The nftables framework is the modern firewall subsystem in the Linux kernel, and learning how to nftables configure ubuntu 26.04 systems gives you direct, fine-grained control over network traffic filtering. While UFW provides a simplified frontend, nftables operates at a lower level, offering capabilities such as NAT, port forwarding, and complex rule matching that UFW cannot express. This guide walks you through nftables architecture, rule creation, NAT configuration, and persistence on Ubuntu 26.04.
In this tutorial you will learn:
- How nftables relates to iptables and UFW on Ubuntu 26.04
- How to create tables, chains, and filtering rules with
nft - How to build a complete server firewall ruleset from scratch
- How to configure source NAT (masquerade) and destination NAT (port forwarding)
- How to persist your nftables configuration across reboots
Software Requirements
| Category | Requirements, Conventions or Software Version Used |
|---|---|
| System | Ubuntu 26.04 Resolute Raccoon |
| Software | nftables (nft) 1.1.6+ |
| Other | Privileged access to your Linux system as root or via the sudo command. |
| Conventions | # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command$ – requires given linux commands to be executed as a regular non-privileged user |
nft command to create tables, chains, and rules directly.
| Step | Command/Action |
|---|---|
| 1. Install and enable nftables | sudo apt install nftables && sudo systemctl enable --now nftables |
| 2. Create a filtering table and chains | sudo nft add table inet linuxconfig_filter |
| 3. Add firewall rules | sudo nft add rule inet linuxconfig_filter input tcp dport {22, 80, 443} accept |
| 4. Save rules persistently | sudo nft list ruleset > /etc/nftables.conf |
Understanding nftables on Ubuntu 26.04
nftables is the packet classification framework that replaced iptables in the Linux kernel starting with version 3.13. Ubuntu adopted nftables as its default firewall backend beginning with Ubuntu 20.10, and Ubuntu 26.04 continues this approach. When you run iptables commands on a modern Ubuntu system, they are actually translated to nftables rules behind the scenes through a compatibility layer called iptables-nft.
The relationship between nftables and UFW is straightforward: UFW is a user-friendly frontend that generates nftables rules automatically. For basic port allow/deny scenarios, UFW is sufficient. However, when you need advanced capabilities such as NAT, port forwarding, rate limiting with fine-grained thresholds, custom chain jumping, or packet mangling, working with nftables directly is necessary.
Key advantages of nftables over the legacy iptables include a unified syntax for IPv4 and IPv6 (using the inet family), atomic rule replacement, built-in sets and maps for efficient matching, and a cleaner rule format. Consequently, understanding nftables is essential for advanced firewall administration on Ubuntu 26.04.
IMPORTANT
If UFW is currently active on your system, it manages nftables rules on your behalf. Running both UFW and custom nftables rules simultaneously can lead to conflicts. Disable UFW with sudo ufw disable before configuring nftables directly, or choose one approach for your firewall management.
Installing and Enabling nftables on Ubuntu 26.04
Ubuntu 26.04 includes nftables in the default installation. Nevertheless, if the package is missing or you need to confirm its presence, the following steps ensure nftables is installed and running.
- Install the nftables package: Run the following command to install nftables along with its userspace utility:
$ sudo apt update $ sudo apt install nftables
This installs the
nftcommand-line tool and the systemd service unit. - Enable and start the nftables service: The nftables systemd service loads the ruleset from
/etc/nftables.confat boot:$ sudo systemctl enable --now nftables
This both enables the service for future boots and starts it immediately.
- Verify the nft version: Confirm that the
nftutility is available and check its version:$ nft --version
- Check kernel support: Verify that the nftables kernel modules are loaded:
$ lsmod | grep nf_tables
You should see
nf_tableslisted along with related modules. If no output appears, load the module manually withsudo modprobe nf_tables.
nftables Architecture: Tables, Chains, and Rules
Before creating firewall rules, it is important to understand the three-tier structure that nftables uses to organize packet filtering. This architecture differs significantly from iptables, which has predefined tables and chains.
