“nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. It has been available since Linux kernel 3.13 released on 19 January 2014. nftables is supposed to replace certain parts of netfilter, while keeping and reusing most of it.”


edit /etc/nftables.conf

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		# accept any localhost traffic
		iif lo accept
		# accept traffic originated from us
		ct state established,related accept
		# drop invalid packets
		ct state invalid counter drop
		# accept ssh, http, https and 8080
		tcp dport { 22, 80, 443, 8080 } accept
		# accept icmp (IPv4) and icmpv6; without icmpv6, IPv6 neighbour discovery breaks
		ip protocol icmp accept
		meta l4proto ipv6-icmp accept
		# count and reject everything else
		counter reject with icmpx type admin-prohibited
	}

	chain forward {
		type filter hook forward priority 0; policy drop;
	}

	chain output {
		type filter hook output priority 0; policy accept;
	}
}
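Because the input chain above has `policy drop`, a typo in the file can lock you out of a remote host the moment it is loaded. The following is an added example, not part of the original page, showing how a practitioner would roll such a file out safely: a cheap brace-balance check that needs no `nft` binary, a dry-run syntax check with `nft -c -f`, and an apply step that restores the previous ruleset automatically unless it is confirmed within a timeout. It assumes the `nft` command from the nftables package is on the host and uses `/run/nft-rollback.pid` as an assumed, hypothetical location for the rollback timer's PID.

```shell
#!/bin/sh
# Added example for rolling out /etc/nftables.conf (not from the original page).
# Assumes: nft (nftables userspace), POSIX sh, and write access to /run.
set -eu

RULESET="${RULESET:-/etc/nftables.conf}"
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"
PIDFILE="${PIDFILE:-/run/nft-rollback.pid}"   # assumed location, not an nftables convention

# Structural check that needs no nft binary: every '{' must have a matching '}'.
# Exit status 0 when balanced, 1 otherwise.
braces_balanced() {
	[ $(tr -cd '{' < "$1" | wc -c) -eq $(tr -cd '}' < "$1" | wc -c) ]
}

# Parse the file with nft itself (-c = check only, nothing is loaded).
check_ruleset() {
	braces_balanced "$1" || { echo "unbalanced braces in $1" >&2; return 1; }
	nft -c -f "$1"
}

# Snapshot the live ruleset (prefixed with 'flush ruleset' so it reloads cleanly),
# load the new file, and start a timer that restores the snapshot unless confirmed.
apply_with_rollback() {
	backup=$(mktemp)
	{ echo "flush ruleset"; nft list ruleset; } > "$backup"
	nft -f "$1"
	( sleep "$ROLLBACK_SECS" && nft -f "$backup" && echo "rolled back to $backup" >&2 ) &
	echo $! > "$PIDFILE"
	echo "applied $1; run confirm_ruleset within ${ROLLBACK_SECS}s or the old ruleset returns"
}

# Called from a fresh session once you have verified you can still log in.
confirm_ruleset() {
	kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
	echo "ruleset confirmed"
}

# Usage (run as root):
#   check_ruleset "$RULESET" && apply_with_rollback "$RULESET"
#   # ... open a new ssh session to prove access still works, then:
#   confirm_ruleset
```

Killing the background subshell before its `sleep` finishes means the `nft -f "$backup"` after it never runs, so confirming simply cancels the restore; if the new ruleset cut your session, the timer fires and the previous rules come back without any intervention.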