How to Configure nftables to Serve Internet

September 22, 2015 | By in FIREWALL, LINUX HOWTO
| Reply More

Hello everyone! This time I will show how to install nftables on a Linux box to serve as firewall and internet gateway. How to build the Linux kernel with nftables enables, how to install nftables use-space and it's dependencies and how to the nft utility to perform network filtering and IP address translation.

The nftables project is intended to replace the current netfilter tools such as iptables, ebtables, arptables and the kernel-space infrastructure with a renewed one and a user-space tool, nft, which has a simplified and cleaner syntax, but maintains the essence of the tools that we use nowadays.

Check your kernel

Nftables is on Linux kernel tree since kernel 3.13 and you need just to enable symbols relative to nftables using usual kernel config tools and build it. However, the masquerade and redirect network address translation targets, were introduced in kernel 3.18 and 3.19 respectively and they are desired for NAT.

Get your kernel release number with the following command

uname -r

To check if nf_tables module is already compiled try this

modinfo nf_tables

You should see information relevant to the module, but if you get an error, you will need another kernel.

Building a nftables compatible kernel

Let's compile kernel 4.2, it is the latest stable kernel while i write this and has all we need for Nftables.

Enter /usr/src

cd /usr/src

Download xz package of the Linux kernel from

wget --no-check-certificate

Extract the sources on the xz package

tar Jxvf linux-4.2.tar.xz

Move your old Linux kernel tree

mv linux linux-old

Create a link to the new Linux tree

ln -s linux-4.2 linux

Copy your old .config to the new kernel tree

cp linux-old/.config linux/.config

And then enter the Linux kernel tree

cd linux

Now prepare your old .config for the new kernel with the olddefconfig target, which maintain your current kernel settings and set new symbols to default.

make olddefconfig

Now, use the menuconfig option to navigate through the curses-like menu and follow  options, that are related to nftables

make menuconfig

Networking support

menuconfig - network support

Networking options

Networking options

Network packet filtering framework (Netfilter)

Network packet filtering framework

Core Netfilter Configuration


Enter core Netfilter settings

Enable Netfilter nf_tables support and related modules

Enable nftables and related modules

Enable nftables and related modules

Now go up one level, back to main Netfilter settings and enter IP:Netfilter Configuration

Enter IPv4 Netfilter settings

Enter IPv4 Netfilter settings

There you enable NAT chain for nf_tables and also masquerading and redirect targets.

Enable Nftables NAT support for IPv4

Enable Nftables NAT support for IPv4

You are now done with nftables, remember to check if any kernel setting relative to your specific needs are not missing and save your .config

Then make and make the modules

make && make modules

Install your kernel to /boot manually, so you can use your old kernel if you miss something goes wrong.

cp arch/x86_64/boot/bzImage /boot/vmlinuz-4.2

cp /boot/

cp .config /boot/config-4.2

Install kernel modules

make modules_install


Some setups may need an initial ramdisk to boot, it will be the case if your root partition is under LVM,  RAID or the root filesystem's module was not built in the kernel.

The following example creates the compressed ramdisk file /boot/initrd-4.2gz, which will wait 8 seconds to boot  on the rootfs partition of vgroup logical volume group, it will load the modules for XFS and Ext4 filesystems from the kernel 4.2.0

mkinitrd -w 8 -c -u -f ext4 -m ext4:xfs -L -r /dev/vgroup/rootfs -k 4.2.0 -o /boot/initrd-4.2.gz

Add a new option to your bootloader pointing to your kernel and ramdisk, if you have one; on LILO you should add something like this in your /etc/lilo.conf

image     = /boot/vmlinuz-4.2
root     = /dev/vgroup/rootfs
label     = linux-4.2
initrd     = /boot/initrd-4.2.gz

Once your system reboot, check your module again.

modinfo nf_tables

modinfo nf_tables

modinfo nf_tables

You should see something similar to the image above, otherwise, try to review menuconfig the steps above and try to mark all netfilter related symbols as modules.

After that, make and install those modules

make modules && make modules install

Install nft tool

Now it is time to install Nftables user-space utility, nft, the replacement for the traditional iptables and its friends, but before we can do that, we need to install the required shared libraries to build nft itself.

GMP - The GNU Multiple Precision Arithmetic Library

Download and extract the package

wget tar Jxvf gmp-*

Build and install

cd gmp* && ./configure && make && make install

libreadline - The GNU Readline Library

You will need this library if you plan to use nft in interactive mode, which is optional not covered here.

Download, extract and enter source tree.

wget && tar zxvf readline* && cd readline*

Configure it to use ncurses, then make and install.

./configure --with-curses && make && make install

libmnl - Minimalistic user-space library for Netlink developers

Download, extact and enter source tree

wget && tar jxvf libmnl-* && cd libmnl-*

Configure, make and install

./configure && make && make install


Download, extract and enter source tree

wget && tar jxvf libnftnl* && cd libnftnl*

Configure make and install.

./configure && make && make install

Build and install nft

Download, extract and enter source tree.

wget && tar jxvf nftables*

Then configure, make and install

./configure && make && make install

Note that you can use --without-cli flag for the configure script, it will disable the interactive command line interface and the need of readline library.

Using nftables

First thing you can do, is to load the basic template tables for IPv4 networking, which can be found on the nft tool source tree, of course you can do it by hand, but remember that it is always a good idea do start simple.

Load IPv4 filter table definitions

nft -f files/nftables/ipv4-filter

Load NAT table

nft -f files/nftables/ipv4-nat

It is a good idea to load also mangle

nft -f files/nftables/ipv4-mangle

Now list your tables

nft list tables

Drop any new packet addressed to this machine

nft add rule filter input ct state new drop

Accept packets that are from ot related to established connections

nft add rule filter input ct state related,established accept

Most Linux systems runs OpenSSH, it is a good idea to accept connections to the TCP port 22, so you can access your SSH service.

nft insert rule filter input tcp port 22 accept

Now list you tables and take a look on how things are going

nft list table filter

Performing Network Address Translation (NAT)

Create a  rule to translate the IP address coming from the network and count it before sending.

nft add rule nat postrouting ip saddr counter masquerade

Take a look at your rules, this time append the '-a' flag to get more details and you will see

nft list table nat -a

Enable forwarding

You will also need to enable IP forwarding on the kernel

sysctl -w net.ipv4.ip_forward=1

To enable forwarding on startup, put the following sentence in the /etc/sysctl.conf file, which may need to be created on some distros.


You can also enable forwarding through the proc filesystem, run the following command to do so and put it at the end of an rc script like rc.local to enable forwarding on startup

echo 1 > /proc/sys/net/ipv4/ip_forward

Saving your tables

To save your settings, just redirect the output of the listing command to an file

Save filter table

nft list table filter -a > /etc/firewall.tables

Now append the nat table, note that we use the '>' two times.

nft list table nat -a >> /etc/firewall.tables

Then append mangle table

nft list table mangle -a >> /etc/firewall.tables

Now you just need to load this file when your system starts

nft -f /etc/firewall.tables


Your Linux machine is now able to serve internet, all you have to do now is to point your Linux machine as gateway for your devices to share your internet. Of course there is a lot of other details and features on nftables, but it should be enough for you to understand the basics, protect your systems, share internet and prepare to say goodbye to iptables and family.


Share This :

Free Linux Ebook to Download

Leave a Reply

Commenting Policy:
Promotion of your products ? Comment gets deleted.
All comments are subject to moderation.