Tables
A table is the top-level container in nftables. Unlike iptables, where tables like filter, nat, and mangle are predefined, nftables lets you create tables with any name. Each table belongs to an address family that determines which traffic it processes:
| Family | Description |
|---|---|
inet |
Handles both IPv4 and IPv6 traffic (recommended for most use cases) |
ip |
IPv4 traffic only |
ip6 |
IPv6 traffic only |
arp |
ARP traffic |
bridge |
Bridge-level traffic (layer 2) |
For most server and desktop firewalls, the inet family is the best choice because it applies rules to both IPv4 and IPv6 with a single ruleset.
Chains
Chains live inside tables and hold the actual rules. There are two kinds of chains in nftables:
Base chains are attached to a netfilter hook and therefore receive packets from the kernel. When creating a base chain, you specify its type, hook point, and priority. The most common hook points are:
| Hook | Purpose |
|---|---|
input |
Packets destined for the local machine |
output |
Packets originating from the local machine |
forward |
Packets routed through the machine (not for local delivery) |
prerouting |
Packets arriving before routing decisions (used for DNAT) |
postrouting |
Packets leaving after routing decisions (used for SNAT/masquerade) |
Regular chains are not attached to a hook. They serve as jump targets from other chains, functioning similarly to user-defined chains in iptables.
Rules
Rules are the individual match-and-action statements inside a chain. Each rule consists of expressions that match packet properties (source address, destination port, protocol, etc.) followed by a verdict such as accept, drop, reject, or jump. Rules are evaluated in order, and the first matching rule determines the packet’s fate unless the chain has a default policy.
Creating a Basic nftables Firewall Ruleset on Ubuntu 26.04
This section builds a complete server firewall from scratch using nftables on Ubuntu 26.04. The ruleset allows SSH, HTTP, and HTTPS while dropping all other incoming traffic.
- Flush any existing rules: Start with a clean slate by removing all current nftables rules:
$ sudo nft flush ruleset
This removes every table, chain, and rule currently loaded.
- Create the filter table: Create an
inetfamily table that handles both IPv4 and IPv6:$ sudo nft add table inet linuxconfig_filter
- Create the input chain: Add a base chain attached to the
inputhook with a default policy ofdrop:$ sudo nft add chain inet linuxconfig_filter input '{ type filter hook input priority 0; policy drop; }'The
policy dropmeans any packet that does not match an explicit rule will be silently discarded. - Create the forward chain: Add a forward chain, also with a drop policy:
$ sudo nft add chain inet linuxconfig_filter forward '{ type filter hook forward priority 0; policy drop; }' - Create the output chain: Add an output chain with an accept policy to allow all outbound traffic:
$ sudo nft add chain inet linuxconfig_filter output '{ type filter hook output priority 0; policy accept; }' - Allow established and related connections: This critical rule permits return traffic for connections your system initiated:
$ sudo nft add rule inet linuxconfig_filter input ct state established,related accept
- Allow loopback traffic: Local processes communicating via the loopback interface must be permitted:
$ sudo nft add rule inet linuxconfig_filter input iifname "lo" accept
- Allow ICMP: Permit ping and other ICMP messages for network diagnostics:
$ sudo nft add rule inet linuxconfig_filter input ip protocol icmp accept $ sudo nft add rule inet linuxconfig_filter input ip6 nexthdr icmpv6 accept
- Allow SSH, HTTP, and HTTPS: Open the ports for common services using an nftables set:
$ sudo nft add rule inet linuxconfig_filter input tcp dport { 22, 80, 443 } acceptThe curly braces define an anonymous set, allowing you to match multiple ports in a single rule. This is more efficient than creating separate rules for each port.
