iptables vs nftables: What's the Difference?

Every Linux administrator has surely worked with iptables, the longstanding Linux firewall that has served us well for many years. But you may not yet be familiar with nftables, a newcomer meant to offer us some much-needed upgrades and ultimately replace the aging iptables.

Why nftables instead of iptables?

Nftables is developed by Netfilter, the same organization that currently maintains iptables. It was created as a remedy to the problems with iptables, namely scalability and performance.

Apart from a new syntax and some upgrades, you’ll find that it functions very similarly to its predecessor.

Another justification for a new utility is that the iptables framework has become a little convoluted with iptables, ip6tables, arptables, and ebtables all providing different but similar functions.

For example, it’s simply inefficient to create IPv4 rules in iptables and IPv6 rules in ip6tables and keep the two in sync. Nftables aims to replace all of these and be a centralized solution.

Although nftables has been included in the Linux kernel since 2014, it’s recently gaining more traction as adoption becomes more widespread. Change is slow in the Linux world, and outdated utilities often take a few years or longer to be phased out in favor of their upgraded counterparts.

Nftables is becoming the recommended firewall of choice, and it behooves Linux administrators to update their repertoire. Now is a great time to learn nftables and update your existing iptables configuration.

If you have been using iptables for years and are not too thrilled with the idea of having to learn a brand new utility, don’t worry, we’ve got you covered in this guide. In this article, we will cover the differences between nftables and iptables, and show examples for configuring your firewall rules in the new nftables syntax.

Chains and rules in nftables

In iptables, there are three default chains: input, output, and forward. These three “chains” (and other chains, if you have any configured) hold “rules,” and iptables works by matching network traffic against the list of rules in a chain. If the traffic being examined doesn’t match any rule, the chain’s default policy (e.g. ACCEPT or DROP) is applied to the traffic.

Nftables works similarly to this, with “chains” and “rules,” as well. However, it doesn’t start out with any base chains, which makes configuration a little more flexible.

One area of inefficiency in iptables is that all network data has to traverse one or more of these aforementioned chains, even if the traffic doesn’t match any rules. Whether you have configured any rules in these chains or not, iptables still checks your network data against them.

Installing nftables on Linux

Nftables is available in all major Linux distributions and you can easily install it using the package manager of your distribution.

On an Ubuntu or Debian-based distribution, you can use this command:

sudo apt install nftables

To make sure that nftables starts automatically when your system reboots:

sudo systemctl enable nftables.service

Syntax difference between iptables and nftables

Nftables has a different and much simpler syntax than iptables. Let’s be honest, the iptables syntax was always unclear and took some extra effort to learn. Luckily for those migrating from iptables, nftables still accepts the old syntax.

You can also use the iptables-translate utility, which will accept iptables commands and convert them to the nftables equivalent. This is an easy way to see how the two syntaxes differ.

Install iptables-translate on Ubuntu and Debian-based distributions with this command:

sudo apt install iptables-nftables-compat

Once it’s installed, you can pass your iptables syntax to the iptables-translate command, and it will return the nftables equivalent command.

Let’s see some examples so that you can see how these commands differ from each other.

Block incoming connections

This command would block incoming connections from IP address 192.168.2.1:

linux@handbook:~$ iptables-translate -A INPUT -s 192.168.2.1 -j DROP
nft add rule ip filter INPUT ip saddr 192.168.2.1 counter drop

Allow incoming SSH connections

Let’s look at some more examples – common things that you’d normally find yourself typing into iptables when hardening a Linux server.

linux@handbook:~$ iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
nft add rule ip filter INPUT tcp dport 22 ct state new,established counter accept

Allow incoming SSH connections from specific IP range

If you want to allow incoming SSH connections from 192.168.1.0/24:

linux@handbook:~$ iptables-translate -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
nft add rule ip filter INPUT ip saddr 192.168.1.0/24 tcp dport 22 ct state new,established counter accept

Allow MySQL connections to eth0 network interface

Here’s the syntax for iptables and nftables:

linux@handbook:~$ iptables-translate -A INPUT -i eth0 -p tcp --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
nft add rule ip filter INPUT iifname eth0 tcp dport 3306 ct state new,established counter accept

Allow incoming HTTP and HTTPS traffic

To allow a certain type of traffic, here’s the syntax for both commands:

linux@handbook:~$ iptables-translate -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp tcp dport { 80,443} ct state new,established counter accept

As you can see from these examples, the syntax is still pretty similar to iptables, but the commands are a little more intuitive.

Logging with nftables

The “counter” option present in the nft command examples above tells nftables to count the number of times a rule is matched, which iptables did by default.

In nftables, counters are optional and must be specified explicitly on each rule that should keep one, as in this example:

nft add rule ip filter INPUT ip saddr 192.168.2.1 counter accept
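The one-liners above add rules to an existing table one at a time. As an added example that is not part of the original article, here is the same policy written as a single nftables ruleset file (such as /etc/nftables.conf), which also shows the base chain with its hook and default policy that nftables does not create for you, and the counter keyword from the section above. The interface name eth0 and the address ranges are the article's; the inet family, the ICMP rules and the rate-limited log rule are my additions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original article): the article's rules as one
# declarative ruleset. Family "inet" covers IPv4 and IPv6 in a single table,
# so there is no separate ip6tables configuration to keep in sync.
# Assumptions: the LAN interface is eth0 and the trusted admin range is
# 192.168.1.0/24, as in the article's examples.

flush ruleset

table inet filter {
    chain input {
        # nftables has no built-in chains: a base chain needs an explicit hook,
        # priority and default policy. Anything not accepted below is dropped.
        type filter hook input priority filter; policy drop;

        # Loopback and already-established traffic first
        iifname "lo" accept
        ct state established,related counter accept
        ct state invalid counter drop

        # With policy drop you must allow ICMP explicitly; IPv6 needs ICMPv6
        # for neighbour discovery or the host loses connectivity.
        meta l4proto { icmp, icmpv6 } counter accept

        # Block the host from the article's first example
        ip saddr 192.168.2.1 counter drop

        # SSH only from the trusted range; MySQL only on eth0
        ip saddr 192.168.1.0/24 tcp dport 22 ct state new counter accept
        iifname "eth0" tcp dport 3306 ct state new counter accept

        # HTTP and HTTPS from anywhere, using a set instead of multiport
        tcp dport { 80, 443 } ct state new counter accept

        # Log (rate limited) and count whatever reaches the end of the chain
        limit rate 5/minute log prefix "nft-input-drop: " counter drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Check the file for syntax errors without loading it with nft -c -f /etc/nftables.conf, then load it with nft -f /etc/nftables.conf; because the file starts with flush ruleset, the whole ruleset is replaced in one atomic transaction, and nft list ruleset afterwards shows the packet and byte counters next to each rule.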

Nftables has options built in for exporting your configuration. It currently supports XML and JSON.

nft export xml

Conclusion

In this article, I explained why nftables is the new recommended choice when it comes to Linux firewalls. I have also listed a lot of the differences between the old iptables and the newer nftables, including their functionality and syntax.

This guide has shown you why to consider upgrading to nftables, and how to get started with the new syntax you will need to familiarize yourself with in order to successfully upgrade your old iptables rules.

If you have questions or suggestions, please let me know in the comments.