load Rules
nft -f /etc/nftables.conf
Service Management
Enable Service
systemctl enable nftables
Start Service
systemctl start nftables
Restart Service
systemctl restart nftables
Stop Service
systemctl stop nftables
Status
systemctl status nftables
Enterprise Best Practices
Use inet family whenever possible.
Follow least privilege.
Keep rule order optimized.
Place specific rules before general rules.
Use named sets instead of duplicate rules.
Separate production, development, and management traffic.
Log security events before dropping packets where appropriate.
Use counters for auditing and troubleshooting.
Use connection tracking to improve performance.
Use comments for documentation.
Store configuration in version control (Git).
Test changes before deployment.
Maintain backup copies of nftables.conf.
Review rules periodically for compliance and security.