- Verify the ruleset: List all rules to confirm the configuration:
$ sudo nft list ruleset
SECURITY ALERT
Always add an SSH allow rule before setting the input chain policy to drop on a remote server. If you flush rules and set a drop policy without allowing SSH first, you will lock yourself out immediately. Consider running these commands as a script or within a single nftables configuration file to apply them atomically.
The complete ruleset, when listed with sudo nft list ruleset, should look similar to this:
Managing nftables Rules
Once your firewall is running, you will need to add, modify, and remove rules as your requirements change. The nft command provides several operations for managing rules on Ubuntu 26.04.
Listing Rules
To view all currently loaded rules across all tables:
$ sudo nft list ruleset
To list rules for a specific table only:
$ sudo nft list table inet linuxconfig_filter
To list rules within a specific chain:
$ sudo nft list chain inet linuxconfig_filter input
Using Rule Handles
Rule handles are unique numeric identifiers assigned to each rule. They are essential for inserting rules at specific positions or deleting individual rules. To display handles alongside rules:
$ sudo nft -a list chain inet linuxconfig_filter input
The output includes a # handle N comment after each rule, where N is the handle number.
Adding and Inserting Rules
The add command appends a rule at the end of a chain:
$ sudo nft add rule inet linuxconfig_filter input tcp dport 8080 accept
The insert command places a rule at the beginning of a chain:
$ sudo nft insert rule inet linuxconfig_filter input tcp dport 8443 accept
To insert a rule at a specific position, use a handle reference. For example, to add a rule immediately after handle 7:
$ sudo nft add rule inet linuxconfig_filter input position 7 tcp dport 3306 accept
Deleting Rules
Delete a specific rule by its handle number. First list the handles, then delete:
$ sudo nft -a list chain inet linuxconfig_filter input $ sudo nft delete rule inet linuxconfig_filter input handle 12
Replace 12 with the actual handle number of the rule you want to remove.
Flushing Rules
To remove all rules from a specific chain without deleting the chain itself:
$ sudo nft flush chain inet linuxconfig_filter input
To remove all rules from all chains in a table:
$ sudo nft flush table inet linuxconfig_filter
To flush the entire ruleset (all tables, all chains, all rules):
$ sudo nft flush ruleset
IMPORTANT
Flushing the entire ruleset removes all firewall protections instantly. On a remote server, ensure you have out-of-band access (console, IPMI) before flushing rules, or prepare a replacement ruleset to apply immediately after the flush.
Configuring NAT and Port Forwarding with nftables
Network Address Translation (NAT) is one of the primary reasons administrators choose nftables directly over UFW, which has limited NAT support. nftables handles both source NAT (SNAT/masquerade) for sharing an internet connection and destination NAT (DNAT) for port forwarding.
Enabling IP Forwarding
Before configuring NAT, you must enable IP forwarding in the kernel. This allows the system to route packets between network interfaces:
$ sudo sysctl -w net.ipv4.ip_forward=1
To make this permanent, add or uncomment the following line in /etc/sysctl.conf:
net.ipv4.ip_forward=1
Then apply the change:
$ sudo sysctl -p
Source NAT (Masquerade)
Masquerade is the most common form of source NAT. It rewrites the source address of outbound packets to the address of the outgoing interface, allowing machines on a private network to access the internet through your Ubuntu 26.04 system.
- Create a NAT table:
$ sudo nft add table inet linuxconfig_nat
- Create the postrouting chain: This chain processes packets after the routing decision:
$ sudo nft add chain inet linuxconfig_nat postrouting '{ type nat hook postrouting priority 100; }' - Add the masquerade rule: Replace
eth0with your actual outgoing interface name:$ sudo nft add rule inet linuxconfig_nat postrouting oifname "eth0" masquerade
This rewrites the source address on all packets leaving through
eth0.
