Replace iptables with nftables



  • It seems that iptables is being replaced with nftables (it's standard in Debian 10)

    https://wiki.debian.org/nftables

    Should I replace an iptables firewall with a nftables one?
    Yes, nftables is the replacement for iptables. There are some tools in place to ease this task.
    Please read: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
    Why a new framework?
    The previous framework (iptables) has several problems hard to address, regarding scalability, performance, code maintenance, etc.
    What are the major differences?

    • In iptables there are several tables (filter, nat) and chains (FORWARD, INPUT...) by default. In nftables, there are no default tables/chains.
    • Also, in iptables you only have one target per rule (-j ACCEPT, -j LOG ...). In nftables, you can perform several actions in one single rule.
    • nftables includes built-in data sets capabilities. In iptables this is not possible, and there is a separated tool: ipset.
    • In the iptables framework there are tools per family: iptables, ip6tables, arptables, ebtables. Now, nftables allows you to manage all families in one single CLI tool.
    • This new framework features a new linux kernel subsystem, known as nf_tables. The new engine mechanism is inspired by BPF-like systems, with a set of basic expressions, which can be combined to build complex filtering rules.
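As an added illustration of the differences quoted above (this ruleset is not from the thread, the Debian wiki or the nftables wiki), here is a minimal nftables configuration that creates its own table and chains, uses one `inet` table for IPv4 and IPv6, keeps address and port sets inline instead of in ipset, and logs and drops in a single rule. The addresses and ports are constructed sample values.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the thread). Load with: nft -f <file>
# Dry-run syntax check without touching the kernel: nft -c -f <file>

flush ruleset

# No default tables/chains exist in nftables: everything below is created here.
# The "inet" family covers IPv4 and IPv6 in one table, so there is no separate
# ip6tables-style ruleset to keep in sync.
table inet filter {

    # Built-in sets replace the separate ipset tool.
    # Constructed sample addresses (RFC 5737 documentation ranges).
    set admin_hosts {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    set allowed_tcp_ports {
        type inet_service
        elements = { 80, 443 }
    }

    chain input {
        # Base chain hooked into the kernel; default policy is drop.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP / ICMPv6 are needed for path MTU discovery and neighbour discovery.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # SSH only from the admin set; the set lookup is inline (no ipset).
        ip saddr @admin_hosts tcp dport 22 accept

        # Web ports from anywhere, matched against a port set.
        tcp dport @allowed_tcp_ports accept

        # Several actions in one rule: iptables needs a -j LOG rule followed by
        # a separate -j DROP rule; here rate-limit, log and drop are one statement.
        limit rate 5/minute log prefix "nft drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Packets that exceed the log rate limit skip the last rule and still hit the chain's drop policy, so logging never opens a hole; only the log volume is capped.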


  • Thanks for the info. We in fact want to move to ufw instead. It seems most users are more comfortable with ufw and not iptables which is too low level.



  • @girish I don't expect that to take too much time either, UFW's backend is iptables, so really just sorting out the UFW CLI / API should be relatively simple



  • @girish Is it happening? Was looking to customize some settings but I'm not touching iptables.

