How to Open Ports Using nftables

Last updated: November 17, 2024

Reviewed by: David Martinez
Baeldung Pro – Linux – NPI EA (cat = Baeldung on Linux)
announcement - icon

Learn through the super-clean Baeldung Pro experience:

>> Membership and Baeldung Pro.

No ads, dark-mode and 6 months free of IntelliJ Idea Ultimate to start with.

1. Overview

In this tutorial, we’ll briefly look at nftables and how to use it to open ports. We’ll discuss the basics of nftables, its advantages over iptables, and how it serves as the modern firewall solution in Linux-based systems. Opening ports using nftables involves creating appropriate rules that control network traffic flow. These rules allow us to define which ports should be accessible/used.

2. nftables Setup and Syntax

nftables is a Linux-based firewall framework, introduced as a modern replacement for iptables. It was developed to provide a more unified, efficient, and flexible solution for packet filtering. Additionally, it operates on a single framework rather than managing separate tools for each protocol. nftables is part of the netfilter project and comes pre-packaged with Linux kernels version 3.13 and later. For distributions lacking it, we can easily install it:

$ sudo apt update
$ sudo apt install nftables

We usually interact with nftables through the terminal. Administrators can define policies for network traffic handling across various layers, including IPv4, IPv6, ARP, and bridge filtering. One of the nftables‘ main advantages is its simplified syntax, which reduces redundant rules and improves readability. For example, let’s look at the syntax:

$ nft <command> <subcommand> <chain> <rule definition>

This structure allows us to define, modify, and view firewall rules in a clear, logical sequence:

  • nft is the command-line utility that interacts with the nftables subsystem.
  • The <command> tells nft the action we want to take, such as add, delete, list, or flush.
  • Following, we have the subcommand which specifies the object we are interacting with e.g. chain, table, or rule.
  • Next, we have chain, which specifies where the rule will apply (input, output, or forward). Chains are organized within tables, so specifying the chain directs the rule to the correct traffic flow.
  • Finally, we’ve got rule definition, which defines the specific criteria and actions for traffic within the chain. Rule definitions typically include the protocol (such as tcp or udp), port number (dport 80), and action (accept, drop).

For instance, if we want to allow HTTP traffic on port 80 in the input chain, we use:

$ nft add rule inet filter input tcp dport 80 accept

This command allows incoming HTTP traffic.

3. Opening Ports Using nftables

Now that we’ve described nftables, let’s look at how to use it to open ports. First, let’s ensure nftables is active:

$ sudo systemctl status nftables

If it’s not active let’s activate it and also enable it to run on startup:

$ sudo systemctl enable nftables
$ sudo systemctl start nftables

With nftables up and running, let’s now configure the specific ports we want open.

3.1. The /etc/nftables.conf File

As mentioned earlier, in nftables, we typically create tables, chains, and rules. Tables group related rules, chains define the type of traffic flow (input, output, or forward), and rules specify actions for specific traffic types. Let’s see how to manage the configuration by modifying the /etc/nftables.conf file. To start, let’s open the nftables configuration file:

$ sudo vi /etc/nftables.conf

By default, the file looks like:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority filter;
	}
	chain forward {
		type filter hook forward priority filter;
	}
	chain output {
		type filter hook output priority filter;
	}
}

Let’s modify the configuration to include a table and a chain for managing incoming traffic:

table inet filter { 
         chain input { 
               type filter hook input priority 0; policy drop; 
               #allow loopback interface traffick 
               iif "lo" accept

Here, we’ve defined a table named inet filter with a default policy to drop all incoming connections. This makes the firewall more secure by only allowing explicitly defined traffic. Additionally, we allowed traffic coming from the loopback interface, which is typically used for local communication on the system. Before allowing traffic through specific ports, let’s first allow incoming traffic that is part of an established connection or related to an established connection. This is crucial for maintaining active connections. We’ll then add rules under the input chain to open port 80 (HTTP) and port 443 (HTTPS):

		#Allow established connections
		ct state established,related accept
		
		#Open ports 80 and 443 for web traffic
		tcp dport 80 accept
		tcp dport 443 accept
	}

Every time we update the /etc/nftables.conf file, we need to save the file and apply the changes:

$ sudo nft -f /etc/nftables.conf

3.2. Running nftables Through the Terminal

Alternatively, we can add similar lines through the terminal without necessarily editing the nftables.conf file. Let’s allow both SSH and DNS through the terminal:

$ sudo nft add rule inet filter input tcp dport 22 accept
$ sudo nft add rule inet filter input udp dport 53 accept
$ sudo nft add rule inet filter input tcp dport 53 accept

Since all configurations are written to the /etc/nftables.conf file, the settings are persistent and aren’t lost on reboot. Let’s check our rules:

$ sudo nft list ruleset

This displays our current ruleset, showing open ports and chain policies:   image showing the output of list ruleset From the image above, we can see that the chain input only has the ports we’ve explicitly allowed. Any port that is not on this list and is not part of the established and related connections can’t pass traffic.

4. Other nftables Features and Advantages

A key feature of nftables is its use of a single data structure to store filtering rules across all protocols. This unified design is more memory-efficient, enabling the firewall to handle more rules without experiencing the performance issues typical of older systems. Additionally, nftables compiles its rules into bytecode that runs directly in the kernel, accelerating packet processing and lowering latency. Subsequently, nftables enhances logging capabilities with advanced features like custom log formatting and rate limiting, offering greater flexibility and detail in network traffic monitoring. It also supports dynamic updates, enabling administrators to modify rules without reloading the entire configuration. This minimizes the risk of downtime and improves real-time responsiveness. Another advantage of nftables is its compatibility with high-level frontends like firewalld, which abstracts firewall configuration further. This makes it easier for less experienced users to manage or edit it. In addition, nftables integrates with other tools and frameworks, enabling configuration and management across diverse environments. Lastly, using constructs like sets, maps, and concatenations allows administrators to avoid repetitive rules, making configurations more manageable and less error-prone. For instance, an administrator can create a set of IP addresses or ports and apply a single rule to that set, rather than writing separate rules for each address or port as required by iptables. This approach minimizes potential mistakes and makes the firewall configuration easier to read and maintain.

5. Conclusion

In this article, we’ve briefly discussed what nftables is and how it works. Using nftables to open ports provides us with a powerful and flexible way to control network traffic. By defining tables, chains, and rules, we create a firewall that meets our specific needs, allowing fine-grained control over network traffic. With careful rule configuration, nftables helps secure Linux environments efficiently while maintaining essential connectivity. Lastly, we also looked at how we can open ports either through the terminal or by editing the /etc/nftables.conf file.