Fix: nftables Setup on Ubuntu 22.04

Ubuntu 22.04 uses nftables as the backend for iptables by default: the iptables command maps to iptables-nft, which translates legacy rules into nftables. Writing the ruleset directly in nftables avoids that translation layer and performs better for complex rulesets.

Basic nftables ruleset — /etc/nftables.conf

#!/usr/sbin/nft -f
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    tcp dport { 22, 80, 443 } accept
    icmp type echo-request accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}

# Enable the service so the ruleset is loaded at boot, then load it now:
sudo systemctl enable nftables && sudo systemctl start nftables
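Before loading a ruleset it is worth checking that every base chain actually has a default-deny policy and that only the intended TCP ports are accepted. The following script is an added example, not part of the original page: it parses the saved ruleset text (a constructed copy of the config above, plus a deliberately weak variant) with awk, so it runs without nft or root and can be pointed at a config file before it is applied. The function names, the sample rulesets and the "chain input/forward must be drop" policy are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): audit an nftables ruleset text for
# a missing default-deny and list the TCP ports the input chain accepts.
# Pure text processing: no nft binary and no root needed.

# Constructed sample, mirroring the /etc/nftables.conf shown on the page.
SAMPLE_RULESET='table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    tcp dport { 22, 80, 443 } accept
    icmp type echo-request accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}'

# Constructed weak sample: input defaults to accept and forward is undeclared.
WEAK_RULESET='table inet filter {
  chain input {
    type filter hook input priority 0; policy accept;
    tcp dport 22 accept
  }
}'

# chain_policy RULESET CHAIN -> prints the base-chain policy (drop/accept) or "none".
chain_policy() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "chain" && $2 == chain { inside = 1; next }
        inside && /policy/ { sub(/.*policy /, ""); sub(/;.*/, ""); print; found = 1; exit }
        inside && /^[[:space:]]*}/ { exit }
        END { if (!found) print "none" }'
}

# accepted_tcp_ports RULESET CHAIN -> prints each TCP dport accepted in CHAIN, one per line.
# Handles both "tcp dport 22 accept" and the set form "tcp dport { 22, 80 } accept".
accepted_tcp_ports() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "chain" && $2 == chain { inside = 1; next }
        inside && /^[[:space:]]*}/ { exit }
        inside && /tcp dport/ && /accept/ {
            line = $0
            sub(/.*dport[[:space:]]*/, "", line)
            sub(/[[:space:]]*accept.*/, "", line)
            gsub(/[{},]/, " ", line)
            n = split(line, ports, " ")
            for (i = 1; i <= n; i++) print ports[i]
        }'
}

# port_allowed RULESET CHAIN PORT -> exit 0 if PORT is explicitly accepted, 1 otherwise.
port_allowed() {
    accepted_tcp_ports "$1" "$2" | grep -qx "$3"
}

# audit_ruleset RULESET -> prints findings; exit 0 only when input and forward both default to drop.
audit_ruleset() {
    status=0
    for chain in input forward; do
        pol=$(chain_policy "$1" "$chain")
        if [ "$pol" = "drop" ]; then
            echo "OK: chain $chain default policy is drop"
        else
            echo "FINDING: chain $chain default policy is '$pol' (expected drop)"
            status=1
        fi
    done
    echo "Accepted TCP ports on input: $(accepted_tcp_ports "$1" input | tr '\n' ' ')"
    return $status
}

# Demo run against the constructed sample (exit status 0: both chains default to drop).
audit_ruleset "$SAMPLE_RULESET"
```

To audit the real file, replace the sample with `audit_ruleset "$(cat /etc/nftables.conf)"`. This script checks policy, not syntax; the syntax check that belongs alongside it is `sudo nft -c -f /etc/nftables.conf`, which parses the file without loading it.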

Common nftables errors on Ubuntu 22.04

Error: Could not process rule: No such file or directory

This appears when nftables tries to load a ruleset that references a table or chain that does not exist yet. It is usually caused by running nft -f /etc/nftables.conf before the base tables have been created.

# Fix: flush and reload from scratch
sudo nft flush ruleset
sudo systemctl restart nftables
sudo nft list ruleset

Error: UFW rules not working after switching to nftables

On Ubuntu 22.04, UFW uses nftables as its backend. If you previously had iptables rules, they won't carry over. Check which backend UFW is actually using:

# Check UFW backend:
sudo ufw status verbose
sudo nft list tables
# Look for: inet ufw6 — confirms UFW is using nftables

# If UFW rules are missing, reset and re-apply:
sudo ufw --force reset
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

Error: Docker containers accessible despite UFW deny rules

Docker uses iptables for container networking even on Ubuntu 22.04, where UFW uses nftables. The two systems do not interact: Docker's iptables rules bypass UFW's nftables rules entirely, so a published container port is reachable from outside regardless of UFW's deny rules. This is not a UFW bug; it is an architectural conflict.

# Verify Docker is using iptables (even on nftables Ubuntu):
sudo iptables -L DOCKER --line-numbers

# The fix — bind container ports to localhost:
# In docker-compose.yml:
# ports:
#   - "127.0.0.1:8080:80"  # NOT "8080:80"
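Because the bypass is decided by how each port is published, the practical control is to audit every ports: entry in your compose files for mappings that are not bound to loopback. The script below is an added example, not code from the page, Docker or UFW: it scans a constructed docker-compose.yml snippet with awk, reports every host binding that is not 127.0.0.1 or [::1], and prints the loopback-bound form the page recommends. The function names and the sample file are this example's own assumptions, and it only inspects the text, so it runs offline without Docker.

```shell
#!/bin/sh
# Added example (not from the original page): find docker-compose port mappings
# that publish on all interfaces and therefore bypass UFW. Text-only, no Docker needed.

# Constructed sample compose file: one loopback-bound mapping, three exposed ones,
# and an "expose:" block that must not be confused with "ports:".
SAMPLE_COMPOSE='services:
  web:
    image: nginx
    ports:
      - "127.0.0.1:8080:80"
      - "8443:443"
      - "0.0.0.0:9000:9000"
      - 3000:3000
  db:
    image: postgres
    expose:
      - "5432"'

# find_exposed_ports COMPOSE -> prints each ports: mapping not bound to loopback, one per line.
find_exposed_ports() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*ports:/ { inports = 1; next }
        inports && /^[[:space:]]*-[[:space:]]/ {
            m = $0
            sub(/^[[:space:]]*-[[:space:]]*/, "", m)   # strip the list dash
            gsub(/["\047]/, "", m)                      # strip surrounding quotes
            if (m !~ /^127\.0\.0\.1:/ && m !~ /^\[::1\]:/) print m
            next
        }
        inports { inports = 0 }                          # any non-list line ends the block
    '
}

# bind_to_loopback MAPPING -> prints the same mapping bound to 127.0.0.1.
bind_to_loopback() {
    m=$1
    case $m in
        0.0.0.0:*) m=${m#0.0.0.0:} ;;
    esac
    printf '127.0.0.1:%s\n' "$m"
}

# audit_compose COMPOSE -> exit 0 if every mapping is loopback-bound, 1 otherwise.
audit_compose() {
    exposed=$(find_exposed_ports "$1")
    if [ -z "$exposed" ]; then
        echo "OK: all published ports are bound to loopback"
        return 0
    fi
    printf '%s\n' "$exposed" | while IFS= read -r m; do
        echo "FINDING: '$m' publishes on all interfaces; use '$(bind_to_loopback "$m")'"
    done
    return 1
}

# Demo run against the constructed sample (reports three exposed mappings).
audit_compose "$SAMPLE_COMPOSE" || echo "Fix the mappings above before relying on UFW."
```

Run it against a real file with `audit_compose "$(cat docker-compose.yml)"`. Ports reached only through a reverse proxy on the host should be bound to 127.0.0.1 as shown; anything that genuinely must be public should then be allowed explicitly in UFW rather than left to Docker's own rules.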

Verify nftables is running correctly

# Check service status:
sudo systemctl status nftables

# List all active rules:
sudo nft list ruleset

# Check UFW is using nftables backend:
sudo nft list tables | grep ufw

# Show the drop/reject rules with two lines of context (grep needs -E for the | alternation):
sudo nft list ruleset | grep -E -A2 "drop|reject"
