Nftables/Examples

On this page several example nftables configurations can be found. The first two examples are skeletons to illustrate how nftables works. The third and fourth examples show how, using nftables, rules can be simplified by combining IPv4 and IPv6 in the generic IP table 'inet'. The fifth example shows how nftables can be combined with bash scripting.

Basic routing firewall
The following is an example of nftables rules for a basic IPv4 firewall that: 1) only allows packets from lan to the firewall machine itself and 2) only forwards packets a) from lan to wan and b) from wan to lan when they belong to a connection established from lan.

Please note: for forwarding between wan and lan to work, IP forwarding (net.ipv4.ip_forward) needs to be enabled with sysctl or in /proc/sys; nftables rules alone do not turn it on.

Basic NAT
The following is an example of nftables rules for setting up basic Network Address Translation (NAT) using masquerade. If the router has a static public IP, it is slightly faster to use source NAT (SNAT) instead of masquerade: the router then rewrites the source address to a predefined IP instead of looking up the address of the outgoing interface for every packet.

Please note: masquerade is available in kernel 3.18 and up. When using NAT, be sure to unload or disable the iptables NAT modules, as iptables NAT takes precedence over nftables NAT.

Typical workstation (separate IPv4 and IPv6)
The following is an example of nftables rules for a typical workstation that recreates chains and tables known from iptables.

Typical workstation (combined)
The following is an example of nftables rules for a typical workstation that recreates chains and tables known from iptables. Here, the filtering sections for IPv4 and IPv6 are combined in the generic IP table 'inet'. The NAT sections remain separate, as inet doesn't support NAT chains.

Please note: inet is available in kernel 3.14 and up.

Stateful router example
The following is an example nftables configuration script for a stateful router.
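The following ruleset is an added example, not one of the configurations from the original page: it puts the basic routing firewall, the masquerade NAT and the combined 'inet' filtering of the sections above into one stateful router script. The interface names lan0 and wan0 are assumptions, as is the placement of NAT in a separate 'ip' table, which follows this page's note that inet has no NAT chains.

```nftables
#!/usr/sbin/nft -f
# Constructed example for a stateful router. Interface names are assumptions.
# Forwarding itself must still be enabled: sysctl -w net.ipv4.ip_forward=1
flush ruleset

define lan_if = "lan0"
define wan_if = "wan0"

# One inet table filters IPv4 and IPv6 with the same rules.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Only the LAN may talk to the router itself (basic routing firewall, rule 1).
        iifname $lan_if accept
        # Neighbour discovery and other ICMPv6 must pass on the WAN side or IPv6 breaks.
        meta l4proto ipv6-icmp accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies from wan to lan are accepted only for connections the LAN opened (rule 2b).
        ct state established,related accept
        ct state invalid drop
        # New connections are forwarded from lan to wan only (rule 2a).
        iifname $lan_if oifname $wan_if accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# NAT stays in an ip table, since the inet family on the kernels this page
# targets has no NAT chains; a second 'ip6 nat' table would be needed for IPv6.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # masquerade looks up the outgoing address per packet; with a static WAN
        # address, 'snat to <address>' avoids that lookup (see Basic NAT above).
        oifname $wan_if masquerade
    }
}
```

Load it with `nft -f` and check the live result with `nft list ruleset`; the policy drop on input and forward means anything not explicitly listed is discarded, so test LAN access before leaving the console.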