Implementing Per-User Firewall Rules on AlmaLinux 8 Using nftables

Overview

Most Linux firewall guides focus on system-wide rules for services or ports. However, in multi-user or multi-tenant environments, administrators often need per-user network restrictions—for example:

• Restricting a non-root user from accessing the internet

• Allowing only certain users to access internal services

• Controlling traffic for development, QA, or sandbox accounts

AlmaLinux 8 supports per-user firewalling via nftables, the successor to iptables, yet this topic is rarely documented online.

This tutorial demonstrates how to implement user-level firewall rules safely and efficiently.

Why Per-User Firewalling Matters

• Limit blast radius for compromised accounts

• Enforce strict multi-tenant security

• Monitor and control application-specific network traffic

• Reduce risk in shared servers or hosting environments

Prerequisites

• AlmaLinux 8

• Root or sudo access

• nftables installed (default)

• Basic knowledge of Linux networking

Check nftables version:

nft --version

Step 1: Enable nftables

systemctl enable nftables
systemctl start nftables

Verify:

nft list ruleset

Step 2: Create a Base Table

nft add table inet user_filter

• inet family supports both IPv4 and IPv6

• user_filter is the table name

Step 3: Add Base Chains

Create input and output chains:

nft add chain inet user_filter input { type filter hook input priority 0 \; }
nft add chain inet user_filter output { type filter hook output priority 0 \; }

Step 4: Restrict Specific User

Example: block user devuser from all outbound connections:

nft add rule inet user_filter output oifname != lo uid 1001 drop

• oifname != lo → Exclude loopback

• uid 1001 → Target devuser (check UID: id devuser)

• drop → Deny all network traffic

Step 5: Allow Exceptions

Allow devuser to access only internal subnet:

nft add rule inet user_filter output uid 1001 ip daddr 192.168.10.0/24 accept

This ensures devuser can only reach the internal network while all other traffic is blocked.

Step 6: Apply Logging (Optional)

Log dropped packets for auditing:

nft add rule inet user_filter output uid 1001 drop log prefix "USER-FIREWALL: " level info

Step 7: Persist Rules

nft list ruleset > /etc/nftables.conf

Ensure nftables loads rules on boot (default in AlmaLinux 8):

systemctl enable nftables

Step 8: Testing

Switch to the restricted user:

sudo -u devuser ping 8.8.8.8

• Should fail for external addresses

• Should succeed for allowed internal subnet

Check logs:

journalctl -t USER-FIREWALL

Step 9: Remove Per-User Rule (Reversible)

nft delete rule inet user_filter output handle <rule-handle-number>

Check rule handle numbers:

nft list ruleset

Advanced Use Cases

• Restrict multiple users simultaneously

• Limit traffic to specific ports (tcp dport 80 accept)

• Apply rate limiting per user

• Combine with systemd services for auto-enforcement

Security Best Practices

• Always whitelist loopback (lo)

• Combine with SELinux for extra isolation

• Test in staging before production

• Document UID-specific rules

• Monitor logs for unauthorized traffic attempts

Conclusion

Per-user firewalling in AlmaLinux 8 using nftables allows fine-grained, user-level network control.
This technique is particularly useful in multi-tenant environments, development servers, and hardened production systems.

Despite being a powerful feature, per-user firewalling is rarely documented in public tutorials, making this guide highly valuable for IT professionals.