nftables is the modern successor to iptables, introduced in Linux 3.13 (2014) and the default firewall backend on most current distributions. It unifies IPv4, IPv6, ARP, and bridge filtering under a single framework, provides a cleaner rule language, supports named sets and maps for efficient lookups, and performs better on large rule sets than iptables does.
sudo nft list ruleset                          # print the current rules
sudo nft add table inet filter                 # one table covers IPv4 and IPv6
sudo nft add chain inet filter input \
    { type filter hook input priority 0 \; policy drop \; }   # \; stops the shell from treating ; as a command separator
# The drop policy takes effect immediately, so add the accept rules straight away
# (or load everything from a file with nft -f) to avoid cutting off a remote session.
sudo nft add rule inet filter input ct state established,related accept   # replies to our own connections
sudo nft add rule inet filter input iif lo accept                         # loopback
sudo nft add rule inet filter input tcp dport 22 accept                   # SSH
Rules are written in an expression-style language closer to tcpdump's filters than iptables' flag soup. A single inet table handles both IPv4 and IPv6, eliminating the duplication iptables required. Sets (e.g. a list of IPs to block) can be updated atomically without reloading the ruleset.
Most distributions now ship iptables as a compatibility shim that translates old commands into nftables underneath. For new firewall configurations, write them in nftables directly. Tools like ufw and firewalld have both moved their backends to nftables and usually provide a more comfortable starting point than raw nft commands.
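The same host firewall written directly in nftables as a ruleset file, as an added example that is not part of the original text. It shows the inet table, the named set the paragraph above mentions, and the atomic load behaviour of nft -f (the file is applied as a whole or not at all); the addresses in the set are placeholders from the documentation ranges.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original text. Load with: sudo nft -f firewall.nft
# nft -f applies the whole file atomically, so the host is never left
# half-configured if a later line fails to parse.
flush ruleset

table inet filter {
    # Named set of sources to drop. Elements can be added or removed at runtime
    # without reloading the rest of the ruleset (see the usage note below).
    # Placeholder addresses from the RFC 5737 documentation ranges.
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Drop and count anything from the blocklist before the accept rules
        ip saddr @blocklist counter drop comment "blocklisted sources"

        # Keep the host reachable for diagnostics (ping, path MTU, NDP)
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # One rule covers SSH over IPv4 and IPv6 because the table family is inet
        tcp dport 22 accept

        # Log what the default policy is about to drop, rate-limited so a
        # burst of unwanted traffic cannot fill the journal
        limit rate 5/minute log prefix "nft-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the file without applying it with `sudo nft -c -f firewall.nft`; once loaded, `sudo nft add element inet filter blocklist { 203.0.113.9 }` updates the set live and `sudo nft list set inet filter blocklist` shows its current contents.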
Discussed in:
- Chapter 12: Networking — Firewalls: iptables, nftables, ufw, firewalld
Also defined in: Textbook of Linux