Quick HowTos

• https://www.theurbanpenguin.com/using-nftables-in-centos-8/

Basic Architecture

• https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks

Common commands

sudo nft list ruleset  # you can direct this to /etc/nftables.conf as a simple way of backing up current rules.
sudo nft list tables
sudo nft list table <table-name>
sudo nft add rule nat prerouting iif bond0 ip daddr 23.228.169.145/32 dnat 10.64.40.11
sudo nft list table nat -a
sudo nft delete rule nat prerouting handle <numeric id>
systemctl restart nftables

NAT

https://wiki.nftables.org/wiki-nftables/index.php/Multiple_NATs_using_nftables_maps

More Reading

Why Use Netfilter NFTables?

It's better! Read https://wiki.debian.org/nftables

More Reading

• https://wiki.archlinux.org/index.php/nftable
• https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes
• https://wiki.gentoo.org/wiki/Nftables/Examples
• https://wiki.gentoo.org/wiki/Nftables#systemd_configuration
• https://netfilter.org/projects/nftables/
• https://wiki.nftables.org/wiki-nftables/index.php/Classic_perimetral_firewall_example
• https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_connection_tracking_metainformation

Examples Using NFTables on Workstation

The inet table is available from Linux kernel 3.14 and allow to use a dual-stack IPv4/IPv6 table.

ref: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_workstation

apt-get remove iptables first and reboot (to get rid of iptables)

Ultra simple nftables.conf for local firewall using NFTables (for those of you used to using iptables)

table inet filter {
        chain input {
                 type filter hook input priority 0;

                 # accept any localhost traffic
                 iif lo accept

                 # accept traffic originated from us
                 ct state established,related accept

                 # accept neighbour discovery otherwise connectivity breaks
                 ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

                 # count and drop any other traffic
                 counter drop
        }
}

More Examples

nft add rule ip6 filter input tcp dport {telnet, http, https} accept

nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

Proxy

• https://github.com/torvalds/linux/blob/master/Documentation/networking/tproxy.txt

More

• https://developers.redhat.com/blog/2016/10/28/what-comes-after-iptables-its-successor-of-course-nftables/?extIdCarryOver=true&sc_cid=701f2000001OH7TAAW
• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking