nftables is a userspace tool to configure the Linux firewall.
The most useful commands:

nft -f /path/to/file: loads the ruleset from /path/to/file, "overwriting" the previous configuration (in quotes because nft -f by itself only adds to the running rules; the flush ruleset line at the top of the file below is what makes the load replace them).
nft list ruleset: prints the currently loaded ruleset.
nft flush ruleset: removes all loaded rules.
A minimal starting point for such a configuration file is presented in the following:
#!/bin/nft -f

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		ct state invalid drop
		ct state { established, related } accept
		iif lo accept
		iif != lo ip daddr 127.0.0.1/8 drop
		iif != lo ip daddr 127.0.1.1/8 drop
		iif != lo ip6 daddr ::1/128 drop
	}
	chain forward {
		type filter hook forward priority 0; policy drop;
	}
	chain output {
		type filter hook output priority 0; policy accept;
		ct state invalid drop
	}
}

include "/etc/nftables.rules.d/*/*.rule"
Put this at e.g. /etc/nftables.rules. Configuration files that address specific needs, e.g. opening ports 80 and 443 for a webserver, should then be put at /etc/nftables.rules.d/{input,output,forward}/*.rule. They are applied automatically because of the include on the last line of the snippet above.
For example, /etc/nftables.rules.d/input/tipidee.rule with the following content:

#!/bin/nft -f

table inet filter {
	chain input {
		tcp dport 80 accept
		tcp dport 443 accept
	}
}
Finally, whenever the configuration is changed, run nft -f /etc/nftables.rules.
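As an added check that is not part of the original notes: a small Python lint for the drop-in layout above. It confirms that each *.rule file under input/, output/ or forward/ declares the chain matching its directory, flags drop-ins that restate the base chain's type, hook or policy (the main file already sets these, and a drop-in that repeats policy changes the chain's default verdict), and lists the ports the tree accepts. The rule files and directory tree are constructed in a temporary directory, not read from /etc.

```python
import re
import tempfile
from pathlib import Path

# Layout from the notes above: /etc/nftables.rules.d/{input,output,forward}/*.rule
CHAINS = ("input", "output", "forward")
CHAIN_RE = re.compile(r"^\s*chain\s+(\w+)\s*\{")
PORT_RE = re.compile(r"^\s*(tcp|udp)\s+dport\s+(\d+)\s+accept\b")
# type/hook/policy belong in the base file only; 'policy' in a drop-in changes the default verdict
BASE_RE = re.compile(r"^\s*(type\s+filter\s+hook|policy\s+\w+)")

def lint_rule_text(text, expected_chain, name="<rule>"):
    """Lint one drop-in; returns (problems, ports) with ports as (chain, proto, port) tuples."""
    problems, ports, chain = [], [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if m := CHAIN_RE.match(line):
            chain = m.group(1)
            if chain != expected_chain:
                problems.append(f"{name}:{lineno}: chain '{chain}' in {expected_chain}/ directory")
        elif BASE_RE.match(line):
            problems.append(f"{name}:{lineno}: drop-in restates base chain settings: {line.strip()}")
        elif m := PORT_RE.match(line):
            ports.append((chain, m.group(1), int(m.group(2))))
    if chain is None:
        problems.append(f"{name}: no chain block found")
    return problems, ports

def lint_tree(root):
    """Lint every *.rule under root/{input,output,forward}/ and merge the results."""
    root, problems, ports = Path(root), [], []
    for chain in CHAINS:
        for f in sorted((root / chain).glob("*.rule")):
            p, o = lint_rule_text(f.read_text(), chain, str(f))
            problems += p; ports += o
    return problems, ports

def demo():
    """Build a constructed rules.d tree in a temp dir: the page's tipidee.rule plus one bad drop-in."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for c in CHAINS:
            (root / c).mkdir()
        (root / "input" / "tipidee.rule").write_text(
            "#!/bin/nft -f\ntable inet filter {\n\tchain input {\n"
            "\t\ttcp dport 80 accept\n\t\ttcp dport 443 accept\n\t}\n}\n")
        (root / "output" / "oops.rule").write_text(  # constructed: wrong directory, restates policy
            "table inet filter {\n\tchain input {\n\t\tpolicy accept;\n\t}\n}\n")
        return lint_tree(root)
```

Running lint_tree against /etc/nftables.rules.d before each nft -f /etc/nftables.rules gives a quick review of what the drop-ins open and whether any of them touches the base chain's policy.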