Questions tagged as ['nftables']

packet filtering framework, userspace utility and compatibility layer for {ip,ip6}tables, developed as consolidated replacement for existing {ip,ip6,arp,eb}tables frameworks
Score: 0
How to add ipvs rule to nftables?

I want to do the equivalent of

iptables -t nat -A POSTROUTING -m ipvs --vaddr -j MASQUERADE

in nftables. The nftables wiki says ipvs is supported, but

add rule ip nat POSTROUTING ipvs vaddr masquerade

does not work. All other variations I have tried do not work either... When I add the rule using iptables and list all rules using nft, I get

vaddr counter packets 0 bytes 0 ma ...
Score: 1
What is UDP Masquerading behavior when forwarding and listening on the same port to the same remote address?

Assuming the following:

||netns2|<-kernel routing-> netnsRoot| <-network routing-> |remote server| 


  • is a network namespace
  • has a client that connects to the UDP server on UDP/5060


  • is the root network namespace (IE: typical linux routing)
  • has a client that connects to the UDP server on UDP/5060
  • Has ip_forward enabled and has a Masquerade rule for netns2


  • Onl ...
Score: 0
nobody
nftables natting with source IP

I have a server in a datacenter which is a Proxmox server. On the server (one of many, they are in a Proxmox cluster) I am hosting various VMs.

Services on the VMs are exposed through iptables (using ufw) natting like the following example:

-A PREROUTING -i eno1 -p tcp -d <public_ip> --dport 21 -j DNAT --to-destination <local_ip>:<port>
-A PREROUTING -i eno1 -p tcp -d <public_ip ...
Score: 0
How to open up traffic for ip protocol ESP via iptables?

I have been researching and wasn't able to find a definitive answer to the equivalent of below:

apt install nftables
nft add rule inet filter input ip protocol esp counter accept

in iptables?

Is it as simple as doing this below or is there more to it?

sudo iptables -A INPUT -p 50 -j ACCEPT
sudo iptables -A INPUT -p 51 -j ACCEPT


Score: 1
nftables produces unexpected message in syslog

I have the following nftables rule: log prefix "[nftables] output denied1: " ip daddr reject

In syslog I can see the message: [nftables] output denied1: IN= OUT=br0 SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=540 PROTO=ICMP TYPE=0 CODE=0 ID=2 SEQ=60848

Now I wonder how it is possible? In the syslog message there is DST=, but the rule shouldn't be used for  ...

Score: 0
How to Accelerate Firewalld or should it be abandoned for nftables instead?

We have a problem where we set up a server running a service and it is capable of hundreds of simultaneous connections on port 3535 (arbitrarily assigned for this application). We have firewalld running on this near-end-host allowing connections from the far-end host and that is all working fine. The problem we ran into is the far-end-host is only able to establish a few connections at a time and it i ...

Score: 2
iptables flushed on firewalld reload

I’m running on Rocky Linux (RHEL8 based) and am kind of struggling with firewalld and iptables. Well, not really iptables anyway… Let me explain.

I setup a K8S cluster on VMWare ESXi with six virtual machines, all the same. I need to have firewalld running, given this environment. I’m using Weave CNI, which is using iptables in order to create its networking rules.

Here are my initial findings: ...

Score: 3
Ricain
NFTABLE issue: IPv6 does not behave like IPv4 with mirror config

I have an issue with IPv6 on my server. I have nginx configured to listen on port 443 from IPv4 and IPv6. And it works great: my website is available from the Internet with TLS enabled.

Things get complicated when I activate nftables: when I am accessing my website from IPv4 it works, but when I access it from IPv6 connections time out :(

Output of sudo nft list ruleset:

table inet filter {
        chain INP ...
Score: 2
iptables/nftables: how to exclude all forwarded traffic from connection tracking on a router?

A Linux box has multiple network interfaces. IP forwarding is enabled for IPv4 and IPv6.

I would like to protect the services running on the router itself via a stateful firewall. For that, connection tracking needs to be enabled. At the same time, I would like to exclude all traffic that is forwarded from one interface to another from connection tracking.

For the stateful firewall, I would typical ...

Score: 0
S. Dev
Migrating iptables "recent" module to nftables

I'm looking for some help migrating some old iptables rules onto a system that is only using nftables.

iptables rules:

iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 30 --hitcount 10 --name test --mask --rsource -j DROP
iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --set --name test --mask --rsource

The nftables wiki suggests using S ...

Score: 0
nftables loopback connections not working in CentOS 7

I have removed firewalld and installed nftables in CentOS 7 (kernel 3.10.0-1160.42.2.el7.x86_64). My ruleset is as follows:

# nft list ruleset

table ip my_table {
        set ssh_evils {
                type ipv4_addr

        set sip_evils {
                type ipv4_addr

        set dialers {
                type ipv4_addr

        set sip_origins {
Score: 0
nftables read counters as non-root user

I have set up some firewall rules using nftables. They include some data counters for some types of traffic that I'm interested to monitor.

