
How to Safely Migrate from iptables-legacy to nftables


Introduction

Linux firewall management has evolved significantly over the years, with iptables being the traditional standard for configuring packet filtering rules. However, with the introduction of the nftables framework in Linux kernel 3.13 and beyond, a more modern and efficient alternative is now available. As of recent Linux distributions—such as Debian 10+, Ubuntu 20.04+, and CentOS/RHEL 8+—nftables is often the default firewall backend.

This guide explains how to safely migrate from iptables-legacy to nftables, covering key compatibility concerns, toolchains, and best practices for preserving firewall rules during the transition. It is particularly useful for system administrators managing production servers, cloud infrastructure, or Linux-based firewalls.

The migration process must be handled carefully to avoid disruptions in traffic filtering, VPN connections, NAT configurations, or service availability. Both iptables and nftables operate at the kernel level, and misconfiguration during the switch can inadvertently disable critical network policies.

By the end of this guide, readers will be able to:

  • Identify the active firewall backend.
  • Convert iptables rules to nftables syntax.
  • Switch to the iptables-nft backend safely.
  • Enable and manage nftables services and rules.


Prerequisites

  • Linux distribution with kernel version 3.13 or newer.
  • Root or sudo privileges.
  • iptables, iptables-nft, and nftables installed.
  • Backups of iptables rules using iptables-save and ip6tables-save.
🖊️ Tip: Use a test environment or staging server before applying changes in production.


Step-by-step Guide

Step 1: Check the Current iptables Backend

Run the following command to see which iptables implementation is currently in use:

sudo update-alternatives --display iptables

Output will indicate whether the system is using iptables-legacy or iptables-nft.
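As an added example (not part of the original guide), the following shell functions turn this check into something that can be run across many hosts: one classifies the string printed by `iptables -V`, which reports `(legacy)` or `(nf_tables)` in parentheses, another parses the `link currently points to` line of `update-alternatives --display iptables`, and a third looks for the warning that iptables-nft prints when tables still exist in the legacy backend. That mixed state, with both backends filtering every packet, is the one a migration should not leave behind. The function names and the sample strings in the comments are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original guide): classify which iptables
# backend a host uses, from the output of the commands in Step 1.
# Function names and the sample strings in comments are constructed.

# `iptables -V` reports the backend in parentheses, e.g.
#   iptables v1.8.7 (nf_tables)   or   iptables v1.8.7 (legacy)
# Older 1.6.x builds print no backend at all, which is reported as unknown.
backend_from_version() {
    case "$1" in
        *"(nf_tables)"*) echo "nft" ;;
        *"(legacy)"*)    echo "legacy" ;;
        *)               echo "unknown" ;;
    esac
}

# `update-alternatives --display iptables` contains a line such as
#   link currently points to /usr/sbin/iptables-nft
backend_from_alternatives() {
    target=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*link currently points to //p')
    case "$target" in
        */iptables-nft)    echo "nft" ;;
        */iptables-legacy) echo "legacy" ;;
        *)                 echo "unknown" ;;
    esac
}

# iptables-nft warns when tables also exist in the legacy backend:
#   # Warning: iptables-legacy tables present, use iptables-legacy to see them
# Both backends then filter every packet, so this is the state to clear
# before the migration is considered done. Exit status 0 means "mixed".
mixed_backends() {
    printf '%s\n' "$1" | grep -q 'iptables-legacy tables present'
}

# Live report; only runs the real commands when called explicitly.
report_live() {
    if v=$(iptables -V 2>/dev/null); then
        echo "iptables -V:         $(backend_from_version "$v")"
    fi
    if a=$(update-alternatives --display iptables 2>/dev/null); then
        echo "update-alternatives: $(backend_from_alternatives "$a")"
    fi
    if out=$(iptables-nft -S 2>&1) && mixed_backends "$out"; then
        echo "WARNING: legacy tables still loaded; both backends are active"
    fi
}

if [ "${1:-}" = "live" ]; then
    report_live
fi
```

Run it as `sudo sh check-backend.sh live` on a host; the two classifications should agree, and the warning line means rules are still loaded in the legacy backend even though the `iptables` command now points at iptables-nft.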


Step 2: Backup Existing iptables Rules

Before making any changes, export current rules:

sudo iptables-save > ~/iptables-backup.rules
sudo ip6tables-save > ~/ip6tables-backup.rules

Keep these files secure in case rollback is necessary.


Step 3: Install nftables if Not Already Installed

For Debian-based systems:

sudo apt update
sudo apt install nftables

For RHEL-based systems:

sudo dnf install nftables


Step 4: Convert iptables Rules to nftables Syntax

Install the iptables-nft compatibility tool (if not already present):

sudo apt install iptables-nftables-compat

Use iptables-translate to convert rules manually:

sudo iptables-translate -A INPUT -p tcp --dport 22 -j ACCEPT

This will output the equivalent nft syntax. For full rule sets, consider using a migration script or rebuild policies in nftables.conf.


Step 5: Switch to iptables-nft Backend

Change the default iptables implementation to use nftables:

sudo update-alternatives --set iptables /usr/sbin/iptables-nft
sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-nft

Verify the change:

sudo update-alternatives --display iptables

⚠️ Important Note: Switching to nftables will break compatibility with applications or scripts depending on iptables-legacy unless rules are ported.


Step 6: Enable nftables Service

Once migration is confirmed, enable the nftables service:

sudo systemctl enable nftables
sudo systemctl start nftables

To check the active ruleset:

sudo nft list ruleset
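The translation in Step 4 and the activation in Step 6 are the two places where a production cutover goes wrong: a rule the translator could not convert silently disappears, and a ruleset that locks out the administrator's own SSH session cannot be undone remotely. The script below is an added example, not part of the original guide, that strings Steps 2, 4 and 6 together with three safeguards: it lists any rules that `iptables-restore-translate` left unconverted, it parses the translated file with `nft -c` before loading anything, and it loads the new ruleset in one atomic `nft -f` transaction that is rolled back unless someone confirms it within a timeout. The file paths, the function names, the timeout, the sample translated output and the assumption that unconverted rules appear as `# -A CHAIN ...` comment lines are all constructed for this example; `read -t` requires bash.

```shell
#!/bin/bash
# Added example (not from the original guide): translate the saved legacy
# rules (Steps 2 and 4), check the result, and cut over to nftables (Step 6)
# with a timed rollback. Paths, function names, the sample rule set and the
# confirmation timeout are constructed for this example; `read -t` needs bash.

SAVE_CMD=${SAVE_CMD:-iptables-legacy-save}   # read the legacy backend explicitly
BACKUP=${BACKUP:-/root/iptables-backup.rules}
TRANSLATED=${TRANSLATED:-/root/nftables-translated.nft}
ROLLBACK=${ROLLBACK:-/root/nft-rollback.nft}
CONFIRM_SECONDS=${CONFIRM_SECONDS:-60}

# Constructed sample of what iptables-restore-translate produces for a small
# INPUT policy. The last line is a rule it could not convert (xt_recent has
# no direct nft equivalent) and is left behind as a comment.
sample_translation() {
    cat <<'EOF'
# Translated by iptables-restore-translate (constructed sample)
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
add rule ip filter INPUT iifname "lo" counter accept
add rule ip filter INPUT ct state related,established counter accept
add rule ip filter INPUT tcp dport 22 counter accept
# -A INPUT -m recent --name ssh --update --seconds 60 -j DROP
EOF
}

# Rules the translator left as "# -A CHAIN ..." comments (assumption about
# the marker format; confirm against the translator version in use).
untranslated_rules() {
    grep -E '^#[[:space:]]*-A ' "$1" || true
}

# Number of such rules; 0 means the translation is complete.
untranslated_count() {
    untranslated_rules "$1" | grep -c '' || true
}

migrate() {
    "$SAVE_CMD" > "$BACKUP"
    iptables-restore-translate -f "$BACKUP" > "$TRANSLATED"

    n=$(untranslated_count "$TRANSLATED")
    if [ "$n" -gt 0 ]; then
        echo "$n rule(s) need manual porting before cutover:" >&2
        untranslated_rules "$TRANSLATED" >&2
        return 1
    fi

    # Parse-only check: nft -c reads the file without loading anything.
    nft -c -f "$TRANSLATED" || return 1

    # Snapshot the current nft ruleset so the cutover can be undone.
    nft list ruleset > "$ROLLBACK"

    # Replace the nft ruleset in one transaction: "flush ruleset" and the new
    # rules are committed together by a single nft -f, so there is no moment
    # with an empty (accept-all) ruleset.
    { echo 'flush ruleset'; cat "$TRANSLATED"; } | nft -f -

    # If the new rules cut this session off, nobody types "yes", read times
    # out and the previous ruleset is restored.
    printf 'New ruleset loaded. Type yes within %ss to keep it: ' "$CONFIRM_SECONDS"
    answer=""
    read -r -t "$CONFIRM_SECONDS" answer || true
    if [ "$answer" != "yes" ]; then
        echo "no confirmation, rolling back" >&2
        { echo 'flush ruleset'; cat "$ROLLBACK"; } | nft -f -
        return 1
    fi

    # Persist the confirmed rules in the form the nftables service loads
    # (a flush first, so restarts do not duplicate rules), then enable it.
    { echo '#!/usr/sbin/nft -f'; echo 'flush ruleset'; cat "$TRANSLATED"; } > /etc/nftables.conf
    systemctl enable --now nftables
}

if [ "${1:-}" = "run" ]; then
    migrate
fi
```

Run it as `sudo bash migrate-nft.sh run` from a console or a second SSH session. Two caveats that follow from how the two backends coexist: `flush ruleset` removes every nft table, including any that Docker created after Step 5, so Docker needs a restart afterwards to rebuild its chains; and the legacy rules that were translated are still loaded in the kernel after the cutover, so once the new ruleset is confirmed the legacy chains should have their policies set to ACCEPT and be flushed (or the host rebooted), otherwise packets keep passing through both backends.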


Step 7: Verify Docker and System Compatibility

Docker and other tools may rely on legacy iptables chains. Confirm Docker still functions properly:

sudo docker run hello-world

If Docker fails, consider using iptables-legacy specifically for Docker via:

sudo update-alternatives --set iptables /usr/sbin/iptables-legacy


Conclusion

Migrating from iptables-legacy to nftables enhances firewall performance, modernizes rule syntax, and ensures compatibility with current Linux distributions. This guide provides a safe approach to assess, back up, convert, and activate nftables while minimizing downtime or service disruption.

Admins should test firewall rules thoroughly and validate compatibility with services like Docker or VPN software after migration. For advanced use cases, consider automating rule sets using nftables.conf and integrating firewall configurations into system provisioning tools like Ansible.

Should you have any inquiries about the guidelines, please feel free to open a ticket through your portal account or contact us at support@ipserverone.com. We’ll be happy to assist you further.