
Cybersecurity Triage

Show the nftables Input Chain

You need to inspect the nftables input chain policy and the key accept or drop rules.

Command

nft list ruleset | sed -n '/chain input/,/}/p'

What changed

Nothing changes on the host. nft prints the full ruleset and sed prints from the first line matching `chain input` through the next line that contains `}`, which is intended to be the chain's closing brace.

Danger

safe

When to use it

Use when UFW output is not enough or you need to verify the lower-level packet filter shape. UFW is only a front end; on current distributions its iptables rules are backed by nftables, so the chains and default policy that actually decide a packet's fate are what this command shows.

When not to use it

Do not treat a simplified chain excerpt as a complete network policy audit on hosts with multiple tables or namespaces. The sed range also ends at the first line containing `}`, so a rule with an anonymous set such as `tcp dport { 80, 443 }` cuts the excerpt short and hides every rule after it; when the chain has sets, or more than one table defines an input chain, list the chain directly with `nft list chain inet filter input` (substituting the table family and name) instead of relying on the sed pattern.
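The following shell script is an added example, not part of the lesson. It runs offline on a constructed ruleset modelled on the fixture below (the ruleset text and the function names `naive_input_chain`, `input_chain`, `input_policy` and `count_terminal` are this example's own assumptions, not nft features) and shows the sed range stopping at an anonymous set, next to a brace-counting awk extraction that returns the whole chain.

```bash
#!/bin/sh
# Constructed sample ruleset for the demonstration; not captured from a real host.
# A second chain is included so the extraction must stop at the right brace.
SAMPLE_RULESET='table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif "lo" accept
    tcp dport 22 ip saddr 203.0.113.0/24 accept
    tcp dport { 80, 443 } accept
    tcp dport 25 accept
    tcp dport 5432 drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
}'

# The page's one-liner applied to ruleset text on stdin. The range closes on the
# first line containing "}", so the "{ 80, 443 }" set line ends the excerpt and
# the two rules after it are never printed.
naive_input_chain() {
  printf '%s\n' "$1" | sed -n '/chain input/,/}/p'
}

# Brace-depth extraction: start at "chain input {", track net brace depth per
# line, and stop at the line that brings the depth back to zero. Set literals
# open and close a brace on the same line, so they do not end the block.
input_chain() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*chain input[[:space:]]*[{]/ { inchain = 1 }
    inchain {
      print
      opens = gsub(/[{]/, "&"); closes = gsub(/[}]/, "&")
      depth += opens - closes
      if (depth <= 0) exit      # first input chain only; exit before another table
    }'
}

# Default verdict of the chain, read from the "policy <verdict>;" declaration.
input_policy() {
  input_chain "$1" | sed -n 's/.*policy \([a-z]*\);.*/\1/p'
}

# Count rules in the chain that end with the given verdict (accept or drop).
# The policy line ends with ";" so it is not counted as a rule.
count_terminal() {
  input_chain "$1" | grep -c " $2\$"
}

# Stand-alone demo: policy plus the full chain, then the truncated excerpt.
echo "policy: $(input_policy "$SAMPLE_RULESET")"
echo "--- full chain (brace-counted) ---"
input_chain "$SAMPLE_RULESET"
echo "--- sed range excerpt ---"
naive_input_chain "$SAMPLE_RULESET"
```

On a live host replace the sample with `nft list ruleset` output (root or CAP_NET_ADMIN is required to read it); the awk extraction deliberately stops after the first input chain, so on a host where UFW's `table ip filter` and an `inet` table both define one, list the chain you want by name with `nft list chain` rather than by pattern.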

Undo or recovery

No undo needed because this command is read-only. Reading the ruleset does require root (CAP_NET_ADMIN); without it nft reports a permission error and prints nothing.

Expected output

The nftables input chain with its hook, priority and default policy, followed by the accept and drop rules up to the first line that contains `}`. If a rule uses an anonymous set (for example `{ 80, 443 }`), the excerpt ends on that line and the later rules are missing, as the simulated output below shows; compare against the full `nft list ruleset` output when that happens.

demo script

Disposable terminal steps

  1. nft list ruleset
  2. nft list ruleset | sed -n '/chain input/,/}/p'

simulated output

What it looks like

$ nft list ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif "lo" accept
    tcp dport 22 ip saddr 203.0.113.0/24 accept
    tcp dport { 80, 443 } accept
    tcp dport 25 accept
    tcp dport 5432 drop
  }
}
::exit-code::0
$ nft list ruleset | sed -n '/chain input/,/}/p'
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif "lo" accept
    tcp dport 22 ip saddr 203.0.113.0/24 accept
    tcp dport { 80, 443 } accept
::exit-code::0

YouTube Short

Check the nftables input chain.

When firewall behavior is confusing, inspect the nftables input chain and its default policy.

LinkedIn hook

The packet path was hiding below UFW.

Question: When UFW output is not enough, do you inspect nftables directly?

experiments

A/B tests to run

Metric: watch_time

A: Below UFW.

B: Read the packet filter chain.