Create a basic IPv4 table

• nft add table inet filter

List that table

• nft list table inet filter

table inet filter {
}

Create a chain for input,output,forward traffic IPv4

• nft add chain inet filter input { type filter hook input priority 0\; }
• nft add chain inet filter output { type filter hook output priority 0\; }
• nft add chain inet filter forward { type filter hook forward priority 0\; }

Conntracking for input,output,forward

• nft add rule inet filter input ct state established,related counter accept
• nft add rule inet filter output ct state established,related counter accept
• nft add rule inet filter forward ct state established,related counter accept

loopback interface traffic is ok

• nft add rule inet filter input iifname "lo" counter accept
• nft add rule inet filter output oifname "lo" counter accept

A rule to check that ssh,http,https input is fine (IPv4)

• nft add rule inet filter input tcp dport 22 counter accept
• nft add rule inet filter input tcp dport 80 counter accept
• nft add rule inet filter input tcp dport 443 counter accept

A rule to check that output is fine (IPv4)

• nft add rule inet filter output counter accept

A rule to check that some forward is fine (IPv4)

• nft add rule inet filter forward iifname "ens19" oifname "ens18" tcp dport 22 counter accept
• nft add rule inet filter forward iifname "ens19" oifname "ens18" tcp dport 443 counter accept

List that table

• nft list table inet filter

Flush rules in chain filter/input

• nft flush chain inet filter input

Delete the chain filter/input

• nft delete chain inet filter input

Delete the table filter

• nft delete table inet filter

Links

• https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
• https://wiki.archlinux.org/index.php/nftables