Additionally, update the forward chain in your filter table to allow forwarded traffic from the internal network:
$ sudo nft add rule inet linuxconfig_filter forward ct state established,related accept $ sudo nft add rule inet linuxconfig_filter forward iifname "eth1" oifname "eth0" accept
Replace eth1 with your internal-facing interface.
Destination NAT (Port Forwarding)
Destination NAT redirects incoming traffic on a specific port to a different internal host and port. For example, to forward external traffic arriving on port 8080 to an internal server at 192.168.1.100 on port 80:
- Create the prerouting chain: This chain processes packets before the routing decision:
$ sudo nft add chain inet linuxconfig_nat prerouting '{ type nat hook prerouting priority -100; }' - Add the DNAT rule:
$ sudo nft add rule inet linuxconfig_nat prerouting tcp dport 8080 dnat ip to 192.168.1.100:80
- Allow the forwarded traffic: Ensure your forward chain permits this traffic:
$ sudo nft add rule inet linuxconfig_filter forward ip daddr 192.168.1.100 tcp dport 80 accept
Making nftables Rules Persistent on Ubuntu 26.04
By default, nftables rules exist only in memory and are lost after a reboot. The nftables.service systemd unit loads rules from /etc/nftables.conf at boot, so saving your ruleset to this file ensures persistence.
- Export the current ruleset: Write the running configuration to the nftables configuration file:
$ sudo sh -c 'nft list ruleset > /etc/nftables.conf'
The
sh -cwrapper is necessary because the redirect needs root privileges to write to/etc/nftables.conf. - Add the shebang line: The configuration file requires an interpreter directive at the top. Open
/etc/nftables.confand ensure the first line reads:#!/usr/sbin/nft -f
If this line is missing, add it before the table definitions. Additionally, add a
flush rulesetline immediately after the shebang to ensure a clean state on load:#!/usr/sbin/nft -f flush ruleset
- Verify the service is enabled: Confirm the nftables service will start at boot:
$ sudo systemctl enable nftables $ sudo systemctl status nftables
- Test the configuration: Validate the configuration file syntax without applying it:
$ sudo nft -c -f /etc/nftables.conf
The
-cflag performs a dry run, checking for syntax errors without modifying the running ruleset. - Reload the ruleset from file: To apply the saved configuration without rebooting:
$ sudo systemctl restart nftables
Alternatively, load the file directly:
$ sudo nft -f /etc/nftables.conf
COMPLETED
Your nftables firewall configuration is now persistent. The ruleset in /etc/nftables.conf will be automatically loaded every time your Ubuntu 26.04 system boots.
A complete /etc/nftables.conf file combining the filter and NAT rules from this guide looks like this:
#!/usr/sbin/nft -f
flush ruleset
table inet linuxconfig_filter {
chain input {
type filter hook input priority filter; policy drop;
ct state established,related accept
iifname "lo" accept
ip protocol icmp accept
ip6 nexthdr icmpv6 accept
tcp dport { 22, 80, 443 } accept
}
chain forward {
type filter hook forward priority filter; policy drop;
ct state established,related accept
}
chain output {
type filter hook output priority filter; policy accept;
}
}
table inet linuxconfig_nat {
chain postrouting {
type nat hook postrouting priority 100;
oifname "eth0" masquerade
}
chain prerouting {
type nat hook prerouting priority -100;
tcp dport 8080 dnat ip to 192.168.1.100:80
}
}
nftables vs UFW: When to Use Each
Choosing between nftables and UFW depends on your specific requirements. The following comparison helps you decide which approach is appropriate for your Ubuntu 26.04 system.
