nftables DDoS Protection Rule Generator

Generate modern nftables rulesets for Linux DDoS protection. nftables is the in-kernel successor to iptables (nf_tables): set and map lookups that scale better than walking a linear rule list, atomic replacement of the whole ruleset in one load, and a structured, readable syntax.

Protections

SYN Flood Protection: rate limit new TCP connections (bare SYNs) per source IP using meters (limit in packets/sec per IP, configurable)
UDP Flood Protection: rate limit UDP traffic per source IP (limit in packets/sec per IP, configurable)
ICMP Limiting: prevent ping floods and ICMP abuse (limit in packets/sec, configurable)
Connection Tracking: drop packets in the invalid conntrack state, accept established and related traffic
Global Rate Limiting: overall new-connection rate limit across all sources (limit in connections/sec total, configurable)
Blackhole Set: a named set for dynamically blocking source IPs at runtime without reloading the ruleset
Port Filtering: only allow specific service ports; everything else falls to the drop policy
Warning: Always test nftables rules before applying to production. Use nft -c -f nftables-ddos.conf to check the file for syntax and semantic errors (undefined sets, mismatched types) without loading it; nft -f applies it, and a leading flush ruleset makes that load an atomic replacement of the whole ruleset. Keep out-of-band access (console, IPMI, serial) available in case a rule locks you out, and confirm what is actually loaded with nft list ruleset. On systemd systems, rules persist via /etc/nftables.conf and systemctl enable nftables.
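As an added example (not the generator's own output and not code from Flowtriq), the following POSIX shell script emits a ruleset that implements all seven protections listed above, takes the limits as parameters, and wraps the nft -c -f check from the warning. The default limits, the table name ddos, the set and meter names, the port lists and the 1h blackhole timeout are assumptions for illustration; tune them to your traffic.

```shell
#!/bin/sh
# Added example (not Flowtriq's generator): emit an nftables ruleset covering
# SYN/UDP/ICMP limits, conntrack, a global new-connection limit, blackhole
# sets and port filtering. All default limits, names and ports are assumed.
# Usage: generate_ruleset SYN_PER_IP UDP_PER_IP ICMP_PER_SEC GLOBAL_NEW TCP_PORTS UDP_PORTS
#   sh gen-nft-ddos.sh 10 100 5 500 "22, 80, 443" "53" > nftables-ddos.conf
generate_ruleset() {
    syn_per_ip="${1:-10}"          # new SYNs per second per source IP (assumed)
    udp_per_ip="${2:-100}"         # UDP packets per second per source IP (assumed)
    icmp_per_sec="${3:-5}"         # echo requests per second, global (assumed)
    global_new="${4:-500}"         # new connections per second, all sources (assumed)
    tcp_ports="${5:-22, 80, 443}"  # allowed TCP service ports (assumed)
    udp_ports="${6:-53}"           # allowed UDP service ports (assumed)
    cat <<EOF
#!/usr/sbin/nft -f
# flush + reload from one file = atomic replacement of the whole ruleset
flush ruleset

table inet ddos {
    # Blackhole sets: block a source at runtime without reloading, e.g.
    #   nft add element inet ddos blackhole4 { 203.0.113.5 timeout 1h }
    set blackhole4 {
        type ipv4_addr
        flags timeout
    }
    set blackhole6 {
        type ipv6_addr
        flags timeout
    }
    # Port filtering: only these service ports accept new traffic
    set tcp_services {
        type inet_service
        elements = { ${tcp_ports} }
    }
    set udp_services {
        type inet_service
        elements = { ${udp_ports} }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept

        # Connection tracking: drop invalid, accept established/related before
        # any limiter so legitimate reply traffic is never counted
        ct state invalid drop
        ct state established,related accept

        # IPv6 neighbour discovery must survive the ICMP limits below
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept

        ip saddr @blackhole4 drop
        ip6 saddr @blackhole6 drop

        # Global new-connection rate limit (all sources combined)
        ct state new limit rate over ${global_new}/second drop

        # SYN flood: per-source limit on bare SYNs, one meter per address family
        tcp flags & (syn | ack) == syn meter syn4 { ip saddr limit rate over ${syn_per_ip}/second } drop
        tcp flags & (syn | ack) == syn meter syn6 { ip6 saddr limit rate over ${syn_per_ip}/second } drop

        # UDP flood: per-source limit
        meta l4proto udp meter udp4 { ip saddr limit rate over ${udp_per_ip}/second } drop
        meta l4proto udp meter udp6 { ip6 saddr limit rate over ${udp_per_ip}/second } drop

        # ICMP: rate-limit echo requests; anything else falls to policy drop
        icmp type echo-request limit rate ${icmp_per_sec}/second accept
        icmpv6 type echo-request limit rate ${icmp_per_sec}/second accept

        # Port filtering
        tcp dport @tcp_services accept
        udp dport @udp_services accept
    }
}
EOF
}

# Syntax/semantic check without loading (the nft -c -f check from the warning).
# Returns 2 when nft is not installed so a missing binary is never mistaken for a pass.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        printf 'nft not found; cannot check %s\n' "$1" >&2
        return 2
    fi
}

# Run directly with arguments to print a ruleset; redirect it to a file, run
# check_ruleset on it, then nft -f on a host you can still reach out-of-band.
[ "${1:-}" = "" ] || generate_ruleset "$@"
```

Rule order is the point worth copying even if you change every number: established/related traffic and IPv6 neighbour discovery are accepted before any limiter, so only genuinely new packets are counted, and the per-source meters sit after the global limit so a single flooding source is stopped without the global limit having to absorb it. The meter keyword is the older spelling of what current nft documents as a dynamic set (update @set { ip saddr limit rate ... }); it still parses on current releases.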

nftables vs iptables - Why Migrate?

Feature | iptables | nftables
Atomic rule replacement | Only per table via iptables-restore; the iptables CLI changes rules one at a time | Yes, the entire ruleset in one nft -f load
Performance at scale | Linear matching through rule lists | Optimized set and map lookups
IPv4 + IPv6 unified | Separate commands (iptables, ip6tables) | inet family handles both in one table
Named sets/maps | Requires ipset | Built-in
Kernel API | Legacy xtables | Modern nf_tables
Syntax | Flat CLI flags | Structured, readable
Tracing/debugging | Limited | Built-in trace support (nftrace with nft monitor trace)
Distro default (2024+) | Being deprecated | Default in most distros
