nftables Baseline for Anubiz Offshore VPS

iptables is legacy. nftables ships with the Ubuntu 24.04 cloudimg by default and is the right firewall to standardize on for any Anubiz VPS. This guide gives you a single ruleset file you can drop on any new Anubiz Romania, Iceland, Finland or Ukraine VPS and have a sane baseline in 30 seconds: anti-spoof, conntrack accept, SSH allowlist by source IP, rate limiting on new connections, IPv6 parity, and a deny-by-default policy. The cloud image leaves the input table empty by default, which is a footgun. Fix that first, then layer per-service rules on top.

Step 1: Drop the Legacy iptables-nft Shim

The cloud image installs iptables-nft as a compatibility layer. Leave it installed but stop using it: write your rules in native nft syntax. Confirm the starting state with nft list ruleset, which should show an empty filter table.

Step 2: Baseline Rules

Create /etc/nftables.conf. Define a set ssh_allow containing your jump host IPs, then an inet table named filter with input, forward and output chains. Set the input policy to drop. In the input chain: accept ct state established,related; accept iif lo; drop ct state invalid; accept tcp dport 22 from @ssh_allow; limit new TCP SYNs to 25/second per source; accept ICMP echo. Open your service ports below these rules.

Step 3: IPv6 Parity

The same chains must accept ICMPv6 (Neighbor Discovery is non-negotiable). Accept established, drop invalid, and accept SSH and service ports from an IPv6 allowlist. Skipping this means IPv6 stays wide open while IPv4 is locked down.

Step 4: Persistence and Reload

Enable and start the service with systemctl enable --now nftables. Validate with nft -c -f /etc/nftables.conf before any reload to avoid locking yourself out. The systemd unit loads the file on boot.

Step 5: Verify From Outside

From a second machine, run nmap -Pn -p- vps-ip. Only SSH and your explicit service ports should appear (SSH only when the scanning machine's address is in ssh_allow). If anything else shows, the ruleset is wrong.
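
The ruleset that Steps 2 and 3 describe, written out as a complete /etc/nftables.conf. This is an added example, not Anubiz's own file. Assumptions: the addresses (RFC 5737 and RFC 3849 documentation ranges), service ports 80 and 443, every set name except ssh_allow, the fib reverse-path rule used for anti-spoofing, and the forward and output policies.

```nftables
#!/usr/sbin/nft -f
# Added example. All addresses and service ports are constructed placeholders.
flush ruleset

table inet filter {
    set ssh_allow  { type ipv4_addr; flags interval; elements = { 192.0.2.10, 198.51.100.0/28 } }
    set ssh_allow6 { type ipv6_addr; flags interval; elements = { 2001:db8:100::/64 } }
    set svc_tcp    { type inet_service; elements = { 80, 443 } }

    # Per-source SYN meters; size and timeout bound the memory a flood can consume.
    set syn4 { type ipv4_addr; flags dynamic; timeout 1m; size 65536; }
    set syn6 { type ipv6_addr; flags dynamic; timeout 1m; size 65536; }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        iif "lo" accept
        ct state invalid drop

        # Neighbor Discovery first, so the checks below can never break address resolution.
        # Hop limit 255 means the packet was not routed, i.e. it originated on-link.
        ip6 hoplimit 255 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Anti-spoof (assumed implementation): drop if there is no route back to the
        # source address through the interface the packet arrived on.
        fib saddr . iif oif missing drop

        # SSH from the allowlists only; any other source to port 22 falls to policy drop.
        tcp dport 22 ip saddr @ssh_allow accept
        tcp dport 22 ip6 saddr @ssh_allow6 accept

        # More than 25 new SYNs per second from one source: drop the excess.
        meta nfproto ipv4 ct state new tcp flags syn add @syn4 { ip saddr limit rate over 25/second } drop
        meta nfproto ipv6 ct state new tcp flags syn add @syn6 { ip6 saddr limit rate over 25/second } drop

        icmp type echo-request accept
        icmpv6 type echo-request accept

        # Assumption: these are public services, open to any source on both families.
        tcp dport @svc_tcp accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;  # assumption: host does not route
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

The leading flush ruleset also removes rules installed by other tools on the host, such as container runtimes, so load this file before those services start or drop that line and flush only this table.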