Now, I'd like to be able to have an application read those counters, ideally using libnftnl, running as a non-root user. But, initial testing with nft indicates that I can't read nftables counters as a non-root user.

As root:

$ nft list counter my_table my_counter
ta ...
Score: 0
How to redirect DNS request to a remote systemd-resolved?

I was trying to make systemd-resolved act as a remote DNS caching server (I know it is not intended to do so). I changed net.ipv4.conf.br0.route_localnet to 1 and added the following nftables rules:

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 100; policy accept;
        iif "br0" udp dport 53 counter packets 6 bytes 366 dnat to

    chain ...
Score: 1
TPROXY interferes DNAT port forwarding rules

I'm setting up TPROXY on my VyOS router to forward certain traffic to a local transparent proxy. It works pretty well, until I discovered that all of my DNAT port forwarding rules are no longer working (connection timeout when connecting from external network).


  • Router: (Proxy is running on 1234 port and adding SO_MARK with 0xff)
  • Internal Host: (Port 80 should be expo ...
Score: 0
kittygirl
`bad-setting (Reason: Unit nftables.service has a bad unit file...` when add `/etc/systemd/system` conf to nftables

System is Debian 10 with nftables.
I plan to make nftables auto restart when failed, script as below:

cat << EOF >> /etc/systemd/system/nftables.service.d/override.conf

systemctl daemon-reload

Output shows bad-setting:

systemctl status nftables.service

nftables.service - nftables
   Loaded: bad-setting (Reason: Unit nftables.service has  ...
Score: 1
Hosni
How to set MTU on a specific UDP connection?

Is there an iptables target to fragment packets? Let's say I have a packet with length 1280 and I want to split this packet into 5 smaller packets with a maximum length of 250. Is it possible to use a firewall in Linux (nftables, iptables) to fragment packets, or is there a way in general?

Can I use a virtual interface with a maximum MTU of 250 and let it deal with the UDP connection? If it is possible, how do I do that?

Score: 1
kittygirl
How to block network connection to all `root` process?

My system is Debian 10 with nftables.
Output of nethogs as below:

? root 
? root 
? root 
? root 
? root 
? root 
? root ...
Score: 0
kittygirl
Lots of ` kernel: [ ] output chain dropped: IN= OUT=enp0s31f6 ` in `/var/log/messages`

I already disabled IPv6 on mypc, a Debian 10 system; the firewall is nftables.
When I check /var/log/messages, lots of kernel: [ ] output chain dropped as below:

Jul 13 11:03:14 mypc kernel: [ 8206.745775] output chain dropped: IN= OUT=enp0s31f6 SRC=fe80:0000:0000:0000:cad3:ffff:fe6e:e23b DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=248793 PROTO=ICMPv6 TYPE=133 CODE=0 UID=0 GID= ...
Score: 1
keeplearningtogether
nftables - limit rate behavior (error or misusage ?)

I am trying to set up a firewall with nftables but I failed to understand and implement a simple rate limit based on the documentation I have found.

  • OS : Ubuntu 20.04 LTS
  • nftables version : 0.9.3 (Topsy)
  • kernel release: 5.8.0-53-generic

I have built the test firewall with the below sequence of commands:

nft 'add table inet testnetwork'
nft 'add chain inet testnetwork INPUT { type filter hook input prior ...
Score: 0
Remapping overlapping VPN Ranges (including DNS)

I have the following scenario, with a VPN connecting two companies together there is some overlap in the used private subnets.

So the solution I was trying to achieve is to remap the remote subnets to locally unused subnets.

e.g. 192.168.5.x => 10.100.3.x

There is also the issue with DNS name resolution, yet all remote vpn related DNS entries should be under some common DNS root (like external.examp ...

Score: 2
Configure my Linux as a router: how do I enable port forwarding with nftables?

I'm trying to configure my Gentoo Linux as a router.

This is my configuration so far.

WAN NIC is enp3s0 and LAN NIC is enp1s0f0

Accepting connections to ICMP, TCP ports 53, 22, 80, 443, 445, 5900 and UDP ports 53, 67, 68 from LAN

Accepting connection from SSH port 22 from WAN

These work great; what I failed to do is create port forwarding.

I am trying to set up that if a connection on port 222 comes in from ...

Score: 0
manabreak
nftables forwarding from wlan0 to eth0, but nothing happens

I have a Raspberry Pi that's connected to a wireless router with wlan0, and there's a server that's connected to the eth0. Both these connections work fine.

The eth0 between Pi and the server is statically configured so that Pi's eth0 has IP and the server has IP Pi's wlan0 has IP of

Now, I'm trying to do forwarding so that when connecting Pi's por ...