MC, 2025

Command linux nft – A Complete Guide to Using nftables on Linux

If you're familiar with Linux networking, you've probably come across nftables, the kernel's packet-filtering framework. nftables is the modern replacement for iptables, designed to provide a simpler, more efficient way to manage packet filtering, network address translation (NAT) and other firewall functions. In this article we will explore the nft command-line tool and walk through practical examples to help you master nftables for securing and managing your Linux-based systems. So buckle up, and let's dive into the world of nftables!

What is nftables?

Before we jump into the nft command syntax and examples, let's start with a quick overview of what nftables is and why it matters in Linux networking.

nftables is the framework in the Linux kernel that provides packet filtering, network address translation (NAT), packet classification and related networking functions. It was introduced as the replacement for the older iptables framework and has been part of the mainline kernel since version 3.13 (released in January 2014); the nft user-space tool that configures it ships in the nftables package. On current distributions the iptables command itself is usually the iptables-nft variant, which translates legacy rules onto the nftables kernel API. With nftables you define tables, chains and rules that decide how network traffic on your system is handled.

The main advantages of nftables over iptables are its streamlined configuration syntax, better performance on large rulesets and greater flexibility. Where iptables needed separate tools for each protocol family (iptables, ip6tables, arptables and ebtables), nftables handles all of them with one tool and one syntax, and the inet family lets a single rule cover both IPv4 and IPv6, which makes rulesets shorter and easier to keep consistent.

Why Use nftables Instead of iptables?

For many years, iptables was the go-to tool for managing firewalls on Linux systems. However, nftables provides several improvements that make it a better choice for modern network security:

  • Unified configuration: nftables simplifies configuration by handling IPv4, IPv6, ARP and bridge traffic in a single framework with a single syntax.
  • Improved performance and atomic updates: large address or port lists go into sets and maps that are looked up in one step instead of walked as long chains of rules, and a ruleset loaded from a file is applied in one transaction, so the firewall is never left half-applied between two rules.
  • Ease of use: nftables provides a more intuitive and consistent syntax, making it easier for administrators to configure firewall rules and reason about how traffic is handled.
  • Better support for modern features: sets, maps and concatenations let one rule express what used to take dozens of iptables rules, and new matches are added as expressions rather than as separate kernel modules.

How to Use the Command linux nft

Now that we've covered the basics of nftables, it's time to look at how to use the nft command to manage firewall rules and network traffic. Every nft command below changes the live ruleset in the kernel immediately and needs root privileges (the CAP_NET_ADMIN capability), which is why the examples use sudo. Below are some of the most common commands that will help you get started.

1. Displaying Current Rules

One of the first things you'll want to do when working with nftables is to view your existing firewall rules. The nft list ruleset command allows you to see all of the active rules and configurations on your system.

sudo nft list ruleset

This prints the current ruleset, showing which tables and chains exist and how traffic is being filtered. If nothing has been configured yet, the output is empty, which also means no filtering is happening at all: without any base chains, every packet is accepted.

2. Creating a Basic Table

In nftables the configuration is organized into tables, chains and rules. A table is a container for chains (and for sets and maps); a chain holds the individual rules. Unlike iptables, nftables does not predefine any tables or chains, so the first step is to create a table:

sudo nft add table inet filter

This creates a table named filter in the inet family, which handles both IPv4 and IPv6 packets. The name filter is a convention borrowed from iptables, not a keyword, and the inet family is the recommended choice for host firewalls because one set of rules covers both protocols.

3. Adding Chains to a Table

Once you have a table, add chains to it. A chain attached to a kernel hook (a base chain) is where packets enter the firewall; the hooks available to the inet family are prerouting, input, forward, output and postrouting, which see packets arriving at this host, passing through it as a router, or leaving it. The chain name itself is arbitrary, but naming it after its hook, as below, keeps rulesets readable.

sudo nft add chain inet filter input { type filter hook input priority 0 \; }

This adds a base chain named input to the filter table. type filter declares a filtering chain (the other types are nat and route), hook input attaches it to the input hook, and priority 0 orders it relative to other chains on the same hook. No policy is given, so the chain's default policy is accept: a packet that matches no rule is let through. The backslash before the semicolon and the spaces around the braces protect those characters from the shell; the alternative is to wrap everything after nft in single quotes.

4. Adding Rules to a Chain

With the table and chain created, you can now begin adding rules to define how packets should be handled. For example, to allow incoming traffic on port 80 (HTTP), you can use the following rule:

sudo nft add rule inet filter input tcp dport 80 accept

This tells nftables to accept incoming TCP traffic to port 80. Rules are evaluated from the top of the chain down, and the first terminating verdict (accept, drop or reject) decides the packet's fate; add rule appends to the end of the chain, so the order in which you add rules is the order in which they are checked.

5. Using Sets for More Efficient Rule Handling

One of the powerful features of nftables is the ability to use sets. A set is a collection of elements (such as IP addresses or ports) that can be referenced in multiple rules. Using sets can make your rule set more efficient and easier to manage.

For example, you could create a set of IP addresses that are allowed to access your server:

sudo nft add set inet filter allowed_ips { type ipv4_addr \; }

Now, you can add a rule that allows incoming traffic from any IP address in the allowed_ips set:

sudo nft add rule inet filter input ip saddr @allowed_ips accept

This accepts traffic from any address in the allowed_ips set. Elements are added and removed with the add element and delete element subcommands without touching the rule that references the set, which is what makes sets cheap to maintain. Two caveats: a set of type ipv4_addr holds only single IPv4 addresses unless it is created with flags interval, which also allows CIDR prefixes, and an inet table still needs a separate ipv6_addr set and an ip6 saddr rule to cover IPv6 sources.

6. Flushing the Ruleset

At some point you may need to clear or reset your rules. The flush subcommand deletes rules: flush chain empties one chain and flush table empties every chain and set in a table, both leaving the containers in place, while flush ruleset removes everything, tables, chains and sets included.

sudo nft flush ruleset

This removes everything, leaving the kernel with no rules at all. Use it with caution: with an empty ruleset every packet is accepted, so the host is unprotected until a ruleset is loaded again. Flushing is harmless to an existing SSH session, but loading the wrong ruleset afterwards is not, so keep a known-good file ready before you start.

7. Saving the Configuration

nftables rules live only in the kernel and are gone after a reboot. To make them persistent, save them to a file that the nftables service loads at startup. Note that a plain redirect after sudo is performed by your unprivileged shell, which cannot write to /etc, so run the redirect inside a root shell; prepend flush ruleset so that reloading the file replaces the live ruleset instead of appending duplicate rules:

sudo sh -c '{ echo "flush ruleset"; nft list ruleset; } > /etc/nftables.conf'

After saving, enable the nftables service so the configuration is loaded at boot (on Debian and Ubuntu the unit loads /etc/nftables.conf; on Fedora and RHEL it reads /etc/sysconfig/nftables.conf instead):

sudo systemctl enable nftables

Before rebooting, parse-check the saved file with the -c (check) option of nft -f, which reads the file without touching the kernel, so a typo cannot leave the host without a firewall at the next boot.
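The script below is an added example, written for this page and not code from the original article or from the nftables project. It ties sections 2 to 7 together (and anticipates the two practical examples that follow): it generates a complete, persistent ruleset with a deny-by-default input chain, loopback and conntrack rules, an allowed_ips set and a blocked_ips set, parse-checks the file, backs up the live ruleset and loads the new one atomically with a timed rollback so a mistake cannot lock you out of SSH. The file paths, the placeholder addresses (RFC 5737 documentation ranges), the set names and the function names are all assumptions made for the example; run it as root, since nft needs CAP_NET_ADMIN.

```shell
#!/bin/sh
# Added example (not from the original article): build a persistent nftables
# ruleset file, syntax-check it, and load it atomically with a timed rollback.
# Run as root. The paths below are assumptions; adjust them to your distribution.
set -eu

RULESET_FILE="${RULESET_FILE:-/etc/nftables.conf}"     # Debian/Ubuntu path; RHEL uses /etc/sysconfig/nftables.conf
BACKUP_FILE="${BACKUP_FILE:-/root/nftables.rollback}"  # assumed location of the pre-change snapshot
PIDFILE="${PIDFILE:-/run/nft-rollback.pid}"            # assumed location of the rollback timer's pid

# Print the complete ruleset. Rules are evaluated top to bottom; the first
# terminating verdict (accept/drop) wins, and 'policy drop' catches the rest.
generate_ruleset() {
    cat <<'EOF'
#!/usr/sbin/nft -f
# 'flush ruleset' first, so every 'nft -f' load replaces the live ruleset
# instead of appending duplicate rules.
flush ruleset

table inet filter {
    # Hosts allowed to reach SSH (placeholder addresses from RFC 5737 ranges).
    # 'flags interval' lets the set hold CIDR prefixes as well as single hosts.
    set allowed_ips {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.10, 198.51.100.0/24 }
    }

    # Block list, empty at boot; fill it at runtime with 'nft add element'.
    set blocked_ips {
        type ipv4_addr
        flags interval
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        # Blocked sources are dropped before the conntrack shortcut, so an
        # existing session from a newly blocked address dies immediately.
        ip saddr @blocked_ips drop
        ct state invalid drop
        ct state established,related accept
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        ip saddr @allowed_ips tcp dport 22 accept
        tcp dport { 80, 443 } accept
        # Everything else: log a sample, count it, fall through to policy drop.
        limit rate 5/minute log prefix "nft-input-drop: "
        counter
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Write the ruleset to the given path, readable only by root.
write_ruleset() {
    generate_ruleset > "$1"
    chmod 0600 "$1"
}

# Parse-check the file without touching the kernel (-c is --check).
check_ruleset() {
    nft -c -f "$1"
}

# Snapshot the live ruleset, arm a timer that restores it, then load the new
# file. If the new rules cut your SSH session, the timer undoes them after
# $grace seconds; if you are still connected, run confirm_ruleset to cancel it.
load_ruleset() {
    grace="${2:-90}"
    check_ruleset "$1"
    { echo "flush ruleset"; nft list ruleset; } > "$BACKUP_FILE"
    ( sleep "$grace" && nft -f "$BACKUP_FILE" ) &
    echo $! > "$PIDFILE"
    nft -f "$1"
}

confirm_ruleset() {
    kill "$(cat "$PIDFILE")" 2>/dev/null || true
    rm -f "$PIDFILE"
}

case "${1:-}" in
    apply)   write_ruleset "$RULESET_FILE"; load_ruleset "$RULESET_FILE"; nft list ruleset ;;
    confirm) confirm_ruleset ;;
esac
```

Usage: run the script with the argument apply, open a second SSH session to prove you can still get in, then run it with confirm within the grace period; finally enable the nftables service so the same file is loaded at boot. Blocking a host at runtime is then a matter of adding its address to blocked_ips with the add element subcommand, which takes effect immediately and survives nothing that the set itself does not, so re-add persistent entries to the elements list in the file.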

Practical Examples of the nft Command

Let's walk through a few practical examples to illustrate how the nft command can secure a Linux system.

Example 1: Basic Firewall Setup

This setup creates a host firewall that allows incoming HTTP and HTTPS connections and drops everything else. Beyond the HTTP/HTTPS rule, two rules are essential in any such chain: an accept for the loopback interface, without which local services that talk to 127.0.0.1 break, and an accept for established and related connections, without which replies to the host's own outgoing connections (DNS answers, package downloads, the SSH session you are typing in) are dropped. Rule order matters because the final drop matches every packet that reaches it, so it must be added last. If you administer the host over SSH, also add an accept for TCP port 22 before that drop, or you will be able to finish the current session but never open another one:

sudo nft add table inet filter
sudo nft add chain inet filter input { type filter hook input priority 0 \; }
sudo nft add rule inet filter input iifname lo accept
sudo nft add rule inet filter input ct state established,related accept
sudo nft add rule inet filter input tcp dport { 80, 443 } accept
sudo nft add rule inet filter input drop

Example 2: Blocking a Specific IP Address

To block traffic from a specific IP address, add a rule that drops it. Because rules are evaluated top to bottom and add rule appends to the end of the chain, a drop added after the accept rules of Example 1 would never see HTTP or HTTPS packets from that address, since they are already accepted higher up. Use insert rule instead, which places the rule at the top of the chain:

sudo nft insert rule inet filter input ip saddr 192.168.1.100 drop

This drops all incoming traffic from 192.168.1.100 before any other rule is consulted. The rule matches only IPv4; an IPv6 source is blocked with ip6 saddr, and for more than a handful of addresses a set (as in section 5) is cleaner than one rule per address.

Conclusion

The nft command is an essential tool for managing firewalls and securing Linux systems. Whether you're setting up a simple host firewall, configuring complex rules for a corporate network, or taking advantage of sets and maps, nftables offers the flexibility and performance you need. By following the examples in this guide, you should now feel confident using nftables to protect and manage your Linux-based systems.

Remember, the key to mastering nftables is practice. The more you use it, the more intuitive it becomes. So go ahead and start creating your own firewall rules today – your Linux system will thank you!
