How to Install nftables on Ubuntu 26.04, 24.04 and 22.04

Install nftables on Ubuntu 26.04, 24.04, and 22.04 with APT, then configure firewall rules, service checks, SSH safety, and removal.

Author: Joshua James | Read time: 8 min | Guide type: Ubuntu

Direct firewall control is useful when UFW feels too limited, especially on servers that need precise IPv4 and IPv6 rules, counters, or a ruleset you can review as one file. To install nftables on Ubuntu, use the distro package named nftables, then load your persistent rules through the packaged nftables.service unit.

Ubuntu 26.04, 24.04, and 22.04 all package the nft userspace utility and a disabled-by-default systemd service. The safer path is to install or verify the package first, build a ruleset that keeps remote access open, check the syntax, and only then enable the service.

Install nftables on Ubuntu

Many Ubuntu systems already include nftables because it is a standard package from Ubuntu’s main repository. Start with a version check so you know whether the nft command is already available.

Check for nftables on Ubuntu

nft --version

Ubuntu 26.04 currently reports output similar to this:

nftables v1.1.6 (Commodore Bullmoose #7)

Ubuntu 24.04 and 22.04 show older nftables version strings, which is normal for their release branches. If the shell reports that nft is missing, install the package with APT.

Update Ubuntu Before Installing nftables

Refresh package metadata from the enabled APT sources before installing or reinstalling the package.

sudo apt update

These commands use sudo for package and firewall tasks that need root privileges. If your user is not in the sudoers file yet, use the root account or add the user to sudoers on Ubuntu first.

Install nftables with APT

Install the Ubuntu package. If it is already present, APT confirms that the current package is installed and leaves the system unchanged.

sudo apt install nftables

Verify the nftables Service on Ubuntu

The package installs /usr/sbin/nft, /etc/nftables.conf, and nftables.service. On a fresh install, the service is usually disabled and inactive until you configure and enable it.

nft --version
systemctl is-enabled nftables.service
systemctl is-active nftables.service

Expected service state before activation:

nftables v1.1.6 (Commodore Bullmoose #7)
disabled
inactive

The version line changes by Ubuntu release. The important part is that the nft command exists and the service is not yet enforcing a custom ruleset.

Configure nftables Firewall Rules on Ubuntu

Use one firewall manager for the same host ruleset. Ubuntu’s nftables security documentation notes that UFW works through the iptables compatibility tools, so running UFW and native nftables rules at the same time can create confusing or unsafe rule interactions.

Check for Active UFW Rules on Ubuntu

Check UFW before enabling native nftables. If UFW is active, recreate the needed allow rules in /etc/nftables.conf, then disable UFW only after you have a tested replacement.

if command -v ufw >/dev/null; then
    sudo ufw status
else
    echo "ufw is not installed"
fi

Typical output when UFW is present but not enforcing rules:

Status: inactive

If you prefer a simpler interface for host firewall rules, stay with UFW firewall configuration on Ubuntu instead of managing native nft syntax directly.

Back Up the Current nftables Configuration

Save the package’s current configuration before replacing it. This gives you a quick rollback file if a rule blocks access or the service fails to reload.

sudo cp /etc/nftables.conf /etc/nftables.conf.backup

Write a Basic nftables Firewall for Ubuntu

If you are connected through SSH, confirm the correct SSH port before enabling this ruleset. The example allows 22/tcp. Replace that port before activation if your SSH service uses a custom port; the guide to enable SSH on Ubuntu covers listener checks and firewall access.

Replace /etc/nftables.conf with a conservative host firewall. It accepts loopback traffic, established connections, ICMP and ICMPv6, DHCP client replies for systems that receive network settings dynamically, and inbound SSH on port 22. New inbound traffic that does not match a rule is dropped.

sudo tee /etc/nftables.conf >/dev/null <<'EOF'
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        iifname "lo" accept
        ct state established,related accept

        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept

        udp sport 67 udp dport 68 accept
        udp sport 547 udp dport 546 accept

        tcp dport 22 accept

        counter drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
EOF

The DHCP rules keep IPv4 and IPv6 lease renewal working on hosts that depend on dynamic addressing. The final counter drop rule is not required for dropping packets because the chain policy already drops unmatched inbound traffic. It adds packet and byte counters so you can see traffic that reached the end of the input chain.

Test the nftables Configuration on Ubuntu

Check the ruleset syntax without applying it. The -c option validates the file and exits before changing the live firewall.

sudo nft -c -f /etc/nftables.conf && echo "nftables syntax OK"

Expected output from a valid file:

nftables syntax OK

Enable nftables on Ubuntu

Enabling a default-deny firewall over SSH can lock you out if the active SSH port is missing from the ruleset. Keep a provider console, local console, or another recovery path available before activating new firewall rules on a remote server.

Enable and start the service after the syntax check passes. The service loads /etc/nftables.conf during startup and reloads the same file later.

sudo systemctl enable --now nftables.service

Confirm the service is enabled and active:

systemctl is-enabled nftables.service
systemctl is-active nftables.service

Expected output once the service is running:

enabled
active

nftables.service is a oneshot service with RemainAfterExit, so active means the ruleset loaded successfully and systemd is tracking the service as active.

List the Active nftables Ruleset

Review the live ruleset after activation so you can confirm the file loaded as expected.

sudo nft list ruleset

Relevant output from the ruleset above includes:

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        udp sport 67 udp dport 68 accept
        udp sport 547 udp dport 546 accept
        tcp dport 22 accept
        counter packets 0 bytes 0 drop
    }
}

Open Additional Ports with nftables on Ubuntu

Persistent rules belong in /etc/nftables.conf. One-off commands such as sudo nft add rule ... can be useful while testing, but they disappear after a service reload unless you also save them in the configuration file.

The nftables wiki quick reference is useful when you need deeper syntax, but most host-firewall edits combine a protocol, optional source address, destination port, and verdict. Add persistent rule lines inside the input chain before the final counter drop, then validate and reload the file.

Each short block shows the new rule followed by the existing final counter drop line to make placement clear. Keep one final drop rule in the chain instead of duplicating it after every service rule.

Allow HTTP and HTTPS with nftables

For a web server, add the HTTP and HTTPS rule inside the input chain before the final counter drop rule.

        tcp dport { 80, 443 } accept
        counter drop

That rule opens TCP ports 80 and 443 only. If your web server also uses a separate UDP service, such as a QUIC listener, add a separate UDP rule for that port instead of assuming the TCP rule covers it.

Limit a Service to a Trusted Network with nftables

For private admin panels, databases, or monitoring ports, restrict the source network instead of opening the service to every address. Replace the subnet and port with values that match your network.

        ip saddr 192.168.1.0/24 tcp dport 5432 accept
        counter drop

This rule matches IPv4 clients from 192.168.1.0/24 only. For IPv6 services, add a separate ip6 saddr rule with your trusted IPv6 prefix.

Allow UDP Services with nftables

UDP services need their own rules because TCP and UDP are different protocols. A WireGuard listener on port 51820 would use this line:

        udp dport 51820 accept
        counter drop

If a host intentionally runs a service that listens on both TCP and UDP, such as DNS on port 53, add one rule for each protocol.

        tcp dport 53 accept
        udp dport 53 accept
        counter drop

Log Dropped Packets with nftables

When troubleshooting blocked traffic, add a rate-limited log rule immediately before the final drop counter. Keep the limit low on public servers because drop logging can become noisy.

        limit rate 5/minute counter log prefix "nft-drop: " drop
        counter drop

The logging rule records a small sample of packets that would otherwise reach the default drop path. Packets beyond the rate limit still reach the final counter drop rule.

Allow a Custom SSH Port with nftables

If OpenSSH listens on a custom port, change the SSH rule before enabling or reloading the firewall. Replace 2222 with the real port.

        tcp dport 2222 accept

Keep the old and new SSH ports allowed during a migration only if both listeners are intentionally reachable. After confirming the new port works from a separate terminal, remove the old SSH rule and reload the service.

Reload nftables After Editing Rules

Validate the file first, then reload the service so systemd applies the same persistent configuration it will load at boot.

sudo nft -c -f /etc/nftables.conf
sudo systemctl reload nftables.service

Check the active ruleset again after the reload:

sudo nft list ruleset
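The lockout risk described under Enable nftables, together with the backup step earlier in this guide, is worth automating for remote hosts. The script below is an added example, not code from the LinuxCapable guide: it syntax-checks the edited file, snapshots the live ruleset, loads the file, and restores the snapshot after a delay unless you confirm from a session that still connects. The NFT, CONF and SNAPSHOT variables and the nft_* function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): apply an edited /etc/nftables.conf with
# an automatic rollback so a bad rule cannot lock a remote session out for good.
# Flow: syntax-check the file, snapshot the live ruleset, load the file, then a
# background timer restores the snapshot unless nft_confirm runs in time.
# Hypothetical assumptions: NFT, CONF and SNAPSHOT may be overridden for testing.
NFT="${NFT:-nft}"
CONF="${CONF:-/etc/nftables.conf}"
SNAPSHOT="${SNAPSHOT:-/run/nftables.rollback.nft}"

# Parse-only check (nft -c); exits non-zero without touching the live firewall.
nft_check() {
    "$NFT" -c -f "$1"
}

# Dump the live ruleset as a file that "nft -f" can load again; the leading
# "flush ruleset" makes the restore replace, rather than merge with, the new rules.
nft_snapshot() {
    { echo "flush ruleset"; "$NFT" list ruleset; } > "$SNAPSHOT"
}

# Load CONF now and restore SNAPSHOT after $1 seconds if still unconfirmed.
# Returns 1 and changes nothing when the syntax check fails.
nft_apply_with_rollback() {
    delay="$1"
    nft_check "$CONF" || { echo "refusing to apply: syntax check failed" >&2; return 1; }
    nft_snapshot || return 1
    "$NFT" -f "$CONF" || return 1
    touch "$SNAPSHOT.pending"
    (
        trap '' HUP   # keep the timer alive if the SSH session itself dies
        sleep "$delay"
        if [ -e "$SNAPSHOT.pending" ]; then
            "$NFT" -f "$SNAPSHOT"
            rm -f "$SNAPSHOT.pending"
        fi
    ) &
    echo "applied; run nft_confirm within ${delay}s or the previous ruleset returns"
}

# Run this from a fresh session that still connects: it cancels the rollback.
nft_confirm() {
    rm -f "$SNAPSHOT.pending"
}
```

Source it in a root shell (sudo -i, then . ./nft-safe-apply.sh), run nft_apply_with_rollback 60, open a second SSH session and run nft_confirm there. After confirming, sudo systemctl reload nftables.service loads the same file through the unit so systemd and the live ruleset agree.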

Manage nftables on Ubuntu

After activation, normal management is split between APT for package updates, systemd for persistence, and nft for inspecting the live ruleset.

Check nftables Status on Ubuntu

Use narrow status checks for routine confirmation, then list tables or the full ruleset when you need rule details.

systemctl is-active nftables.service
sudo nft list tables

Expected output with the example ruleset active:

active
table inet filter

Update nftables on Ubuntu

Ubuntu delivers nftables updates through normal APT upgrades. For a targeted package refresh, update metadata and upgrade only the installed nftables package.

sudo apt update
sudo apt install --only-upgrade nftables

Disable nftables Without Removing It

Stopping nftables.service runs nft flush ruleset, which removes the current native nftables ruleset. Do this only when another firewall layer protects the host or when you intentionally want to remove host-level filtering.

Disable the service when you want to keep the package installed but stop loading /etc/nftables.conf at boot.

sudo systemctl disable --now nftables.service

Confirm the service no longer starts automatically:

systemctl is-enabled nftables.service
systemctl is-active nftables.service

Expected output after disabling the service:

disabled
inactive

Remove nftables from Ubuntu

Keeping the package installed and disabling the service is usually cleaner than removing nftables, especially because Ubuntu treats it as part of the standard package set. Remove the package only when you have chosen another firewall path and reviewed the APT transaction.

APT may remove the ubuntu-standard metapackage when removing nftables. That does not remove every standard package, but it can affect future package-set expectations. Review the package list before confirming removal.

Stop the service first, then remove the package. Keep --autoremove out of this command unless you have reviewed the simulated removal list, because APT can include unrelated packages that were already marked as autoremovable.

sudo systemctl disable --now nftables.service
sudo apt remove nftables

Verify that the package is no longer installed:

dpkg -l nftables 2>/dev/null | grep '^ii' || echo "nftables is not installed"

Expected output after removal:

nftables is not installed

apt remove can leave the package-owned /etc/nftables.conf conffile behind. Purge the package only when you want that conffile removed too, and save any custom rules you might reuse before removing configuration files.

sudo apt purge nftables

If you purged the package, confirm the package-owned conffile is gone:

test ! -e /etc/nftables.conf && echo "nftables conffile removed"

Expected output after a purge:

nftables conffile removed

Troubleshoot nftables on Ubuntu

Most nftables problems fall into four buckets: the package is missing, the command lacks root privileges, the configuration file has a syntax error, or the service is not enabled to load rules after reboot.

Fix nft Command Not Found on Ubuntu

If the shell cannot find nft, the package is missing or the current environment has an unusual PATH.

bash: nft: command not found

Install the package, then rerun the version check.

sudo apt update
sudo apt install nftables
nft --version

Fix Operation Not Permitted with nftables

Listing or changing the kernel firewall ruleset requires root privileges. Without sudo, nft can fail with this message:

Operation not permitted (you must be root)

Repeat the command with sudo when it reads or changes firewall state.

sudo nft list ruleset

Fix nftables Syntax Errors on Ubuntu

A misplaced semicolon, brace, statement, or rule order can stop the service from loading. A syntax check points to the line and token that failed.

/etc/nftables.conf:9:71-76: Error: syntax error, unexpected policy, expecting newline or semicolon
table inet bad { chain input { type filter hook input priority filter policy drop; } }
                                                                      ^^^^^^

Validate the file after every edit. Only reload the service after the check exits cleanly.

sudo nft -c -f /etc/nftables.conf

Fix nftables Rules Missing After Reboot

Rules loaded with direct nft add commands are live-only unless you save them in /etc/nftables.conf. Rules in the file also need nftables.service enabled at boot.

systemctl is-enabled nftables.service

If the output is disabled, enable the service and confirm the active ruleset.

sudo systemctl enable --now nftables.service
sudo nft list ruleset

Recover After Blocking SSH with nftables

If a remote server stops accepting SSH after a firewall reload, use the provider console, local console, or rescue access. Restore the backup file or disable the service, then fix the missing allow rule before trying again.

sudo cp /etc/nftables.conf.backup /etc/nftables.conf
sudo nft -c -f /etc/nftables.conf
sudo systemctl reload nftables.service

If you only need emergency access restored, disable the service from the console and rebuild the ruleset later.

sudo systemctl disable --now nftables.service

Conclusion

nftables is now installed and ready to load a persistent host firewall from /etc/nftables.conf. Keep UFW and native nft rules separate, test every edit with sudo nft -c -f, and leave a recovery path open whenever remote access depends on the firewall you are changing.
