nftables Cheatsheet
Modern firewall.
Overview
nftables is the modern Linux firewall and the long-term replacement for iptables. Five primitives carry most operational use: unified inet syntax across v4/v6/ARP/bridge, atomic rule updates, native sets and maps, per-rule counters and quotas, JSON output for automation. Fluency turns network policy into clean, observable, atomically loaded rules instead of the historical iptables/ip6tables/arptables sprawl.
- Unified `inet` syntax. One tool covers IPv4, IPv6, ARP, and bridge filtering. Replaces the four-tool sprawl iptables left behind.
- Atomic updates. Rule changes apply as a single transaction. No partial-config window where some rules are loaded and others are not.
- Sets and maps. Native first-class support for IP and port sets. Concise rules that do not balloon line-by-line per address.
- Counters plus JSON output. Per-rule packet/byte counters and quotas; `nft -j` emits JSON for programmatic consumption. Observability and automation built in.
The approach
Tables and chains first, set-based rules for anything dynamic, atomic loads from a file under version control. Five idioms cover most operational nftables use; memorising them moves the team from "edit ruleset live" to confident, auditable firewall management.
- `nft list ruleset`. Print the full active ruleset. First move on any unfamiliar host.
- `nft add table inet filter`. Dual-stack table in the `inet` family. Replaces separate v4/v6 tables.
- Default-deny input chain. `nft add chain inet filter input '{ type filter hook input priority 0; policy drop; }'` (the braces and semicolons are shell metacharacters, so the chain spec is quoted). Secure baseline by construction.
- Set-based rule plus atomic load. `nft add rule inet filter input ip saddr @blocklist drop` uses a named set (the set must be declared first, e.g. `nft add set inet filter blocklist '{ type ipv4_addr; }'`); `nft -f /etc/nftables.conf` loads the whole policy atomically.
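Putting the four idioms together as policy-as-code, here is an added example (not from the original cheatsheet) that renders the `inet` table, the default-deny input chain and named blocklist sets into one nftables file, dry-runs it with `nft -c -f`, and loads it with `nft -f`. The set names `blocklist4`/`blocklist6`, the ssh allow rule, the loopback and conntrack accept rules, and the sample blocklist are assumptions added here; the page itself only shows a single `@blocklist` set.

```python
"""Policy-as-code for nftables: render a dual-stack default-deny ruleset with
named blocklist sets, dry-run it with nft -c, then load it atomically with nft -f.
Added example, not from the original cheatsheet. Set names, the ssh allow rule,
and the sample blocklist are assumptions."""
import ipaddress
import subprocess
import tempfile

# Constructed sample blocklist (documentation ranges), not real threat data.
SAMPLE_BLOCKLIST = ["203.0.113.7", "198.51.100.0/24", "2001:db8:bad::/48"]


def split_by_family(addrs):
    """Split hosts/prefixes into IPv4 and IPv6 lists. Raises ValueError on
    anything that is not an address, so a typo fails here rather than in nft."""
    v4, v6 = [], []
    for a in addrs:
        net = ipaddress.ip_network(a, strict=False)
        # print single hosts without /32 or /128 for readability
        text = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        (v4 if net.version == 4 else v6).append(text)
    return v4, v6


def render_set(name, addr_type, elements):
    """One named set. 'flags interval' lets single hosts and prefixes mix.
    nft rejects 'elements = { }', so the line is omitted for an empty set."""
    lines = [f"\tset {name} {{", f"\t\ttype {addr_type}", "\t\tflags interval"]
    if elements:
        lines.append("\t\telements = { " + ", ".join(elements) + " }")
    lines.append("\t}")
    return lines


def render_ruleset(blocklist, ssh_port=22):
    """Return the text of an nftables file. 'flush ruleset' and the new rules
    sit in the same file, so nft -f applies both in one transaction: there is
    no window with an empty or half-loaded firewall."""
    v4, v6 = split_by_family(blocklist)
    lines = ["#!/usr/sbin/nft -f", "flush ruleset", "table inet filter {"]
    lines += render_set("blocklist4", "ipv4_addr", v4)
    lines += render_set("blocklist6", "ipv6_addr", v6)
    lines += [
        "\tchain input {",
        "\t\ttype filter hook input priority 0; policy drop;",
        # an inet table sees both families: 'ip' matches only v4, 'ip6' only v6
        '\t\tip saddr @blocklist4 counter drop comment "blocklist v4"',
        '\t\tip6 saddr @blocklist6 counter drop comment "blocklist v6"',
        # without these two lines a default-deny input chain cuts the host off
        "\t\tiif lo accept",
        "\t\tct state established,related accept",
        "\t\tct state invalid counter drop",
        f'\t\ttcp dport {ssh_port} ct state new counter accept comment "ssh"',
        # a trailing counter shows how much traffic the policy drop absorbs
        '\t\tcounter comment "default-deny"',
        "\t}",
        "}",
        "",
    ]
    return "\n".join(lines)


def run_nft_f(ruleset_text, check_only):
    """Write the ruleset to a temp file and hand it to nft -f. With check_only,
    nft -c parses and validates without touching the kernel; run that first."""
    with tempfile.NamedTemporaryFile("w", suffix=".nft", delete=False) as fh:
        fh.write(ruleset_text)
        path = fh.name
    cmd = ["nft"] + (["-c"] if check_only else []) + ["-f", path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode == 0, proc.stderr


if __name__ == "__main__":
    text = render_ruleset(SAMPLE_BLOCKLIST)
    print(text)
    ok, err = run_nft_f(text, check_only=True)  # dry run; needs nft on PATH and root
    print("nft -c -f:", "ok" if ok else f"rejected: {err.strip()}")
```

Commit the rendered file, not the live ruleset, and review diffs of the `elements` lines. One caveat: `flush ruleset` also wipes tables owned by other tools on the host (firewalld, Docker); on such hosts scope the flush to your own table instead of the whole ruleset.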
Why this compounds
Each rule captures policy as code. Counters surface which rules actually fire; named sets keep the policy compact as the blocklist grows. By year two the team's firewall reviews are reading set-membership diffs instead of hunting through hundreds of iptables -A lines.
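The "which rule fired" question is answered from the JSON side. As an added example (not from the original page), the script below reads `nft -j list ruleset` output, lists each rule's packet and byte counter with its verdict, flags rules whose counter is still zero, and flags rules that carry no counter at all, since those are invisible to a counter-based review. The embedded JSON is a constructed sample shaped like libnftables output (a rule is an object with an `expr` list, and a counter appears as `{"counter": {"packets": N, "bytes": M}}`); it is not a capture from a real host, and the handles, comments and numbers in it are made up.

```python
"""Read nft -j list ruleset output and answer 'which rule fired': per-rule
packet/byte counters, rules that never matched, and rules with no counter.
Added example, not from the original page; SAMPLE_NFT_JSON is constructed."""
import json
import subprocess

VERDICTS = ("accept", "drop", "reject", "jump", "goto", "return")

# Constructed sample shaped like libnftables JSON; handles and numbers are made up.
SAMPLE_NFT_JSON = json.dumps({"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"table": {"family": "inet", "name": "filter", "handle": 1}},
    {"chain": {"family": "inet", "table": "filter", "name": "input", "handle": 1,
               "type": "filter", "hook": "input", "prio": 0, "policy": "drop"}},
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 4,
              "comment": "blocklist v4",
              "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "saddr"}},
                                  "right": "@blocklist4"}},
                       {"counter": {"packets": 118, "bytes": 7552}}, {"drop": None}]}},
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 5,
              "comment": "blocklist v6",
              "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "ip6", "field": "saddr"}},
                                  "right": "@blocklist6"}},
                       {"counter": {"packets": 0, "bytes": 0}}, {"drop": None}]}},
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 6,
              "expr": [{"match": {"op": "==", "left": {"meta": {"key": "iif"}}, "right": "lo"}},
                       {"accept": None}]}},
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 8, "comment": "ssh",
              "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                                  "right": 22}},
                       {"counter": {"packets": 42, "bytes": 3190}}, {"accept": None}]}},
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 9,
              "comment": "default-deny",
              "expr": [{"counter": {"packets": 9, "bytes": 612}}]}},
]})


def fetch_live_json():
    """Run nft -j list ruleset on this host (needs nft and root); returns the JSON text."""
    return subprocess.run(["nft", "-j", "list", "ruleset"], check=True,
                          capture_output=True, text=True).stdout


def summarize(json_text):
    """Return (counted, uncounted). counted: one dict per rule that has a counter
    expression. uncounted: handles of rules without a counter, which this
    review cannot see firing."""
    counted, uncounted = [], []
    for item in json.loads(json_text)["nftables"]:
        rule = item.get("rule")
        if rule is None:
            continue  # metainfo, tables, chains, sets
        counter, verdict = None, None
        for expr in rule.get("expr", []):
            if "counter" in expr:
                counter = expr["counter"]
            for v in VERDICTS:
                if v in expr:
                    verdict = v
        if counter is None:
            uncounted.append(rule["handle"])
            continue
        counted.append({
            "chain": rule["chain"], "handle": rule["handle"],
            "comment": rule.get("comment", ""),
            # a counter with no verdict just records; the chain policy decides
            "verdict": verdict or "(chain policy)",
            "packets": counter["packets"], "bytes": counter["bytes"],
        })
    return counted, uncounted


def never_fired(counted):
    """Rules whose counter is still zero: candidates for review, not proof they
    are wrong (the traffic they guard against may not have arrived yet)."""
    return [r for r in counted if r["packets"] == 0]


def report(counted, uncounted):
    for r in sorted(counted, key=lambda r: r["packets"], reverse=True):
        print(f'{r["chain"]}#{r["handle"]:<3} {r["packets"]:>8} pkts {r["bytes"]:>10} B  '
              f'{r["verdict"]:<14} {r["comment"]}')
    if uncounted:
        print("rules without counters (invisible to this review):", uncounted)


if __name__ == "__main__":
    counted, uncounted = summarize(SAMPLE_NFT_JSON)  # use fetch_live_json() on a real host
    report(counted, uncounted)
```

Run it periodically and diff the output: a blocklist rule whose counter never moves and an accept rule that suddenly carries most of the bytes are both worth a look, and a rule that shows up in `uncounted` is one to add `counter` to at the next policy revision.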
- Better security. Atomic, set-based rules reduce attack surface and eliminate partial-config gaps. Hardened by construction.
- Faster debugging. Counters plus named sets produce visibility iptables never had. Investigation is "which rule fired" rather than "which rule should have fired."
- Cleaner configuration. Sets replace verbose rule lists. Maintainable firewalls survive the next person to touch them.
- Year-one investment, year-two habit. First year builds patterns; by year two, every new host ships with policy-as-code on day one.