This project contains a script called nftablesctl which can start nftables up by adding the rules defined in nft scripts, and shut it down by clearing and deleting all chains and tables for every protocol.
Put the nft scripts you want to apply in /etc/nftables/ and make sure they have .rules as their file extension. Usually the distribution package already ships some example scripts in this directory; you can copy these to files ending in .rules and edit them as a starting point.
To load all your scripts, run nftablesctl start. To clear all the rules, run nftablesctl stop. Restarting is also possible with nftablesctl restart. To list all rules:
When you run nftablesctl start --confirm or nftablesctl restart --confirm from a terminal, it applies your rules and asks you to check your network connection. If your network still works as desired, you have 20 seconds to press Ctrl+C to leave the rules applied. When the timeout expires, nftablesctl stop is called to flush all rules and make your network accessible again. This should prevent you from accidentally locking yourself out of your (remote) machine by applying flawed rules.
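The confirm-and-rollback behaviour described above, written as a stand-alone POSIX shell function. This is an added example, not nftablesctl's own code; the function name confirm_apply and its arguments (an apply command, a revert command and a timeout) are assumptions, so that it can be exercised with placeholder commands instead of a real nft ruleset.

```shell
#!/bin/sh
# confirm_apply APPLY_CMD REVERT_CMD [TIMEOUT]
# Runs APPLY_CMD, then waits up to TIMEOUT seconds (default 20) for Ctrl+C.
# Ctrl+C (SIGINT) means "my connection still works": the rules are kept.
# If no SIGINT arrives before the timeout, REVERT_CMD is run to flush them,
# so a flawed ruleset cannot lock you out of a remote machine.
# Returns 0 if rules were kept, 1 if they were reverted, 2 if APPLY_CMD failed.
confirm_apply() {
    apply_cmd=$1
    revert_cmd=$2
    timeout=${3:-20}
    kept=0

    # Nothing was applied, so there is nothing to roll back.
    if ! sh -c "$apply_cmd"; then
        echo "apply command failed; nothing to revert" >&2
        return 2
    fi

    echo "Rules applied. Check your network connection now."
    echo "Press Ctrl+C within ${timeout}s to keep them; otherwise they are flushed."

    # The sleep runs in the background so that the trap can interrupt 'wait'.
    trap 'kept=1' INT
    sleep "$timeout" &
    sleep_pid=$!
    wait "$sleep_pid" 2>/dev/null || true
    trap - INT
    kill "$sleep_pid" 2>/dev/null || true

    if [ "$kept" -eq 1 ]; then
        echo "Confirmed: rules kept."
        return 0
    fi

    echo "No confirmation within ${timeout}s: reverting."
    sh -c "$revert_cmd" || echo "warning: revert command failed" >&2
    return 1
}

# With a real ruleset this would be, for example:
#   confirm_apply "nftablesctl start" "nftablesctl stop" 20
```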
Copy the supplied systemd service file to /etc/systemd/system/ to be able to run nftablesctl as a service, e.g. at boot time:

systemctl status|start|stop|restart|enable|disable nftables