Most major Linux distributions have adopted nftables as their default packet-filtering framework, and most of them now route the familiar iptables commands through it as well. Some of the key distributions that ship nftables:
- Debian: Starting with Debian Buster, nftables is the default backend for iptables.
- Ubuntu: From Ubuntu 20.10 (Groovy Gorilla) onwards, nftables is included and can serve as the default firewall framework.
- Fedora: Fedora has integrated nftables and uses it as the default firewall framework; firewalld, Fedora's default firewall manager, uses nftables as its backend.
- Arch Linux: Arch Linux includes nftables and provides packages for easy installation and configuration.
- Red Hat Enterprise Linux (RHEL): RHEL 8 and later use nftables as the default packet-filtering framework, and the iptables command they ship is the nf_tables-backed variant.
Let's examine a freshly installed Ubuntu 24.04 LTS on a Raspberry Pi.
What does iptables -V tell me?
┌──$(root㉿raspi24n)-[/]
└─# iptables -V
iptables v1.8.10 (nf_tables)
The system does not use the legacy iptables backend. The iptables binary is the nf_tables build: it accepts the classic iptables syntax but submits the rules through the nftables kernel API instead of the legacy x_tables interface, so it acts as a bridge into the nftables framework.
To complete the picture, follow the symbolic link behind the iptables command (Ubuntu manages it through the alternatives system, which is also where update-alternatives --config iptables would let you switch to iptables-legacy):
┌──$(root㉿raspi24n)-[/]
└─# ls -al /usr/sbin/iptables
lrwxrwxrwx 1 root root 26 Apr 8 2024 /usr/sbin/iptables -> /etc/alternatives/iptables
└─# ls -l /etc/alternatives/iptables
lrwxrwxrwx 1 root root 22 Aug 27 16:29 /etc/alternatives/iptables -> /usr/sbin/iptables-nft
Because iptables-nft writes its rules into nf_tables tables, the ruleset it creates shows up in nftables' own listing (nft list ruleset): the iptables table filter appears as table ip filter, with chains named INPUT, FORWARD and OUTPUT, and nft can read and even modify those rules.
Are iptables-nft and nftables the same thing, then? No, but they share the nftables infrastructure.
Here’s how they work together:
Compatibility Layer
iptables-nft: This is a variant of iptables that talks to the nftables kernel API (nf_tables). When you run iptables commands, this compatibility layer turns them into nf_tables rules, so you keep the familiar iptables syntax while the kernel side is nftables. The gain is on the infrastructure side (one kernel API, transactional rule loading); the iptables syntax itself does not expose native nftables features such as sets and maps, and most matches and targets still run through the xtables extension modules via the nft compat layer.
iptables-legacy: This is the traditional iptables that talks to the kernel's x_tables interface directly. It operates independently of nftables and does not translate rules into nf_tables; the rules it loads are invisible to nft.
Interaction
Rule Management: When you use iptables-nft, the rules you create live in the kernel's nf_tables tables. That is where nft list ruleset finds them, and nft (or an nftables ruleset file that starts with flush ruleset) can overwrite them, so the two tools are editing the same state.
Kernel API: iptables-nft and nft use the same netlink-based nf_tables kernel API, so packet matching and filtering behave the same whichever tool created a rule.
Coexistence: iptables-legacy and nftables can run side by side, but that is the situation to avoid. Both backends register their own netfilter hooks, so every packet is evaluated by the legacy x_tables chains and by the nf_tables chains: an ACCEPT in one does not bypass the other, a DROP in either wins, and the order in which they run depends on hook priority. Rules loaded through one backend are also invisible to the other's listing, so a host can look clean while a second ruleset is still filtering traffic. Stick with one backend, and check with both iptables-legacy -S and iptables-nft -S (or nft list ruleset) before assuming you have seen every rule.
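As an added example (not code from the original post), here is a POSIX shell script that turns the checks above into something you can run on a host: it classifies the backend from the iptables -V banner, and it flags the coexistence problem from the previous paragraph, where both iptables-legacy and iptables-nft carry rules. The sample banner and rule listings at the bottom are constructed, not captured from the Raspberry Pi; live_audit runs the same logic against the real host and needs root to list rules.

```shell
#!/bin/sh
# Added example, not part of the original post: classify the iptables backend
# from its version banner and detect the mixed-backend state where both
# iptables-legacy and iptables-nft carry rules.

# classify_backend BANNER -> prints nft, legacy or unknown.
# iptables >= 1.8 appends the backend in parentheses; older builds print none.
classify_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# count_rules LISTING -> number of real rules in "iptables -S" style output.
# Only "-A" lines count; "-P" (policy) and "-N" (chain) lines exist on every
# host and say nothing about whether the backend is actually in use.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A ' || true
}

# mixed_rulesets LEGACY_LISTING NFT_LISTING -> 0 (true) when both backends
# hold rules, 1 otherwise. A packet traverses both hook sets, so this is the
# state to flag.
mixed_rulesets() {
    if [ "$(count_rules "$1")" -gt 0 ] && [ "$(count_rules "$2")" -gt 0 ]; then
        return 0
    fi
    return 1
}

# live_audit: the same checks against the real host. Needs root to list rules.
# Returns 0 for a single backend, 1 for mixed rulesets, 2 if iptables is absent.
live_audit() {
    banner=$(iptables -V 2>/dev/null) || { echo "iptables not found" >&2; return 2; }
    echo "backend: $(classify_backend "$banner")"
    echo "binary : $(readlink -f "$(command -v iptables)")"
    if command -v iptables-legacy >/dev/null 2>&1 && command -v iptables-nft >/dev/null 2>&1; then
        if mixed_rulesets "$(iptables-legacy -S 2>/dev/null)" "$(iptables-nft -S 2>/dev/null)"; then
            echo "WARNING: both iptables-legacy and iptables-nft carry rules" >&2
            return 1
        fi
    fi
    return 0
}

# Constructed sample data (not captured from a real host).
SAMPLE_BANNER='iptables v1.8.10 (nf_tables)'
# A leftover rule from a tool still linked against the legacy backend:
LEGACY_SAMPLE='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i br0 -j ACCEPT'
# The host's intended policy, loaded through iptables-nft:
NFT_SAMPLE='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT'
# What an unused backend looks like: default chains, default policies, no rules.
POLICY_ONLY_SAMPLE='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

echo "sample backend: $(classify_backend "$SAMPLE_BANNER")"
if mixed_rulesets "$LEGACY_SAMPLE" "$NFT_SAMPLE"; then
    echo "sample: mixed rulesets (legacy and nf_tables both populated)"
fi
if ! mixed_rulesets "$POLICY_ONLY_SAMPLE" "$NFT_SAMPLE"; then
    echo "sample: single backend in use"
fi
# On a real host, run:  live_audit
```

The policy-only case matters: iptables-legacy -S prints the three default chains with ACCEPT policies even when nobody has loaded a legacy rule (it only needs the x_tables modules to be loadable), so counting chains or policy lines would produce a false alarm on every host.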
Best Practices
Transition to nftables: If you're starting fresh or modernizing your firewall management, move to native nftables. It gives you atomic ruleset replacement (nft -f on a file that starts with flush ruleset), one inet table for IPv4 and IPv6 instead of separate iptables and ip6tables rulesets, native sets and maps, and a more regular syntax. Existing rules can be converted with iptables-translate and iptables-restore-translate, which print the nft equivalent of iptables commands without applying anything.
Use iptables-nft: If you prefer the iptables syntax, use the iptables-nft variant so that your rules land in nf_tables, where nft list ruleset shows them together with any native nftables rules, rather than in a separate legacy ruleset that nft never sees.
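To make the "simpler syntax" point concrete, here is an added example (not the post's own code) of the classic loopback/established/SSH input policy written as a native nftables ruleset file, the kind of file you would hand to nft -f. The inet family handles IPv4 and IPv6 in one table, which the iptables/ip6tables pair cannot do. The file path is an assumption; write_ruleset only writes the file and check_ruleset parse-checks it with nft -c without touching the live ruleset, so nothing here needs root.

```shell
#!/bin/sh
# Added example, not part of the original post: the native nftables ruleset for
# an "allow loopback, established, ICMP and SSH; drop the rest" input policy,
# written to a file and parse-checked with nft's dry-run mode where nft exists.

# write_ruleset PATH: write the ruleset file. One inet table covers both IPv4
# and IPv6; "flush ruleset" at the top makes a reload atomic and idempotent.
write_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMP keeps path-MTU discovery and IPv6 neighbour discovery working
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport 22 accept
        counter drop    # count what the policy drops; useful when debugging
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
EOF
}

# check_ruleset PATH: parse-check the file without applying it (nft -c).
# Returns 0 on success or when nft is not installed (nothing to check with),
# non-zero when nft rejects the file.
check_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed; skipping syntax check" >&2
        return 0
    fi
    nft -c -f "$1"
}

# Assumed location; adjust to taste. On Debian/Ubuntu the nftables service
# loads /etc/nftables.conf, so that is where this content would finally go.
RULESET_FILE="${TMPDIR:-/tmp}/filter.nft"
write_ruleset "$RULESET_FILE"
check_ruleset "$RULESET_FILE" && echo "ruleset written to $RULESET_FILE"
# Apply on a real host (as root) with:  nft -f "$RULESET_FILE"
```

Compare this with the iptables version of the same policy, which needs a parallel ip6tables ruleset and a separate restore step for each, and cannot be swapped in one atomic transaction.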
By understanding how iptables and nftables interact, you can make informed decisions about managing your firewall rules and ensure a smooth transition to nftables.
Check out the official nftables wiki: http://wiki.nftables.org/