I want to close port 80 in localhost.
sudo nft add rule inet filter input tcp dport 80 drop
To check with nmap:
sudo nmap -p 80 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2021-05-02 05:16 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
Why can't I close port 80?
sudo nft list ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        iif "lo" accept comment "Accept any localhost traffic"
        iif != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
        tcp dport { http } ct state established,new drop
        tcp dport http drop
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
Now insert it with:
sudo nft insert rule inet filter input tcp dport 80 drop
sudo nmap -p 80 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2021-05-02 08:29 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up.
PORT STATE SERVICE
80/tcp filtered http
Nmap done: 1 IP address (1 host up) scanned in 2.12 seconds
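The difference between the two results comes down to rule order: nftables walks a chain top to bottom and stops at the first rule that issues a verdict, `nft add rule` appends to the end of the chain, and `nft insert rule` puts the new rule at the front. In the ruleset above, `iif "lo" accept` sits first, so every loopback packet (including nmap's probe to 127.0.0.1) is accepted before the appended `tcp dport http drop` rules are ever consulted. The following is an added example, not part of the original post: a small Python simulation of that first-match walk over the post's `input` chain, with the same three rules modelled as functions and a constructed packet standing in for the nmap probe. It shows the verdict both for the appended rule (`add`) and for the prepended one (`insert`), and generalises slightly by also evaluating a non-HTTP loopback packet and a packet arriving on a non-loopback interface.

```python
# Added example (not from the original post): a minimal simulation of how
# nftables walks the post's "input" chain. Rules are evaluated in order; the
# first rule that returns a verdict ends evaluation, a rule that matches but
# issues no verdict falls through, and if nothing matches the chain policy
# ("accept" in the post) applies.

from ipaddress import ip_address, ip_network

# Constructed sample packet: what `sudo nmap -p 80 127.0.0.1` sends on loopback.
PROBE = {"iif": "lo", "daddr": "127.0.0.1", "proto": "tcp", "dport": 80}


def rule_accept_lo(pkt):
    # iif "lo" accept
    return "accept" if pkt["iif"] == "lo" else None


def rule_drop_loopback_from_outside(pkt):
    # iif != "lo" ip daddr 127.0.0.0/8 counter drop
    # ("counter" only counts; "drop" is the verdict)
    if pkt["iif"] != "lo" and ip_address(pkt["daddr"]) in ip_network("127.0.0.0/8"):
        return "drop"
    return None


def rule_drop_http(pkt):
    # tcp dport http drop  (the "ct state established,new" variant matches a
    # SYN probe too, since a fresh SYN is conntrack state "new")
    if pkt["proto"] == "tcp" and pkt["dport"] == 80:
        return "drop"
    return None


def walk_chain(rules, pkt, policy="accept"):
    """First-match evaluation: verdict of the first matching rule, else the chain policy."""
    for rule in rules:
        verdict = rule(pkt)
        if verdict is not None:
            return verdict
    return policy


# `nft add rule` appends: the http drop lands AFTER "iif lo accept".
CHAIN_AFTER_ADD = [rule_accept_lo, rule_drop_loopback_from_outside, rule_drop_http]

# `nft insert rule` prepends: the http drop is evaluated BEFORE "iif lo accept".
CHAIN_AFTER_INSERT = [rule_drop_http, rule_accept_lo, rule_drop_loopback_from_outside]


def verdict_after_add(pkt=PROBE):
    """Verdict for the packet with the drop rule appended (nft add rule)."""
    return walk_chain(CHAIN_AFTER_ADD, pkt)


def verdict_after_insert(pkt=PROBE):
    """Verdict for the packet with the drop rule prepended (nft insert rule)."""
    return walk_chain(CHAIN_AFTER_INSERT, pkt)


if __name__ == "__main__":
    print("add    ->", verdict_after_add())     # accept: nmap reports 80/tcp open
    print("insert ->", verdict_after_insert())  # drop:   nmap reports 80/tcp filtered
```

On the real system the ordering (and each rule's handle) can be confirmed with `sudo nft -a list chain inet filter input`; the inserted rule appears first. Because the verdict is `drop`, the probe simply gets no reply, which is why nmap reports the port as `filtered` rather than `closed`; a `reject` verdict would send a TCP RST or ICMP error and nmap would then show `closed`.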