nftables Configuration & Security

nftables is the modern successor to iptables, available since Linux Kernel 3.13. This guide shows how to set up a secure default-deny firewall with nftables.

iptables or nftables? On modern distributions (Debian 10+, Ubuntu 20.04+, RHEL 8+), nftables is the recommended standard. If you are running an existing server with iptables you can stay with it — for new servers we recommend nftables. View the iptables guide →

Order is critical! Only activate the default-deny policy after explicitly allowing SSH — otherwise you will lock yourself out immediately. Always keep a console connection available via the PowerPanel as a fallback.

nftables vs. iptables — Key Differences

Feature       | iptables                               | nftables
Tooling       | Separate tools (ip6tables, arptables…)  | One unified tool for all protocols
Configuration | Line-based commands                    | Structured rule files (readable like code)
Performance   | Good                                   | Better — optimized kernel bytecode
Future        | Legacy, no longer actively developed   | Actively developed, default on modern distros

1. Installation & Preparation

On most modern distributions nftables is already pre-installed. Install it if needed:

Install nftables (Debian/Ubuntu)
apt update && apt install nftables
systemctl enable --now nftables
Install nftables (CentOS/RHEL)
dnf install nftables
systemctl enable --now nftables

If existing iptables rules are active, flush them first to avoid conflicts:

Flush existing iptables rules (optional)
iptables -F
iptables -X

2. Basic Rule Structure

nftables uses tables and chains. A table groups multiple chains together. Unlike iptables, tables and chains must be created explicitly before use.

Show current ruleset
nft list ruleset
Flush all rules (clean start)
nft flush ruleset

3. Set Up a Default-Deny Firewall

The recommended approach is to write a complete configuration file and load it. Create or edit /etc/nftables.conf:

/etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Allow loopback
        iif lo accept

        # Allow established connections
        ct state established,related accept

        # Drop invalid packets
        ct state invalid drop

        # Allow SSH (port 22)
        tcp dport 22 accept

        # Allow HTTP and HTTPS
        tcp dport { 80, 443 } accept

        # Allow ICMP (ping)
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

Load the configuration:

Load configuration
nft -f /etc/nftables.conf

Check your SSH port! If you run SSH on a port other than 22, update the value in the configuration before loading the rules.
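The two warnings above (lock-out through rule order, SSH on a non-default port) can be checked mechanically before the file is loaded. The lint below is an added example and not part of this guide or of nftables; it assumes the file is laid out one statement per line as shown above, and it complements rather than replaces the syntax check `nft -c -f /etc/nftables.conf`:

```python
"""Pre-flight lint for /etc/nftables.conf before `nft -f` loads it. Added example, not part of
the guide: under `policy drop` the input chain must accept loopback, established connections and
SSH on the port you really use, and the SSH accept must come before any catch-all drop."""
import re

def input_chain_statements(config: str) -> list[str]:
    """Statements of `chain input { ... }` (one per line, closing brace on its own line), comments stripped."""
    body = re.search(r"chain\s+input\s*\{(.*?)^\s*\}", config, re.S | re.M)
    raw = body.group(1).splitlines() if body else []
    lines = (l.split("#", 1)[0].strip().rstrip(";") for l in raw)
    return [l for l in lines if l]

def accepts_port(rule: str, port: int) -> bool:
    """True if rule is `tcp dport <port or { set }> ... accept` and covers port."""
    m = re.match(r"tcp dport\s+(\{[^}]*\}|\d+)\s+.*accept$", rule)
    return bool(m) and port in {int(p) for p in re.findall(r"\d+", m.group(1))}

def check_ruleset(config: str, ssh_port: int = 22) -> list[str]:
    """Return the lockout problems found; an empty list means the file is safe to load."""
    stmts = input_chain_statements(config)
    if not stmts:
        return ["no `chain input { ... }` block found"]
    header, rules, problems = stmts[0], stmts[1:], []
    if "policy drop" not in header:
        return problems  # under policy accept nothing below can lock you out
    if not any(re.match(r'iif(name)?\s+"?lo"?\s+accept$', r) for r in rules):
        problems.append("loopback traffic is not accepted")
    if not any(re.match(r"ct state\s+\S*established\S*\s+accept$", r) for r in rules):
        problems.append("established/related connections are not accepted")
    ssh_at = next((i for i, r in enumerate(rules) if accepts_port(r, ssh_port)), None)
    # A catch-all is a rule with no match expression that ends in a drop/reject verdict.
    drop_at = next((i for i, r in enumerate(rules)
                    if re.fullmatch(r"((log|limit|counter)\b.*\s)?(drop|reject.*)", r)), len(rules))
    if ssh_at is None:
        problems.append(f"no accept rule for SSH on tcp/{ssh_port}")
    elif ssh_at > drop_at:
        problems.append(f"SSH accept rule sits after the catch-all '{rules[drop_at]}'")
    return problems

# Constructed sample: the input chain from the guide's base configuration.
GUIDE_CONF = """table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        tcp dport 22 accept
        tcp dport { 80, 443 } accept
    }
}"""
```

Run `check_ruleset(open("/etc/nftables.conf").read(), ssh_port=<your port>)` and only load the file when it returns an empty list.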

4. Opening Individual Ports

Rules can either be added directly to the configuration file or applied via command at runtime:

Open an additional port (e.g. for a game server)

Add port to running configuration
nft add rule inet filter input tcp dport 25565 accept

Restrict database access to a specific IP

Critical ports like MySQL should only be opened for known, trusted IP addresses:

Allow MySQL for one IP only
nft add rule inet filter input ip saddr 192.0.2.5 tcp dport 3306 accept

Open a UDP port (e.g. for a game server)

Allow UDP port
nft add rule inet filter input udp dport 27015 accept

5. Rate Limiting & Protection

SSH Brute-Force Protection

Limits new SSH connection attempts to 5 per minute per IP — add these lines inside the input chain of your configuration file:

SSH rate limit
# Place these two rules before the plain "tcp dport 22 accept" rule, otherwise that rule matches first and the limit never applies
tcp dport 22 ct state new limit rate 5/minute accept
# A bare limit statement is one shared bucket for all sources; a per-source limit needs a dynamic set or meter keyed on ip saddr
tcp dport 22 ct state new drop

Drop Invalid Packets

Already included in the base configuration — drops packets that do not belong to any known connection:

Drop invalid packets
ct state invalid drop

Log Dropped Packets

Add this rule at the end of the input chain, just before the implicit DROP policy:

Enable logging
limit rate 5/minute log prefix "nftables dropped: " level warn

6. Verify & Save Rules Persistently

Show active rules

List all active rules
nft list ruleset

Save running rules to file

Export the current running configuration directly to the persistent config file. The exported ruleset does not contain the #!/usr/sbin/nft -f shebang or the flush ruleset line from the original file; put flush ruleset back at the top, otherwise loading the file on top of a running ruleset adds every rule a second time:

Save configuration
nft list ruleset > /etc/nftables.conf

Enable service (auto-load on boot)

Enable nftables on startup
systemctl enable nftables
systemctl restart nftables

When the nftables service is enabled, it automatically loads /etc/nftables.conf on every boot. Make sure the configuration file is always up to date after adding rules via command line.

Further Documentation

For a complete reference of all nftables options, refer to the official documentation.