What Is nf_tables?
nf_tables is the modern Linux packet filtering framework. It is the successor to iptables and is built into the Linux kernel. Its job is simple: decide what to do with every network packet that passes through your Linux machine — allow it, block it, modify it, or redirect it.
You interact with it through the nft command-line tool.
A Simple Analogy
Think of your Linux machine as a post office.
Every letter (network packet) that arrives or leaves goes through a sorting room. The sorting room has a set of rules posted on the wall:
- “Letters from address 192.168.1.0 — deliver normally”
- “Letters to port 22 — only accept from internal network”
- “Letters marked as suspicious — throw away”
nf_tables is that sorting room and its rulebook.
Core Concepts
1. Tables
A table is a container that holds rules. You create a table and give it a name.
```
nft add table inet my_firewall
```
The inet address family means the table handles both IPv4 and IPv6 traffic.
2. Chains
A chain is a list of rules inside a table. Chains are attached to specific points in the packet’s journey:
| Hook Point | When It Triggers |
|---|---|
| prerouting | Packet just arrived, before routing decision |
| input | Packet destined for this machine |
| forward | Packet passing through this machine |
| output | Packet generated by this machine |
| postrouting | Packet about to leave |
```
nft add chain inet my_firewall input { type filter hook input priority 0 \; policy drop \; }
```
3. Rules
A rule is a single condition + action. Rules are evaluated top to bottom.
```
# Allow established connections
nft add rule inet my_firewall input ct state established,related accept
# Allow SSH from a specific IP
nft add rule inet my_firewall input ip saddr 10.0.0.5 tcp dport 22 accept
# Drop everything else (already set by policy drop above)
```
4. Verdict
Every rule ends with a verdict — what to do with the packet:
| Verdict | Meaning |
|---|---|
| accept | Let it through |
| drop | Silently discard |
| reject | Discard and send error back |
| jump | Go to another chain |
| return | Go back to the calling chain |
nf_tables vs iptables
| Feature | iptables | nf_tables |
|---|---|---|
| Syntax | Verbose, separate commands | Clean, grouped in one file |
| IPv4 + IPv6 | Separate tools (ip6tables) | Unified (inet family) |
| Performance | Rule-by-rule scanning | Optimized with maps and sets |
| Atomic updates | Hard (rule-by-rule) | Yes (transactional) |
| Kernel version | Legacy | Modern (kernel 3.13+) |
A Real-World Example
Set up a basic firewall that:
- Allows all outgoing traffic
- Allows established incoming connections
- Allows SSH (port 22)
- Drops everything else
```
# Create table
nft add table inet firewall
# Create input chain, default policy = drop
nft add chain inet firewall input { type filter hook input priority 0 \; policy drop \; }
# Create output chain, default policy = accept
nft add chain inet firewall output { type filter hook output priority 0 \; policy accept \; }
# Allow loopback (localhost traffic)
nft add rule inet firewall input iif lo accept
# Allow already-established connections
nft add rule inet firewall input ct state established,related accept
# Allow SSH
nft add rule inet firewall input tcp dport 22 accept
```
View your ruleset:
```
nft list ruleset
```
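The same firewall written as a single ruleset file and loaded atomically, which is the "grouped in one file" and "transactional" advantage from the comparison table. This is an added example, not code from the original article; the table name firewall, the set name ssh_sources and the address 10.0.0.5 are placeholders chosen here, and the named set goes one step beyond the article's single SSH rule.

```shell
#!/bin/sh
# Added example: build the firewall above as one nft ruleset file.
# `flush ruleset` at the top makes the file a full replacement that the
# kernel applies in one transaction: either every line is installed or
# none is, so a typo cannot leave the host half-configured.
# Inside a file, semicolons need no backslash escaping (that is only
# required when typing `nft add chain ...` on the shell command line).
firewall_ruleset() {
    cat <<'EOF'
flush ruleset

table inet firewall {
    # Named set (placeholder contents): changing who may reach SSH means
    # editing this set, not the rule that references it.
    set ssh_sources {
        type ipv4_addr
        elements = { 10.0.0.5 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and already-established traffic first
        iif "lo" accept
        ct state established,related accept

        # SSH only from addresses in the set
        ip saddr @ssh_sources tcp dport 22 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Write the ruleset to a file and, if nft is installed, syntax-check it
# with `nft -c` (check mode parses and validates without applying).
# Usage: write_and_check /etc/nftables.conf   then   nft -f /etc/nftables.conf
write_and_check() {
    out="$1"
    firewall_ruleset > "$out" || return 1
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$out" || return 1
    fi
    return 0
}
```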
Where nf_tables Lives in the Kernel
```
User space                  Kernel space
-----------                 --------------------------------
nft (CLI)  ------------->   nf_tables subsystem
                                    |
                            Netfilter hooks
                                    |
      [prerouting] [input] [forward] [output] [postrouting]
                                    |
                            Network stack (TCP/IP)
```
The nft tool talks to the kernel via Netlink (a special kernel/userspace socket), and the kernel evaluates rules entirely in kernel space — which is why it is very fast.
Key Takeaways
- nf_tables is the modern Linux firewall engine, built into the kernel
- Rules are organized into tables → chains → rules
- It replaces iptables with cleaner syntax and better performance
- Used by Docker, Kubernetes, firewalld, and many other tools under the hood
- You manage it with the nft command