| Feature | nftables (nft) | UFW |
|---|---|---|
| Complexity | Steeper learning curve, more verbose syntax | Simple, human-readable commands |
| NAT support | Full SNAT, DNAT, masquerade | Limited (requires manual iptables rules in /etc/ufw/before.rules) |
| Port forwarding | Native support | Requires manual configuration |
| IPv4/IPv6 | Unified with inet family |
Managed separately (ip/ip6 rules) |
| Sets and maps | Native support for efficient multi-value matching | Not available |
| Rate limiting | Fine-grained with limit rate |
Basic via ufw limit (fixed at 6 connections in 30 seconds) |
| Application profiles | Not available (manual rule creation) | Built-in application profiles |
| Atomic rule loading | Yes (entire ruleset applied at once) | Rules applied sequentially |
| Best for | Routers, gateways, complex multi-interface setups, advanced filtering | Simple server/desktop firewalls, quick port allow/deny |
In practice, use UFW when you simply need to open or close ports on a single-interface server. Choose nftables when you need NAT, port forwarding, complex routing rules, or multi-interface firewall configurations.
Conclusion
You have learned how to configure nftables on Ubuntu 26.04, from understanding the table-chain-rule architecture to building a complete firewall, configuring NAT and port forwarding, and persisting your rules across reboots. nftables provides the power and flexibility needed for advanced network configurations that go beyond what UFW offers.
Remember to always test rule changes carefully, maintain SSH access rules to avoid lockouts on remote systems, and keep your /etc/nftables.conf file updated after making changes. For further details on nftables syntax and advanced features, consult the official nftables wiki.
Frequently Asked Questions
- Can I use nftables and UFW at the same time? It is technically possible since UFW generates nftables rules, but it is not recommended. UFW manages its own tables and chains, and adding custom nftables rules alongside UFW can create conflicts or unexpected behavior. Choose one approach and use it consistently. If you need nftables features, disable UFW with
sudo ufw disablefirst. - How do I block a specific IP address with nftables? Add a drop rule at the beginning of your input chain targeting the IP address. For example:
sudo nft insert rule inet linuxconfig_filter input ip saddr 203.0.113.50 drop. Usinginsertrather thanaddplaces the rule at the top of the chain, ensuring it is evaluated before any accept rules. - How do I implement rate limiting with nftables? Use the
limit rateexpression within a rule. For example, to limit incoming SSH connections to 3 per minute:sudo nft add rule inet linuxconfig_filter input tcp dport 22 ct state new limit rate 3/minute accept. Packets exceeding the rate fall through to the chain’s default policy, which should bedrop. - Will my nftables rules survive a system reboot? Only if you save them to
/etc/nftables.confand thenftables.serviceis enabled. After making changes, always export the running ruleset withsudo sh -c 'nft list ruleset > /etc/nftables.conf'and ensure the file starts with#!/usr/sbin/nft -fandflush ruleset. - How do I migrate existing iptables rules to nftables? Ubuntu provides the
iptables-translatetool that converts iptables commands to nftables syntax. Runiptables-translatefollowed by your iptables rule to see its nftables equivalent. For example:iptables-translate -A INPUT -p tcp --dport 22 -j ACCEPTproduces the correspondingnftcommand. You can also export entire iptables rulesets withiptables-save | iptables-restore-translate.
PakarPBN
A Private Blog Network (PBN) is a collection of websites that are controlled by a single individual or organization and used primarily to build backlinks to a “money site” in order to influence its ranking in search engines such as Google. The core idea behind a PBN is based on the importance of backlinks in Google’s ranking algorithm. Since Google views backlinks as signals of authority and trust, some website owners attempt to artificially create these signals through a controlled network of sites.
In a typical PBN setup, the owner acquires expired or aged domains that already have existing authority, backlinks, and history. These domains are rebuilt with new content and hosted separately, often using different IP addresses, hosting providers, themes, and ownership details to make them appear unrelated. Within the content published on these sites, links are strategically placed that point to the main website the owner wants to rank higher. By doing this, the owner attempts to pass link equity (also known as “link juice”) from the PBN sites to the target website.
The purpose of a PBN is to give the impression that the target website is naturally earning links from multiple independent sources. If done effectively, this can temporarily improve keyword rankings, increase organic visibility, and drive more traffic from search results.
