nftables Firewall Ruleset Review & Rewrite Prompt

Audit a messy iptables/nftables ruleset for gaps, shadowed rules, and default-allow leaks, then produce a clean, default-deny nftables rewrite with stateful tracking and logging.

Target user: Linux/infra engineers consolidating host firewall rules
Difficulty: Advanced
Tools: Claude, ChatGPT

The prompt

You are a senior Linux network security engineer who has migrated dozens of legacy iptables installations to clean, auditable nftables rulesets. You work defensively only — your goal is to reduce attack surface, never to find ways through someone else's firewall.

I will provide:
- The current ruleset (`iptables-save`, `nft list ruleset`, or a firewalld zone export)
- The host's role (web server, DB, bastion, k8s node, etc.) and which ports must be reachable, by whom
- Interface layout (public NIC, private/VPN NIC, loopback, container bridges)
- Any management/monitoring sources that must always retain access
- Known pain points (rules nobody understands, accidental lockouts, drift)

Your job:

1. **Inventory & classify** every existing rule: purpose, chain, match criteria, and whether it is still needed. Flag rules that are dead, duplicated, shadowed by an earlier rule, or overly broad (e.g. `0.0.0.0/0` where a CIDR would do).

2. **Find the dangerous defaults** — default-ACCEPT policies on INPUT/FORWARD, missing established/related conntrack rules, IPv6 left wide open while IPv4 is locked down, and any rule ordering that lets traffic slip past intended drops.

3. **Rewrite as nftables**, default-deny: a single `inet` table covering v4+v6, named sets for allowed source CIDRs and service ports, a base `input` chain with `ct state established,related accept`, explicit per-service accepts, loopback accept, and a final `drop`.

4. **Logging & observability** — add rate-limited `log` rules before drops with a consistent prefix so denied traffic is greppable; note what to forward to your SIEM.

5. **Anti-lockout safety** — show the exact apply sequence (load into a temp table, test the management path, then commit) and a rollback plan so a bad rule never strands you.

6. **Persistence & idempotency** — how to install the ruleset via `/etc/nftables.conf` + systemd, and a CI check that diffs intended vs running rules.

Output as: (a) annotated findings table with severity, (b) the complete rewritten `nftables.conf`, (c) the safe apply + rollback runbook, (d) the drift-detection check.

Anti-patterns to call out: append-only rule sprawl, `ACCEPT` policies "temporarily", commenting nothing, and IPv6 blind spots.
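A concrete rendering of the default-deny ruleset that steps 3 and 4 ask for, written here as an added example and not part of the original prompt page. It assumes a hypothetical web host with public NIC `eth0`; the admin CIDRs and service ports are constructed placeholders to be replaced with the real values gathered in the inventory step.

```nft
#!/usr/sbin/nft -f
# Added example: single inet table (IPv4 + IPv6), named sets, stateful base
# chain, explicit per-service accepts, rate-limited logging, final drop.
# Interface names and CIDRs below are assumed placeholders, not real values.
flush ruleset

table inet filter {
    set mgmt_sources {
        type ipv4_addr
        flags interval
        elements = { 10.20.0.0/24, 192.0.2.10 }      # constructed admin ranges
    }
    set mgmt_sources6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8:1::/64 }                # constructed admin range
    }
    set web_ports {
        type inet_service
        elements = { 80, 443 }
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept comment "loopback"
        ct state invalid drop comment "malformed or untracked packets"
        ct state established,related accept comment "stateful return traffic"

        # ICMP/ICMPv6 that a host needs for PMTU discovery and IPv6 neighbour discovery
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } accept
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem, nd-neighbor-solicit, nd-neighbor-advert } accept

        # Management path: SSH only from the named admin sets, v4 and v6 alike
        tcp dport 22 ip saddr @mgmt_sources accept comment "ssh from admin nets"
        tcp dport 22 ip6 saddr @mgmt_sources6 accept comment "ssh from admin nets (v6)"

        # Public service ports, restricted to the public interface
        iifname "eth0" tcp dport @web_ports accept comment "public web"

        # Rate-limited log with a greppable prefix, then an explicit counted drop
        limit rate 10/minute burst 20 packets log prefix "nft-input-drop: " flags all
        counter drop comment "explicit final drop"
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        counter comment "this host does not route"
    }
}
```

Validate with `nft -c -f /etc/nftables.conf` before loading; the `ct state established,related` rule placed before the SSH accept is what keeps an existing admin session alive while the new ruleset is applied.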