Nftables Firewall Quick Start Guide

26-01-2024 02:49:59

nftables provides packet filtering (firewalling) and NAT (Network Address Translation). Debian ships with nftables installed as its default firewall. This Quick Start Guide lists some common nftables commands so that system administrators can quickly get up to speed with nftables.

Installing nftables:

# aptitude install nftables

Enabling nftables:

# systemctl enable nftables.service

Listing current rules:

# nft list ruleset

Deleting all rules:

# nft flush ruleset

Disabling nftables:

# systemctl mask nftables.service

Uninstalling nftables:

# aptitude purge nftables

To allow SSH, HTTP, HTTPS and ICMP and block all other inbound traffic, replace the content of /etc/nftables.conf (the file the nftables service loads at start-up) with the following:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # accept any localhost traffic
        iif lo accept

        # accept traffic originated from us
        ct state established,related accept

        # drop invalid packets
        ct state invalid counter drop

        # accept ssh, http, and https
        tcp dport { 22, 80, 443 } accept

        # accept icmp (IPv4) and icmpv6; the inet table covers both families,
        # and IPv6 neighbour discovery breaks without icmpv6
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # count and reject everything else
        counter reject with icmpx type admin-prohibited
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }

}
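As an added example (not part of the original guide), here is a small Python audit script that parses the text printed by `nft list ruleset` and checks that the input chain has the properties the configuration above is meant to establish: a base chain hooked on input with a drop policy, loopback and established/related traffic accepted, and a report of which TCP/UDP ports are open. The sample ruleset embedded in it is constructed to resemble nft's output for a ruleset like the one above; it deliberately lacks an ICMPv6 accept rule so that the audit has a finding to report.

```python
"""Audit `nft list ruleset` text for the input-chain properties a host
firewall should have. Added example, not part of the original guide."""
import re
import sys

# Constructed sample, modelled on what `nft list ruleset` prints for a
# ruleset like the guide's (the ICMPv6 rule is intentionally absent).
SAMPLE_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid counter packets 0 bytes 0 drop
        tcp dport { 22, 80, 443 } accept
        ip protocol icmp accept
        counter packets 0 bytes 0 reject with icmpx admin-prohibited
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
"""

PORT_RE = re.compile(r"\b(tcp|udp) dport (\{[^}]*\}|\d+)")


def parse_ruleset(text):
    """Return {"family table": {chain: {"header": str|None, "rules": [...]}}}.
    Follows the brace layout nft prints; the 'type ... hook ... policy ...;'
    line of a base chain is stored as the chain header."""
    tables, table, chain = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"table (\S+) (\S+) \{$", line)
        if m:
            table = tables.setdefault(f"{m.group(1)} {m.group(2)}", {})
            continue
        m = re.match(r"chain (\S+) \{$", line)
        if m and table is not None:
            chain = table.setdefault(m.group(1), {"header": None, "rules": []})
            continue
        if line == "}":
            if chain is not None:
                chain = None  # closing a chain
            else:
                table = None  # closing a table
            continue
        if chain is None:
            continue
        if line.startswith("type "):
            chain["header"] = line
        else:
            chain["rules"].append(line)
    return tables


def open_ports(rules):
    """Ports matched by rules that end in 'accept', per protocol."""
    ports = {"tcp": set(), "udp": set()}
    for rule in rules:
        if not rule.endswith(" accept"):
            continue
        for proto, spec in PORT_RE.findall(rule):
            ports[proto].update(int(p) for p in re.findall(r"\d+", spec))
    return {k: sorted(v) for k, v in ports.items()}


def audit_input_chains(text):
    """One finding dict per base chain hooked on input (any table)."""
    findings = []
    for tname, chains in parse_ruleset(text).items():
        for cname, chain in chains.items():
            header = chain["header"] or ""
            if "hook input" not in header:
                continue
            policy = re.search(r"policy (\w+);", header)
            rules = chain["rules"]
            findings.append({
                "table": tname, "chain": cname,
                "policy": policy.group(1) if policy else None,
                # nft prints 'iif "lo"'; the config file form is 'iif lo'
                "loopback_accepted": any(re.match(r'iif(name)? "?lo"? accept', r) for r in rules),
                "established_accepted": any("ct state established,related accept" in r for r in rules),
                "icmpv6_accepted": any(("ipv6-icmp" in r or "icmpv6" in r) and r.endswith(" accept") for r in rules),
                "open_ports": open_ports(rules),
            })
    return findings


def problems(findings):
    """Human-readable problems; an empty list means the ruleset looks right."""
    if not findings:
        return ["no base chain is hooked on input: every inbound packet is accepted"]
    out = []
    for f in findings:
        where = f"{f['table']} {f['chain']}"
        if f["policy"] != "drop":
            out.append(f"{where}: input policy is {f['policy']!r}, expected drop")
        if not f["loopback_accepted"]:
            out.append(f"{where}: loopback traffic is not accepted")
        if not f["established_accepted"]:
            out.append(f"{where}: established/related traffic is not accepted")
        if not f["icmpv6_accepted"]:
            out.append(f"{where}: no ICMPv6 accept rule; IPv6 neighbour discovery will be dropped")
    return out


if __name__ == "__main__":
    # Audit stdin when piped (nft list ruleset | python3 audit.py), else the sample.
    text = SAMPLE_RULESET if sys.stdin.isatty() else sys.stdin.read()
    found = audit_input_chains(text)
    for f in found:
        print(f"{f['table']} {f['chain']}: policy={f['policy']} open={f['open_ports']}")
    for p in problems(found):
        print("PROBLEM:", p)
```

Pipe the live ruleset in with `nft list ruleset | python3 audit.py`; with no input it audits the built-in sample. The exact text nft prints varies a little between versions (for example `priority 0` versus `priority filter`), which is why the matching is deliberately loose. A related check worth running before loading a new /etc/nftables.conf on a remote machine is `nft -c -f /etc/nftables.conf`, which parses the file without applying it: a syntax error in a file that sets a drop policy is an easy way to lose SSH access.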

For more information, refer to the official nftables documentation.

https://wiki.debian.org/nftables