"nftables" and "nft" on CentOS

This section provides a tutorial example on how to use 'nftables' daemon and 'nft' CLI to manage network firewall on CentOS 8 systems.

The best tool to manage the network firewall on CentOS systems is the "firewall-cmd" frontend tool. But if you want to use the backend tool, you can follow this tutorial to use the "nftables" daemon and "nft" command.

1. Make sure that I have the latest version of "nftables" installed with the "dnf info" command:

herong$ sudo dnf info nftables

Installed Packages
Name         : nftables
Epoch        : 1
Version      : 0.9.0
Release      : 14.el8
Architecture : x86_64
Size         : 848 k
Source       : nftables-0.9.0-14.el8.src.rpm
Repository   : @System
From repo    : anaconda
Summary      : Netfilter Tables userspace utilities
URL          : http://netfilter.org/projects/nftables/
License      : GPLv2
Description  : Netfilter Tables userspace utilities.

2. Make sure that "nftables" service is running with the "systectl status" command:

herong$ sudo systemctl status nftables
nftables.service - Netfilter Tables
   Loaded: loaded (/usr/lib/systemd/system/nftables.service; disabled;
           vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:nft(8)

herong$ sudo systemctl enable nftables
Created symlink /etc/systemd/system/multi-user.target.wants/nftables.service ...

herong$ sudo systemctl start nftables

herong$ sudo systemctl status nftables
nftables.service - Netfilter Tables
  Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; ...
  Active: active (exited)
    Docs: man:nft(8)
 Process: 5226 ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
Main PID: 5226 (code=exited, status=0/SUCCESS)

3. List all rule tables with the "nft" command.

herong$ sudo nft list tables

table ip filter
table ip6 filter
table bridge filter
table ip security
table ip raw
table ip mangle
table ip nat
table ip6 security
table ip6 raw
table ip6 mangle
table ip6 nat
table bridge nat
table inet firewalld
table ip firewalld
table ip6 firewalld

4. List all rules in the "ip/firewalld" table with the "nft" command.

herong$ sudo nft list table ip firewalld | more

table ip firewalld {
  chain nat_PREROUTING {
    type nat hook prerouting priority -90; policy accept;

  chain nat_PREROUTING_ZONES {
    iifname "virbr0" goto nat_PRE_libvirt
    iifname "eno1" goto nat_PRE_public
    goto nat_PRE_public

  chain nat_POSTROUTING {
    type nat hook postrouting priority 110; policy accept;

    oifname "virbr0" goto nat_POST_libvirt
    oifname "eno1" goto nat_POST_public
    goto nat_POST_public

  chain nat_PRE_public {

As you can see, the syntax of firewall security rules used by "nft" is more complicated than the "firewall-cmd".

Table of Contents

 About This Book

 Introduction to Linux Systems

 Cockpit - Web Portal for Administrator

 Process Management

 Files and Directories

 Users and Groups

 File Systems

 Block Devices and Partitions

 LVM (Logical Volume Manager)

 Installing CentOS

 SELinux - Security-Enhanced Linux

Network Connection on CentOS

 Setup Ethernet Connection on CentOS

 Network Firewall Tools on CentOS

 "firewalld" and "firewall-cmd" on CentOS

 Manage Multiple Firewall Zones

"nftables" and "nft" on CentOS

 "iptables" Command on CentOS

 "nmap" - Network Mapper on CentOS

 Monitor Network Services on CentOS

 "ifconfig" - Trace Routes to Remote Host

 "traceroute" - Trace Routes to Remote Host

 "route" - Upate Routing Table

 "netstat" - Display Network Statistics

 "lsof" - List of Open Files

 Internet Networking Tools

 SSH Protocol and ssh/scp Commands

 Software Package Manager on CentOS - DNF and YUM

 vsftpd - Very Secure FTP Daemon

 LDAP (Lightweight Directory Access Protocol)

 Administrative Tasks


 Full Version in PDF/EPUB