ebtables-nft - Linux


Overview

ebtables-nft is a command-line utility that manages network packet filtering rules using the Netfilter framework within the Linux kernel. It enables the configuration and manipulation of connection tracking tables, providing enhanced control over network traffic.

Syntax

ebtables-nft [--version] [--help] [--list] [-t table] [--timeout] [--table table] [--tos value] [--nat table] [--uid value] [--gid value] [--inverse]
                [-m protocol] [-p protocol] [--protocol value] [--source-ip value] [--destination-ip value] [--target target] [--add] [--delete]
                [--flush] [--delete-by-handle handle] [--delete-by-uid value] [--delete-by-gid value] [--delete-by-dst-ip value] [--delete-by-src-ip value]
                [--delete-by-src-port value] [--delete-by-dst-port value]

Options/Flags

  • --version: Display version information.
  • --help: Show usage information.
  • --list: List available tables.
  • -t table: Specify the table to modify (e.g., filter).
  • --timeout: Display table timeouts.
  • --table table: Select the table to filter on (e.g., filter).
  • --tos value: Match on IP Type of Service (ToS) value.
  • --nat table: Select the table for manipulating NAT rules.
  • --uid value: Match on user ID (UID).
  • --gid value: Match on group ID (GID).
  • --inverse: Invert the match logic.
  • -m protocol: Specify the protocol to match on (e.g., tcp, udp).
  • -p protocol: Synonym for -m protocol.
  • --protocol value: Specify the protocol to match on by number or name.
  • --source-ip value: Match on the source IP address.
  • --destination-ip value: Match on the destination IP address.
  • --target target: Specify the target to jump to.
  • --add: Add a new rule.
  • --delete: Delete a rule.
  • --flush: Delete all rules from a table.
  • --delete-by-handle handle: Delete a rule by its handle.
  • --delete-by-uid value: Delete rules by UID.
  • --delete-by-gid value: Delete rules by GID.
  • --delete-by-dst-ip value: Delete rules by destination IP.
  • --delete-by-src-ip value: Delete rules by source IP.
  • --delete-by-src-port value: Delete rules by source port.
  • --delete-by-dst-port value: Delete rules by destination port.

Examples

  • List available tables:

    ebtables-nft --list
    
  • Add a rule to filter packets based on source IP:

    ebtables-nft --table filter --add --protocol ipv4 --source-ip 192.168.1.10 --jump ACCEPT
    
  • Delete a rule based on the destination port:

    ebtables-nft --table filter --delete-by-dst-port 80
    
  • Flush all rules from the filter table:

    ebtables-nft --table filter --flush
    

Common Issues

  • Incorrect syntax: Ensure you are following the correct syntax and using valid options.
  • Table not found: Verify that the specified table exists using --list.
  • Permission denied: Ensure you have sufficient permissions to modify the specified table.

Integration

ebtables-nft can be used with other commands for advanced network filtering. For example:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.1:8080
# BROUTING only sees incoming frames, so the interface match is -i (not -o);
# ebtables matches the frame's source MAC directly with -s (there is no "-m mac" module).
ebtables-nft -t broute -A BROUTING -i eth0 -s 00:11:22:33:44:55 -j ACCEPT
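The Integration commands above accept a single trusted source MAC. A defender more often wants the opposite default: a bridge that drops everything except a short allow-list. The following POSIX shell script is an added example, not part of the ebtables-nft project or of this page. It builds that allow-list for the FORWARD chain of the filter table, validates each MAC address before it reaches the command line so a typo cannot silently widen the rule, and prints the commands instead of running them unless DRY_RUN is set to 0 (running them for real needs root and the ebtables-nft binary on PATH). The function and variable names (gen_bridge_allowlist, valid_mac, run_rule, DRY_RUN) are this example's own, and the MAC addresses at the bottom are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the ebtables-nft project): build a default-deny
# bridge allow-list from a set of trusted source MAC addresses.
# Assumptions: DRY_RUN=1 (the default) prints each command instead of
# executing it; DRY_RUN=0 executes it, which requires root.

DRY_RUN="${DRY_RUN:-1}"

# Validate a MAC address before it is used in a rule: six pairs of hex
# digits separated by colons. Returns 0 if valid, 1 otherwise.
valid_mac() {
    printf '%s\n' "$1" | grep -qiE '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print (dry run) or execute a single ebtables-nft command.
run_rule() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit the rule set for the FORWARD chain of the filter table:
# one ACCEPT per trusted source MAC (-s is the ebtables source-MAC
# match), then a DROP policy so every other bridged frame is refused.
# Malformed entries are reported on stderr and skipped rather than
# passed to the tool.
gen_bridge_allowlist() {
    for mac in "$@"; do
        if valid_mac "$mac"; then
            run_rule ebtables-nft -t filter -A FORWARD -s "$mac" -j ACCEPT
        else
            printf 'skipping invalid MAC: %s\n' "$mac" >&2
        fi
    done
    run_rule ebtables-nft -t filter -P FORWARD DROP
}

# Constructed sample input: two valid addresses and one malformed entry.
gen_bridge_allowlist 00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 'not-a-mac'
```

Review the printed commands first; once they look right, rerun with DRY_RUN=0 as root and confirm the result with `ebtables-nft -t filter -L FORWARD` before relying on it.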

Related Commands

  • iptables-nft: Manage firewall rules.
  • nft: The next-generation Netfilter command-line utility.
  • netstat: Display network statistics and connections.