Basic Commands
Table Management
# Create a new table
nft add table ip filter
# List all tables
nft list tables
# Delete a table
nft delete table ip filter
# Flush a table
nft flush table ip filter
Chain Operations
# Add a base chain
nft add chain ip filter input { type filter hook input priority 0 \; }
# Add a regular chain
nft add chain ip filter my_chain
# Delete a chain
nft delete chain ip filter input
# List chains
nft list chains
Rule Management
# Add a basic rule
nft add rule ip filter input tcp dport 22 accept
# Insert a rule at the front of the chain (index 0); 'position <handle>' inserts before an existing rule's handle instead
nft insert rule ip filter input index 0 tcp dport 80 accept
# Delete a rule by handle (show handles with: nft -a list chain ip filter input)
nft delete rule ip filter input handle 4
# List rules in a chain
nft list chain ip filter input
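Deleting by handle needs the handle first, which only `nft -a list chain` shows. The helper below, added here as an example and not part of the original cheatsheet, extracts the handle of the first rule matching a pattern from that listing and, where nft is available, deletes just that rule. The listing it is demonstrated against is constructed, and the handle numbers in it are made up.

```bash
#!/bin/bash
# Added example (not from the original cheatsheet): find a rule's handle from
# 'nft -a list chain' output so it can be removed with 'delete rule ... handle N'.
set -eu

# Constructed sample of what 'nft -a list chain ip filter input' prints;
# the handle numbers are invented for this example.
SAMPLE_LISTING='table ip filter {
    chain input { # handle 1
        type filter hook input priority filter; policy drop;
        tcp dport 22 accept # handle 4
        tcp dport 80 accept # handle 5
        ct state established,related accept # handle 6
    }
}'

# find_handle PATTERN  (listing on stdin) -> prints the handle of the first rule
# line matching PATTERN. Table/chain header lines are skipped so a pattern such
# as "input" cannot return the chain's own handle. Exit 1 if nothing matches.
find_handle() {
    awk -v pat="$1" '
        /^[[:space:]]*(table|chain) / { next }
        $0 ~ pat && /# handle [0-9]+[[:space:]]*$/ {
            sub(/.*# handle /, ""); print; found = 1; exit
        }
        END { if (!found) exit 1 }
    '
}

# delete_rule_matching FAMILY TABLE CHAIN PATTERN -> look the handle up on the
# live ruleset and delete that single rule (needs root and nft installed).
delete_rule_matching() {
    family=$1 table=$2 chain=$3 pattern=$4
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed" >&2; return 1
    fi
    handle=$(nft -a list chain "$family" "$table" "$chain" | find_handle "$pattern")
    nft delete rule "$family" "$table" "$chain" handle "$handle"
}

# Stand-alone demo against the constructed listing (no nft needed):
printf '%s\n' "$SAMPLE_LISTING" | find_handle 'tcp dport 80'
```

Handles are stable for the life of a rule but are not reused predictably after deletions, so look the handle up immediately before deleting rather than caching it.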
Advanced Usage
Sets & Maps
# Create a named set
nft add set ip filter blocked_ips { type ipv4_addr \; }
# Add elements to set
nft add element ip filter blocked_ips { 1.1.1.1, 2.2.2.2 }
# Create a map
nft add map ip filter port_map { type inet_service : verdict \; }
# Add map elements
nft add element ip filter port_map { 80 : accept, 443 : accept }
Advanced Rules
# Rate limiting
nft add rule ip filter input tcp dport 80 limit rate 10/second accept
# Connection tracking
nft add rule ip filter input ct state established,related accept
# NAT rules (require an 'ip nat' table with a 'prerouting' chain of type nat hook prerouting)
nft add rule ip nat prerouting tcp dport 80 dnat to 192.168.1.100
# Load balancing: spread flows across two existing regular chains (server1, server2) by random number
nft add rule ip filter forward numgen random mod 2 vmap { 0 : jump server1, 1 : jump server2 }
Variables & Expressions
# Define variables
define SSH_PORT = 22
nft add rule ip filter input tcp dport $SSH_PORT accept
# Complex expressions
nft add rule filter input tcp flags \& (fin|syn) == (fin|syn) drop
# String matching: nftables has no free-text payload match (no equivalent of iptables -m string),
# so 'msg "pattern"' is not valid nft syntax. The closest nft offers is a raw payload match at a
# fixed offset, e.g. the first four bytes of the inner header/payload ("GET ", needs @ih support, nft >= 1.0)
nft add rule filter output @ih,0,32 0x47455420 drop
Stateful Operations
# Connection tracking timeout: timeouts live in a named 'ct timeout' object (values in seconds)
# that a rule then assigns with 'ct timeout set'; a bare 'ct timeout 30s' in a rule is not valid
nft add ct timeout filter short_tcp { protocol tcp \; l3proto ip \; policy = { established : 30, close : 10 } \; }
nft add rule filter input tcp dport 80 ct state new ct timeout set "short_tcp" accept
# Connection limiting (connlimit statement: match while up to 10 connections exist; 'ct count over 10' matches the excess)
nft add rule filter input tcp dport 80 ct count 10 accept
# Allow tracked (established/related) traffic through the forward chain
nft add rule filter forward ct state established,related accept
Policy Management
Base Policies
# Set chain policy
nft add chain ip filter input { type filter hook input priority 0 \; policy drop \; }
# Atomic ruleset replacement
nft -f ruleset.nft
# Export ruleset
nft list ruleset > backup.nft
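The one-off commands in the Sets & Maps, Stateful Operations and Policy Management sections are easier to keep consistent as a single file loaded with `nft -f`, which the kernel commits atomically. The script below is an added example, not part of the original cheatsheet: it generates such a file (named set with CIDR elements, port-to-verdict map, conntrack rules, drop policy with rate-limited logging), validates it with `nft -c`, and applies it with a timed rollback so a mistake in the policy cannot lock the operator out. The table, set and map names and the addresses in the set are constructed for the example.

```bash
#!/bin/bash
# Added example (not from the original cheatsheet): build a complete ruleset for
# atomic replacement with 'nft -f', syntax-check it, and apply it with a timed
# rollback. Names and addresses below are constructed for this example.
set -eu

# build_ruleset -> prints the ruleset. 'flush ruleset' at the top makes the load
# a full replacement; the kernel commits the whole file or none of it.
build_ruleset() {
    cat <<'EOF'
flush ruleset

table inet filter {
    # Named set of sources to drop; 'flags interval' permits CIDR elements.
    set blocked_ips {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24, 198.51.100.7 }
    }

    # Verdict map: destination port -> verdict, consumed by the vmap rule below.
    map svc_map {
        type inet_service : verdict
        elements = { 80 : accept, 443 : accept }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state invalid drop
        ct state established,related accept
        ip saddr @blocked_ips drop
        # New SSH connections above 10/minute fall through to the drop policy.
        tcp dport 22 ct state new limit rate 10/minute accept
        tcp dport vmap @svc_map
        # Rate-limited log of everything about to hit the drop policy.
        limit rate 5/second burst 10 packets log prefix "INPUT-DROP: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
    }
}
EOF
}

# check_ruleset FILE -> 'nft -c -f' parses and validates without loading.
# Skips (exit 0) when nft is missing or we are not root, so the file can still
# be generated and reviewed on a build host.
check_ruleset() {
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        nft -c -f "$1"
    else
        echo "nft unavailable or not root; skipping syntax check for $1" >&2
    fi
}

# apply_with_rollback FILE [SECONDS] -> snapshot the live ruleset (prefixed with
# 'flush ruleset' so restoring it is atomic too), load FILE, and restore the
# snapshot unless the operator confirms within SECONDS.
apply_with_rollback() {
    file=$1; timeout=${2:-30}
    backup=$(mktemp)
    { echo "flush ruleset"; nft list ruleset; } > "$backup"
    nft -f "$file"
    echo "Ruleset applied. Press Enter within ${timeout}s to keep it."
    if read -r -t "$timeout" _; then
        rm -f "$backup"; echo "Kept new ruleset."
    else
        nft -f "$backup"; echo "No confirmation: previous ruleset restored from $backup" >&2
    fi
}

# Usage: ./nft-apply.sh show | ./nft-apply.sh apply [seconds]   (apply needs root)
case "${1:-show}" in
    show)  build_ruleset ;;
    apply) f=$(mktemp); build_ruleset > "$f"; check_ruleset "$f"; apply_with_rollback "$f" "${2:-30}" ;;
esac
```

The rollback snapshot is taken with `nft list ruleset`, exactly as in the export command above; prepending `flush ruleset` to it is what turns the restore into a single atomic transaction rather than rules appended on top of the new policy.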
Performance Tuning
# Set queue number
nft add rule filter output queue num 1
# Fast-path / hardware offloading: create a flowtable (offload flag needs NIC driver support), then
# add established forwarded flows to it; flowtables apply to the forward path, not the input chain
nft add flowtable filter hw { hook ingress priority 0 \; devices = { eth0, eth1 } \; flags offload \; }
nft add rule filter forward ip protocol tcp ct state established flow add @hw
# Set chain priority (lower values run earlier; -300 is the raw hook priority)
nft add chain filter input { type filter hook input priority -300 \; }
Monitoring & Debugging
Logging
# Enable logging
nft add rule filter input log prefix "INPUT-DROP: " drop
# Monitor traffic
nft monitor trace
# Debug rule matching
nft add rule filter input tcp dport 80 meta nftrace set 1 accept
Statistics
# View counters
nft list counters
# Reset statistics
nft reset counters
# Add a quota object (no verdict here; a quota only counts), then reference it from a rule that drops once it is exceeded
nft add quota filter download over 1024 bytes
nft add rule filter input tcp dport 80 quota name "download" drop
References
- Based on nftables 1.0.5
- For more details: NFTables Wiki
- Netfilter Documentation