Outsiders Republic


Netfilter Tables Cheat Sheet

Kevin

This post is a cheat sheet of the basic commands used to configure Netfilter Tables (nftables) with the nft command-line utility. Every command that changes the ruleset talks to the kernel directly and needs root (hence the sudo in the examples); the changes take effect immediately and are lost on reboot unless you save the ruleset (nft list ruleset) and reload it at boot.

Netfilter Table Structure

Netfilter tables are organized hierarchically. Tables contain chains and chains contain rules, for example:

  • Table 1
    • Chain 1
      • Rule 1
      • Rule 2
    • Chain 2
      • Rule 3
  • Table 2
    • Chain 3
      • Rule 4

Basic Syntax

Tables, chains, and rules are managed with nft. The general form is:

nft <command> <subcommand> <arguments ...>

Common Commands

  • list
  • add
  • insert
  • flush
  • delete

Common Subcommands

  • tables (plural: list every table)
  • table (singular: one table, addressed by family and name, e.g. ip mytable)
  • chain
  • rule
  • ruleset (the entire configuration, e.g. nft list ruleset or nft flush ruleset)

Examples

List all tables

$ sudo nft list tables

Add a table named “mytable”. With no family given, the table is created in the ip family and only sees IPv4 traffic; for a table whose chains handle both IPv4 and IPv6, use nft add table inet mytable and refer to it as inet mytable in later commands.

$ sudo nft add table mytable

Add a chain to a table

The command is of the form: nft add chain <table name> <chain name> { <chain properties> }. The type, hook and priority properties make this a base chain that actually receives packets from the named Netfilter hook; the semicolon that terminates them must be escaped (\;) so the shell does not treat it as a command separator. The policy of a new base chain defaults to accept, so until you add rules or set policy drop the chain filters nothing.

$ sudo nft add chain mytable input { type filter hook input priority 0 \; }

Add a rule to a chain

The command is in the form: nft add rule <table name> <chain name> <rule>

This example adds a rule to our input chain in mytable that accepts all traffic arriving on the loopback interface. iif matches the interface by its index, so lo must exist when the rule is added; iifname matches by name instead.

$ sudo nft add rule mytable input iif lo accept
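The three commands above (add table, add chain, add rule) are the pieces of one procedure, so here they are as a single ruleset file loaded atomically with nft -f. This is an added example, not code from the original post, and it changes two defaults a practitioner normally wants changed: the table is in the inet family rather than the default ip (so the chain also sees IPv6), and the input chain has policy drop rather than the default accept, with explicit accepts for loopback, established connections, ICMP and one TCP service port. The table and chain names follow the post; the port number is an assumption.

```shell
# Added example (not part of the original post): the post's table/chain/rule
# structure as one ruleset file that nft loads atomically, hardened with
#   * family inet instead of the default ip, so the chain also sees IPv6
#   * policy drop on the input base chain instead of the default accept
# Table and chain names follow the post; the port is an assumption.

# Print a complete ruleset to stdout.
# $1: table name (default mytable), $2: TCP port to allow inbound (default 22).
build_ruleset() {
    table=${1:-mytable}
    port=${2:-22}
    # Declaring the table and flushing it first makes the load idempotent and
    # touches only this table, leaving other tables on the host alone.
    cat <<EOF
table inet $table
flush table inet $table
table inet $table {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        tcp dport $port accept
    }
}
EOF
}

# Validate the ruleset without touching the kernel (nft -c), then load it in
# one transaction. Requires root, like every command in the post.
apply_ruleset() {
    f=$(mktemp) || return 1
    build_ruleset "$@" > "$f"
    if nft -c -f "$f"; then
        nft -f "$f"; rc=$?
    else
        rc=$?
    fi
    rm -f "$f"
    return "$rc"
}

# Usage (as root): apply_ruleset mytable 22
```

Because the policy is drop, get the service port right before applying this on a remote machine, and keep a console session open the first time; the nft -c pass only catches syntax errors, not a rule set that locks you out.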

Remove a rule from a chain

The command is in the form: nft delete rule <table name> <chain name> handle <N>, where N is the rule's handle, a number the kernel assigns when the rule is added. Since deleting a rule requires knowing its handle, deleting a rule is a two-step process.

  1. Determine the handle
  2. Enter the delete rule command

Step 1: Determine the handle by listing the containing table with the -a (--handle) option. The option is global and goes before the command:

$ sudo nft -a list table mytable

You should see output like this (recent nft versions also print a handle after the table and chain lines):

table ip mytable {
	chain input {
		type filter hook input priority 0; policy accept;
		iif "lo" accept # handle 2
	}
}

Step 2: Remove the rule with handle 2.

$ sudo nft delete rule mytable input handle 2
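The two steps above can be scripted: parse the -a listing for the handle of the rule you want, then pass that handle to nft delete rule. The shell functions below are an added example, not code from the original post. rule_handle reads nft -a list table output on stdin and prints the handle of each rule in one chain whose text matches exactly; delete_rule wires that to the delete command. SAMPLE is a constructed listing with invented handles, used only to exercise the parser without root or a live ruleset.

```shell
# Added example (not part of the original post): automate the two-step delete.

# Print the handle of every rule in chain $1 whose text is exactly $2.
# Input on stdin: the output of `nft -a list table <table>`.
rule_handle() {
    awk -v chain="$1" -v rule="$2" '
        # Chain headers look like "chain input {" (newer nft appends "# handle N");
        # remember which chain we are inside.
        $1 == "chain" && $3 == "{" { cur = $2; next }
        $1 == "}"                 { cur = ""; next }
        # Only rule lines end in "# handle N"; the type/hook/policy line does not.
        cur == chain && /# handle [0-9]+$/ {
            h = $0; sub(/.*# handle /, "", h)
            text = $0
            sub(/^[ \t]+/, "", text)
            sub(/[ \t]*# handle [0-9]+$/, "", text)
            if (text == rule) print h
        }'
}

# Delete the first rule whose text is $3 from table $1, chain $2 (needs root).
delete_rule() {
    h=$(nft -a list table "$1" | rule_handle "$2" "$3" | head -n 1)
    if [ -z "$h" ]; then
        echo "no rule '$3' in $1/$2" >&2
        return 1
    fi
    nft delete rule "$1" "$2" handle "$h"
}

# Constructed sample of `nft -a list table mytable` output (handles invented).
SAMPLE='table ip mytable { # handle 1
	chain input { # handle 1
		type filter hook input priority 0; policy accept;
		iif "lo" accept # handle 2
		tcp dport 22 accept # handle 3
	}
	chain forward { # handle 4
		type filter hook forward priority 0; policy accept;
		iif "lo" accept # handle 5
	}
}'

# Offline: printf '%s\n' "$SAMPLE" | rule_handle input 'iif "lo" accept'   # prints 2
# Live use (as root): delete_rule mytable input 'iif "lo" accept'
```

Matching on the exact rule text as nft prints it (for example iif "lo" with the quotes) avoids deleting the wrong rule when the same expression appears in several chains; the sample shows the same rule text carrying different handles in input and forward.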

Flush a chain

Flushing a chain removes all rules from it but leaves the chain itself, including its properties, in place. The command is in the form: nft flush chain <table name> <chain name>

$ sudo nft flush chain mytable input

Delete a chain

Note: a chain that is the jump target of another chain cannot be deleted, and older kernels also refuse to delete a chain that still contains rules, so flush the chain before entering the delete command to be safe.

The command is in the form: nft delete chain <table name> <chain name>

$ sudo nft delete chain mytable input

Flush a table

Flushing a table removes all chains and rules from it but leaves the table itself in place. The command is in the form: nft flush table <table name>

$ sudo nft flush table mytable

Delete a table

Deleting a table removes the table and all its contents. The command is in the form nft delete table <table name>. Note: if your Linux kernel is earlier than 3.18, you’ll first need to flush the table before deleting it, otherwise you’ll get an error. If your kernel is 3.18 or later, you should be able to delete a table directly without flushing it.

$ sudo nft delete table mytable




Categories: Tech
