nft Command
Advanced Firewall & Security | man(1) | nftables command line tool (modern firewall)
📅 Updated: Mar 15, 2026
SYNTAX
nft [OPTION]... [COMMAND]
What Does nft Do?
nft is the command-line tool for nftables, the modern replacement for iptables. nftables provides unified IPv4/IPv6 packet filtering, NAT, and classification with a cleaner, more consistent syntax.
nftables is the default firewall framework in newer Linux distributions (Debian 10+, RHEL 8+). It replaces iptables, ip6tables, arptables, and ebtables with a single framework.
nft uses tables, chains, and rules similar to iptables but with a more readable syntax. It supports sets, maps, and concatenations for more efficient rule matching.
Options & Flags
| Subcommand | Description | Example |
|---|---|---|
| list ruleset | Show all rules | sudo nft list ruleset |
| add table | Create a table | sudo nft add table inet filter |
| add chain | Create a chain | sudo nft 'add chain inet filter input { type filter hook input priority 0; }' |
| add rule | Add a rule | sudo nft add rule inet filter input tcp dport 80 accept |
| flush ruleset | Clear all rules | sudo nft flush ruleset |
| delete rule | Remove a rule by handle | sudo nft delete rule inet filter input handle 5 |
Practical Examples
#1 List all rules
Shows the complete firewall ruleset.
$ sudo nft list ruleset
#2 Allow SSH and web
Allows SSH, HTTP, and HTTPS in a single rule using an anonymous set.
$ sudo nft add rule inet filter input tcp dport { 22, 80, 443 } accept
#3 Block IP
Drops all traffic from a specific source IP.
$ sudo nft add rule inet filter input ip saddr 192.168.1.100 drop
#4 Save rules
Saves the current ruleset to a file for persistence. The redirection is performed by your shell, not by sudo, so run this from a root shell or pipe the output through sudo tee.
$ sudo nft list ruleset > /etc/nftables.conf
#5 Load rules
Loads rules from a file. nft -f adds the file's commands to the running ruleset, so a saved file should begin with flush ruleset; otherwise reloading it duplicates every rule.
$ sudo nft -f /etc/nftables.conf
Tips & Best Practices
nftables replaces iptables: nftables is the modern successor. Most distributions still ship iptables through the iptables-nft compatibility layer, but new setups should use nft directly.
Sets for efficiency: nft supports anonymous sets such as tcp dport { 80, 443, 8080 } accept, which match all listed ports in one rule and are evaluated more efficiently than one rule per port.
Rules are not persistent by default: Save with nft list ruleset > /etc/nftables.conf (from a root shell, since sudo does not apply to the shell's redirection) and enable nftables.service so the file is loaded on boot.
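The individual commands above each act on the live ruleset; the usual way to keep a whole host firewall is one file loaded with nft -f. The following is an added example written for this page, not a file from the nftables project or from the original text: a minimal /etc/nftables.conf that ties the table, chain, set and rule commands above together and is safe to reload. The blocklist addresses are constructed placeholders chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example: a self-contained host firewall for /etc/nftables.conf.
# Starting with "flush ruleset" makes the file idempotent: reloading it with
# "nft -f /etc/nftables.conf" replaces the ruleset instead of appending to it.
flush ruleset

table inet filter {
    # A named set can be updated at runtime without touching any rule, e.g.
    #   nft add element inet filter blocklist { 192.168.1.100 }
    # The addresses below are constructed placeholders, not real hosts.
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 192.168.1.100, 10.0.0.0/8 }
    }

    # Service ports, equivalent to the anonymous set { 22, 80, 443 } used above.
    set tcp_services {
        type inet_service
        elements = { 22, 80, 443 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and already-established flows first; they are the bulk of traffic.
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Drop blocklisted sources before any service rule is evaluated.
        ip saddr @blocklist counter drop

        # ICMP and ICMPv6 are needed for path MTU discovery and IPv6 neighbour discovery.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Services: one rule matching the whole set instead of three separate rules.
        tcp dport @tcp_services ct state new accept

        # Log what the default policy drops, rate limited so the log cannot be flooded.
        limit rate 5/minute log prefix "nft-input-drop: " counter
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Validate the file with sudo nft -c -f /etc/nftables.conf before applying it (the -c flag parses and checks the file without changing the kernel ruleset), load it with sudo nft -f /etc/nftables.conf, then enable nftables.service so it is applied at boot. Because this file is the source of truth, edit it directly rather than regenerating it from nft list ruleset, which would discard the comments and the shebang line.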
Frequently Asked Questions
What is nftables?
nftables is the modern Linux firewall framework, replacing iptables. It offers cleaner syntax and better performance.
Should I use nft or iptables?
For new setups, use nft (or frontends like ufw/firewall-cmd). On modern kernels iptables still works through the iptables-nft compatibility layer.
How do I make nft rules permanent?
Run sudo nft list ruleset > /etc/nftables.conf from a root shell (or pipe the output through sudo tee, since the redirection is done by your shell rather than by sudo) and enable the nftables systemd service.