Digital Garden

Recent Notes

access-control
addons
Addons Branch
administration

❯

❯

Nftables

Apr 28, 20261 min read

tech
linux
administration
security
networking
firewall
notes

Nftables

nftables is Linux’s modern firewall and packet classification framework.

It is important because network policy should be precise, reviewable, and maintainable. nftables improves that situation by giving Linux a cleaner model for filtering, NAT, sets, maps, and protocol-family handling than the older fragmented rule stacks.

Why it matters

Consolidates filtering, NAT, and packet mangling in one framework.
Simplifies firewall rule management across IPv4 and IPv6.
Improves maintainability compared to legacy rule stacks.

Core concepts

Tables and chains organize policy.
Base chains connect rules to hooks such as input, forward, and output.
Sets and maps make larger policies more maintainable and expressive.
Rulesets should be treated as versioned infrastructure artifacts rather than as ad hoc shell history.

Operational use

Define base chains for input/output/forward policies.
Version and review rulesets as infrastructure code.
Combine with service-level hardening and monitoring.

Design cautions

Firewall policy should reflect actual service exposure and traffic assumptions, not only copied defaults.
Mixed environments need care during migration from legacy iptables conventions.
Network controls are only one layer of a host hardening strategy.

Related

OpenSSH
Systemd
Linux Administration in Datacenters
MOC Linux Administration and Security

Graph View

Nftables
Why it matters
Core concepts
Operational use
Design cautions
Related

Backlinks

MOC Computing DevOps and Software
CrowdSec
Fail2ban
Linux Administration in Datacenters
Linux Host Hardening Stack Patterns
MOC Linux Administration and Security
Security Branch
Networking Leaf
OpenSSH

Created with Quartz © 2026

Website
GitHub
ORCID
LinkedIn