iptables vs nftables on CentOS/RHEL 8

Introduction

nftables will eventually replace iptables as the Linux kernel packet classification framework, more commonly referred to as ‘the firewall.’ However, both are still present and will be for a while. So which one should you choose? iptables vs nftables: the answer is nftables, at least in the long run. nftables has several advantages; for me, the most important are:

  • Unified rules for IPv4 and IPv6: rules which are independent of the IP protocol, such as ‘allow traffic on TCP port 22’, can be written so that a single rule applies to both protocols
  • Increased security and performance: rules are translated into bytecode.
  • Dynamic sets: you can change an allow or drop list, and even do port mapping, without updating the firewall rules themselves

There are also several disadvantages:

  • Maturity: nftables, although already very mature, can still lack some features which are standard in iptables, especially in the version shipped with stable distributions; more on this later
  • Tooling: many tools exist for iptables. For example, the excellent Shorewall is written explicitly for iptables, although the more powerful syntax of nftables makes tooling to manage rules less necessary.
  • Documentation: it is easier to find documentation and examples for iptables than for nftables.

Whether the advantages outweigh the disadvantages depends on the version of the Linux kernel and of the nftables userspace tools; which versions you get depends on the Linux distribution and release you run. Also, check the tutorial for firewalld on RHEL 8.

nftables setup

By default, firewalld is present on every CentOS/RHEL 8 install. We have to remove it, or at least disable the service and mask it so nothing can start it again.

# systemctl disable --now firewalld
# systemctl mask firewalld

Install the nftables package

# dnf install nftables

Create a new table for nftables and list it

# nft add table inet filter
# nft list tables
# nft list table inet filter

We will now define a new chain, which we will call INPUT. However, the name is not important; it is the type and hook that define the chain’s function.

# nft add chain inet filter INPUT \
> { type filter hook input priority 0 \; policy accept \; }

# nft list table inet filter
table inet filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
        }
}

Adding SSH rules

# nft add rule inet filter INPUT iif lo accept
# nft add rule inet filter INPUT ct state established,related accept
# nft add rule inet filter INPUT tcp dport 22 accept
# nft add rule inet filter INPUT counter drop
# nft list table inet filter
table inet filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
                iif "lo" accept
                ct state established,related accept
                tcp dport 22 accept
                counter packets 0 bytes 0 drop
        }
}

List the filter table again after some traffic has arrived; the counter on the final drop rule now shows what has been dropped

# nft list table inet filter
table inet filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
                iif "lo" accept
                ct state established,related accept
                tcp dport 22 accept
                counter packets 19 bytes 1525 drop
        }
}

Tips and tricks

Install the iptables package on the OS; on CentOS/RHEL 8 it provides the nft-backed iptables command together with iptables-translate.

You can translate your iptables commands to nftables syntax.

You can also use the iptables-translate utility, which accepts iptables commands and prints the nftables equivalent: a much easier way to see how the two syntaxes differ.

# iptables-translate -A INPUT -p tcp --dport 22 -j ACCEPT

Allow incoming SSH connections from a specific IP range:

# iptables-translate -A INPUT -p tcp -s 192.168.56.0/24 --dport 22 -j ACCEPT
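The commands above build the ruleset one rule at a time, and it is gone after a reboot. As an added example (not code from the original post), the script below renders the same inet filter table as a single file, going beyond the post in two ways: the chain gets a default drop policy instead of accept plus a trailing drop, and the allowed SSH sources from the translate example live in a named set, the dynamic-set advantage listed in the introduction. It assumes the RHEL 8 nftables service reads /etc/sysconfig/nftables.conf and that 192.168.56.0/24 is a constructed management range.

```shell
#!/bin/sh
# Added example, not code from the original post: renders the ruleset
# built interactively above as one nft file so it survives a reboot.
# Assumptions: the RHEL 8 nftables service loads /etc/sysconfig/nftables.conf;
# 192.168.56.0/24 (from the translate example) is a constructed range.

# render_ruleset PORT "CIDR1 CIDR2 ..."
# Allowed SSH sources live in a named set, so the allow-list is changed
# with 'nft add element' / 'nft delete element', never by rewriting the
# rules. The set is IPv4-only: IPv6 admins need a second ipv6_addr set,
# while the inet table itself still covers both families.
render_ruleset() {
    port="$1"
    sources="$2"
    # nft rejects 'elements = { }', so omit the line for an empty list
    # (the SSH rule then matches nothing until elements are added).
    if [ -n "$sources" ]; then
        elements="elements = { $(printf '%s' "$sources" | sed 's/ /, /g') }"
    else
        elements=""
    fi
    cat <<EOF
flush ruleset
table inet filter {
    set ssh_sources {
        type ipv4_addr
        flags interval
        ${elements}
    }
    chain INPUT {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip saddr @ssh_sources tcp dport ${port} accept
        counter drop   # same final counter as above; policy drop is the safety net
    }
}
EOF
}

# Parse-check the file before touching the live ruleset; 'nft -f' then
# replaces the whole ruleset atomically, so there is no half-applied state.
install_ruleset() {
    conf=/etc/sysconfig/nftables.conf
    render_ruleset "$1" "$2" > "$conf"
    nft -c -f "$conf" || return 1
    nft -f "$conf" && systemctl enable --now nftables
}
```

Run `install_ruleset 22 "192.168.56.0/24"` as root; a new admin host is added later with `nft add element inet filter ssh_sources '{ 10.0.0.5 }'` without reloading the rules.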

Conclusion

In this post, you have seen why to upgrade to nftables and the first steps with the new syntax. Now you need to familiarize yourself with it in order to upgrade your old iptables rules successfully.

Neil
Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.
