nftables is a common packet filtering and firewall rule management tool on Linux. If you only need device access control, traffic counters, port matching, or basic rate limiting, you do not need to learn the entire rule system at once. Start with three concepts:
table: a container for rules.chain: where rules are evaluated, usually attached to a hook.rule: the actual matching condition and action.
This article outlines a minimal workflow that is suitable for testing first in a safe environment.
Basic Structure
Prepare a few variables first. The following commands reuse them:
|
|
Create an inet table that supports both IPv4 and IPv6:
|
|
Then create a chain attached to the forward stage:
|
|
Here, type filter means this is a filtering rule chain, and hook forward means it processes forwarded packets.
Common Matching Methods
Match by source IP. This is usually useful for the upload direction:
|
|
Match by destination IP. This is usually useful for the download direction:
|
|
When matching by MAC address, ether saddr can be used to control upstream traffic:
|
|
Note that in networks involving bridging, forwarding, or address translation, downstream packets may not always be reliably filtered by destination MAC. For device access control, start by validating ether saddr or IP-based rules first.
To match ports, you can cover both TCP and UDP:
|
|
To match a port range, use a comparison expression:
|
|
Count Traffic for One Device
If you only want to count upload and download traffic for an IP address, use counter return. After a match, it records the counter and returns, which can reduce further matching overhead when more statistic rules exist later.
|
|
View the statistics:
|
|
If you need to see the handle for each rule, add -a:
|
|
handle is important because nftables usually relies on it to delete a single rule.
Basic Rate Limiting
Rate limiting can be done with limit rate over. For example, limit traffic over a specified rate by MAC address:
|
|
Here, mbytes and kbytes can be understood as the usual M and K units. You do not need to manually multiply by 8. In practice, start with a more relaxed value, confirm the matching direction and effect, then tighten it if needed.
Delete and Clean Up Rules
First list rules with handle values:
|
|
Then delete a rule by handle:
|
|
Flush a chain:
|
|
Delete a chain:
|
|
Delete the entire table:
|
|
During daily debugging, only clean up the table you created yourself. Avoid directly changing tables automatically generated by the system or other services. This makes rollback easier even if a rule is written incorrectly.
Usage Notes
When using nftables, it is often safer to create your own independent table and chain first. This has two benefits:
- Your rules are less likely to mix with existing system rules.
- Debugging, flushing, and deletion are safer.
After writing rules, always use nft list chain to check actual matching behavior. MAC, interface, port, and rate-limit rules may behave differently across devices, bridge setups, and system versions. Small-scope testing is safer than writing complex rules all at once.