NFTables Explained

nftables is the successor to iptables in the Linux kernel. Ubuntu 22.04+ uses nftables as the actual backend for both UFW and iptables (via compatibility wrappers). Understanding nftables is valuable when: you need to write complex rules that are hard to express in iptables syntax, you want to take advantage of sets and maps for efficient multi-IP or multi-port rules, or you are writing rules for a modern Ubuntu server where iptables is deprecated.

Why nftables replaced iptables

Feature             | iptables                              | nftables
--------------------|---------------------------------------|-----------------------------------------
IPv4/IPv6           | Separate tools (iptables/ip6tables)   | Single tool handles both
Rule performance    | Each rule evaluated individually      | Sets allow O(1) lookup for IPs/ports
Atomic rule updates | No (rules apply one at a time)        | Yes (entire ruleset applied atomically)
Rule syntax         | One tool per table type               | Single unified nft syntax

Core concepts: tables, chains, rules, sets

# nftables structure:
# Tables: address families (ip, ip6, inet, arp, bridge)
# Chains: hook points (input, forward, output, prerouting, postrouting)
# Rules: match + verdict (accept, drop, reject, return)
# Sets: collections of IPs/ports for efficient matching

# View current nftables ruleset
sudo nft list ruleset

# View tables
sudo nft list tables

Writing nftables rules

# Create a basic filter ruleset
sudo nft add table inet filter
sudo nft add chain inet filter input '{ type filter hook input priority 0; policy drop; }'
sudo nft add chain inet filter output '{ type filter hook output priority 0; policy accept; }'

# Add rules:
# Allow loopback
sudo nft add rule inet filter input iif lo accept

# Allow established connections
sudo nft add rule inet filter input ct state established,related accept

# Allow SSH
sudo nft add rule inet filter input tcp dport 22 accept

# Allow HTTP/HTTPS
sudo nft add rule inet filter input tcp dport '{80, 443}' accept
# Better approach: write a complete ruleset file and apply atomically
sudo nano /etc/nftables.conf

/etc/nftables.conf — complete server ruleset

#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept                          # Loopback
        ct state invalid drop                  # Drop invalid connections
        ct state established,related accept    # Allow established
        ip6 nexthdr icmpv6 accept             # Allow ICMPv6
        ip protocol icmp accept               # Allow ICMP ping

        tcp dport 22 accept                   # SSH
        tcp dport { 80, 443 } accept          # HTTP/HTTPS
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# Apply the ruleset
sudo nft -f /etc/nftables.conf

# Enable nftables service (applies /etc/nftables.conf on boot)
sudo systemctl enable --now nftables

Common rule examples

# Block a set of IP addresses using a set (much more efficient than separate rules)
sudo nft add set inet filter blocked_ips '{ type ipv4_addr; }'
sudo nft add element inet filter blocked_ips '{ 1.2.3.4, 5.6.7.8 }'
# "add rule" appends to the end of the chain, i.e. after the accept rules above;
# use "nft insert rule ..." instead if the drop should be evaluated first
sudo nft add rule inet filter input ip saddr @blocked_ips drop

# Rate limit new SSH connections (like fail2ban but built into nftables)
# Order matters: these two rules must come after the established,related accept
# and replace the plain "tcp dport 22 accept" rule, otherwise that earlier accept
# matches first and the limit never applies
sudo nft add rule inet filter input tcp dport 22 ct state new limit rate 5/minute accept
sudo nft add rule inet filter input tcp dport 22 drop    # Drop excess

# NAT masquerade (table family defaults to ip when none is given)
# Requires net.ipv4.ip_forward=1 and a forward chain that accepts the routed
# traffic; the filter ruleset above drops forwarded traffic by default
sudo nft add table nat
sudo nft add chain nat postrouting '{ type nat hook postrouting priority 100; }'
sudo nft add rule nat postrouting oif ens3 masquerade
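As an added example that is not part of the original article, the POSIX shell script below turns a plain-text blocklist into an nft script that flushes and refills the blocked_ips set from the commands above in a single transaction, so the set is never half-populated between updates. Each entry is validated as an IPv4 address or CIDR prefix before it is emitted, malformed lines are skipped with a message on stderr, and the result is only handed to nft (first in -c check mode, then for real) when nft is installed and the script runs as root. The table and set names are the ones used above; the temporary file and the sample addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example: atomically replace the contents of inet filter blocked_ips.
# Assumes the "inet filter" table and "blocked_ips" set already exist.

# Validate one IPv4 address or CIDR prefix; returns 0 if well-formed.
valid_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no "/" given: host address
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;               # prefix must be digits only
    esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                               # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print an nft script that flushes and repopulates the set in one transaction.
# Input: a file with one IPv4 address or CIDR per line; "#" starts a comment.
build_blocklist_script() {
    infile=$1
    elements=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -z "$line" ] && continue
        if valid_ipv4_cidr "$line"; then
            elements="${elements:+$elements, }$line"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done < "$infile"
    printf 'flush set inet filter blocked_ips\n'
    if [ -n "$elements" ]; then
        printf 'add element inet filter blocked_ips { %s }\n' "$elements"
    fi
}

# Constructed sample blocklist (documentation ranges, not real threat data).
tmpfile=$(mktemp)
cat > "$tmpfile" <<'EOF'
# constructed sample entries
198.51.100.7
203.0.113.0/24
999.1.1.1        # invalid, will be skipped
192.0.2.55
EOF

script=$(build_blocklist_script "$tmpfile")
printf '%s\n' "$script"
rm -f "$tmpfile"

# Apply only when nft exists and we are root: "nft -c -f -" checks the script
# read from stdin without loading it, then "nft -f -" applies it atomically.
if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    printf '%s\n' "$script" | nft -c -f - && printf '%s\n' "$script" | nft -f -
fi
```

Because flush and add element travel in the same nft -f invocation, a packet from a listed address is never evaluated against an empty set part-way through the update, which is the atomic-replacement property the article attributes to nftables.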

nftables vs iptables syntax

iptables                                                     | nftables equivalent
-------------------------------------------------------------|---------------------------------------------------------
iptables -A INPUT -p tcp --dport 22 -j ACCEPT                | nft add rule inet filter input tcp dport 22 accept
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT | nft add rule inet filter input ct state established accept
iptables -m multiport --dports 80,443 -j ACCEPT              | nft add rule inet filter input tcp dport '{80, 443}' accept
iptables -s 192.168.1.0/24 -j ACCEPT                         | nft add rule inet filter input ip saddr 192.168.1.0/24 accept

Conclusion

For most Ubuntu servers, UFW remains the easiest way to manage firewall rules. nftables is worth learning for complex scenarios: large IP blocklists (use sets for performance), atomic ruleset replacement, or when you want to understand what UFW and iptables are actually generating underneath. Write your rules to /etc/nftables.conf and enable the nftables service for persistence. Check the current state anytime with sudo nft list ruleset.

FAQ

Why should administrators understand NFTables Explained?

Because this topic affects planning decisions, server lifecycle, compatibility, support expectations, or how you reason about Ubuntu systems before making operational changes.

Do I need a lab for this topic?

A lab is useful for checking commands and seeing the concept on a real Ubuntu machine, but the main value is understanding the decision, tradeoff, or system behavior clearly.

How should I use this knowledge in production?

Use it to make better choices, document why those choices were made, and avoid rushed changes that ignore support windows, compatibility, stability, or operational risk.

Need help with Ubuntu administration?

Work directly with Muhammad Irfan Aslam for Ubuntu Server, Linux, cloud, Docker, DevOps, CI/CD, or infrastructure troubleshooting support.
