Introduction
nftables will eventually replace iptables as the Linux kernel packet classification framework, more commonly referred to as ‘the firewall.’ However, both are still present and will be for a while. So which one should you choose? iptables vs nftables: the answer is nftables, at least in the long run. nftables has several advantages; for me, the most important are:
- A unified rule syntax for IPv4 and IPv6: rules that do not depend on the IP protocol, such as ‘allow traffic on TCP port 22’, can be written so that a single rule applies to both protocols
- Increased security and performance: rules are translated into bytecode that is evaluated in the kernel
- Dynamic sets: allow lists, drop lists and even port mappings can be changed without updating the firewall rules themselves
There are also several disadvantages:
- Maturity: nftables, although already very mature, can still lack some features that are standard in iptables, especially in the version shipped with stable distributions; more on this later
- Tooling: many tools exist for iptables. For example, the excellent Shorewall is written explicitly for iptables, although the more powerful syntax of nftables makes tooling to manage rules less necessary.
- Documentation: it is easier to find documentation and examples for iptables than for nftables.
Whether the advantages outweigh the disadvantages depends on the version of the Linux kernel and of the nftables userspace tools, which in turn depends on the Linux distribution and release you run. Also, check the tutorial for firewalld on RHEL 8.
nftables setup
By default, firewalld is present on all CentOS/RHEL 8 systems. We have to remove it, or at least disable the service, so that it does not manage the firewall alongside nftables.
# systemctl disable --now firewalld
# systemctl mask firewalld
Install the nftables package
# dnf install nftables
Create a new table for nftables
# nft add table inet filter
# nft list tables
# nft list table inet filter
We will now define a new chain, which we will call INPUT. The name itself is not important; it is the type and the hook that define the chain’s function.
# nft add chain inet filter INPUT \
> { type filter hook input priority 0 \; policy accept \; }
# nft list table inet filter
table inet filter {
chain INPUT {
type filter hook input priority filter; policy accept;
}
}
Adding SSH rules: iptables vs nftables
# nft add rule inet filter INPUT iif lo accept
# nft add rule inet filter INPUT ct state established,related accept
# nft add rule inet filter INPUT tcp dport 22 accept
# nft add rule inet filter INPUT counter drop
# nft list table inet filter
table inet filter {
chain INPUT {
type filter hook input priority filter; policy accept;
iif "lo" accept
ct state established,related accept
tcp dport 22 accept
counter packets 0 bytes 0 drop
}
}
List the filter table again after some traffic has hit the drop rule
# nft list table inet filter
table inet filter {
chain INPUT {
type filter hook input priority filter; policy accept;
iif "lo" accept
ct state established,related accept
tcp dport 22 accept
counter packets 19 bytes 1525 drop
}
}
Tips and tricks: iptables vs nftables
Install iptables on the OS.
You can translate all iptables commands to nftables.
You can also use the iptables-translate utility, which accepts iptables commands and converts them to the nftables equivalent: a much easier way to see how the two syntaxes differ.
# iptables-translate -A INPUT -p tcp --dport 22 -j ACCEPT
Allow incoming SSH connections from a specific IP range
# iptables-translate -A INPUT -p tcp -s 192.168.56.0/24 --dport 22 -j ACCEPT
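The interactive nft commands above are lost on reboot and are applied one at a time. As an added example (not from the original post), the script below writes the same policy as a single ruleset file that nft loads atomically, and it puts the SSH source range from the iptables-translate example into a named set, so the allow list can be changed with nft add element without touching the rules. The file path and the set name ssh_allow are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's code. Writes a complete nftables
# ruleset equivalent to the interactive commands, with the SSH source range
# kept in a named set. RULESET path and set name are assumptions.
RULESET="${RULESET:-/tmp/nftables-example.conf}"

write_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
# "flush ruleset" plus the table below is applied as one transaction,
# so there is never a moment with a half-loaded firewall.
flush ruleset

table inet filter {
    # Named set: change it with "nft add element inet filter ssh_allow { ... }"
    # instead of editing rules.
    set ssh_allow {
        type ipv4_addr
        flags interval
        elements = { 192.168.56.0/24 }
    }

    chain INPUT {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Needed with policy drop: ICMPv6 carries IPv6 neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept
        # One rule for SSH; the set restricts it to the IPv4 allow list.
        ip saddr @ssh_allow tcp dport 22 accept
        # Explicit counter so dropped packets show up in "nft list table".
        counter drop
    }
}
EOF
}

# Dry run: parse and evaluate the file without loading it (requires nft).
check_ruleset() {
    command -v nft >/dev/null 2>&1 && nft -c -f "$1"
}

write_ruleset "$RULESET"
check_ruleset "$RULESET" && echo "$RULESET passed nft -c"
# Load with: nft -f "$RULESET"
# Persist on RHEL 8: copy into /etc/sysconfig/nftables.conf, enable nftables.service
```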
Conclusion
In this post, you have seen why to upgrade to nftables and taken the first steps with the new syntax. Now you will need to familiarize yourself with it to upgrade your old iptables rules successfully.