nftables: Modern replacement for `iptables`

Nftables: The Modern Replacement for iptables

In the evolving landscape of Linux network management, nftables is rapidly becoming the preferred choice over the older iptables. This switch is fueled by the desire for more efficient, easy-to-manage, and flexible firewall configurations. Below, we discuss what makes nftables standout, how you can transition from iptables, and provide a step-by-step guide on how to install nftables using various package managers.

What is nftables?

Nftables is a subsystem of the Linux kernel, providing firewall/natting and packet filtering capabilities. It was introduced as part of the Linux 3.13 kernel and is intended to replace the legacy iptables service. It offers a simplified, consistent syntax and a single framework for both IPv4 and IPv6 protocols. Key features include:

Improved Performance: Nftables uses a more efficient in-kernel bytecode interpreter which enhances both speed and security.
Simpler Syntax: It offers a more straightforward syntax and better structured command lines, making the rules easier to maintain and understand.
Enhanced Flexibility: Nftables integrates with the Netfilter framework which supports various protocols, providing a more flexible rule set.

Transitioning from iptables to nftables

Transitioning is fairly straightforward. Most distributions come with a translation tool called iptables-translate and ip6tables-translate that will help you convert your iptables rules to nftables rules. However, it's often a good opportunity to review and optimise your existing rules as you make the switch.

Installing Nftables

Here's how you can install nftables on various Linux distributions:

Debian/Ubuntu (Using apt)

For Debian-based distributions like Ubuntu, you can install nftables using apt. First, update your package list:

sudo apt update

Then install nftables:

sudo apt install nftables

Fedora (Using dnf)

On Fedora, the dnf package manager is used for installations. First, ensure your packages are up-to-date:

sudo dnf makecache

Then, install nftables:

sudo dnf install nftables

openSUSE (Using zypper)

For openSUSE, zypper is the package manager. Start by refreshing the repository information:

sudo zypper refresh

Then install nftables:

sudo zypper install nftables

Configuring nftables

Once installed, you can begin configuring your rules. Nftables configurations are stored in /etc/nftables.conf. Here’s a simple example to get you started:

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Accept any localhost traffic
        iif lo accept

        # Accept traffic originated from us
        ct state established,related accept

        # Accept incoming SSH connections
        tcp dport 22 accept
    }
}

This basic configuration sets up a default drop policy for incoming connections, while allowing localhost traffic, established connections, and SSH on port 22.

Managing nftables

To start, stop, and check the status of nftables, use:

sudo systemctl start nftables
sudo systemctl stop nftables
sudo systemctl status nftables

To enable nftables to start at boot:

sudo systemctl enable nftables

Nftables offers a robust and modern framework for managing your network traffic with ease and efficiency. Whether you're a novice interested in setting up a secure system or an experienced admin in need of a powerful toolset, nftables provides the capabilities required to manage complex tasks through straightforward commands and configurations. Making the switch may seem daunting at first, but the long-term benefits in performance and manageability are well worth the effort.