Hi there, fellow Linux fans and system administrators! We’re going to learn a lot about Linux firewalls today. Are you on the fence about whether to stick with the old iptables or switch to the newer nftables? You’re in for a treat. Get your favorite coffee or tea, and let’s figure this out together.
Getting to Know Our Audience
Let’s talk about you first. This guide is for you if you’re a seasoned Linux administrator who wants to stay up to date, a DevOps worker who wants to make your system run more smoothly, or a tech fan who wants to learn more about network security. We’ll break down complicated ideas, show you how they work in real life, and tell you when to use each tool.
From iptables to nftables: How Linux Firewalls Have Changed Over Time
iptables: The Trusted Veteran
Think about the early 2000s. People liked flip phones; the internet had that weird dial-up sound; and iptables was the newest Linux firewall.
Iptables quickly replaced the old ipchains as the best tool for filtering packets in Linux. It works with the Linux kernel’s Netfilter system to give users a way to handle firewall rules in user space.
Let me give you the lowdown on iptables:
- The rules are organized using tables such as filter, nat, and mangle.
- The tables consist of various chains such as INPUT, OUTPUT, and FORWARD.
- The fate of network packets is determined by the rules in these chains.
A basic iptables rule looks something like this:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
This rule permits incoming SSH connections. It’s pretty straightforward, isn’t it? Well, that’s not always the case. As networks became increasingly intricate, certain drawbacks of iptables started to become apparent.
Introducing nftables: The Modern Contender
Jump ahead to 2014. Introducing nftables with Linux kernel 3.13, the Netfilter project (yes, the same team behind iptables) makes its mark. Imagine it as a major upgrade to iptables, with a complete revamp behind the scenes.
nftables seeks to overcome the limitations of iptables by offering a more efficient and adaptable framework. Here’s what drives its functionality:
- A fresh and user-friendly syntax
- An all-inclusive engine that supports IPv4, IPv6, ARP, and various other protocols
- Enhanced rule processing for improved efficiency
- Improved functionality for updating dynamic rulesets
Now, let’s examine the SSH rule in nftables:
nft add rule ip filter input tcp dport 22 accept
It appears more organized, doesn’t it? However, the advantages extend far beyond mere syntax. Now, let’s explore some practical examples to witness these tools in action.
Real-World Scenarios: Comparing iptables vs nftables in Practical Situations
Scenario 1: Establishing a Firewall for a Web Server
Images yourself being assigned the responsibility of ensuring the security of a fresh web server. It is necessary to enable HTTP, HTTPS, and SSH traffic while restricting all other forms of communication. Now, let’s observe how each tool manages this situation.
Using iptables:
# Set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback and established connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SSH, HTTP, and HTTPS
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Log and drop other traffic
iptables -A INPUT -j LOG --log-prefix "DROPPED: "
iptables -A INPUT -j DROP
Using nftables:
# Create table and chain
nft add table ip filter
nft add chain ip filter input { type filter hook input priority 0 \; policy drop \; }
# Allow loopback and established connections
nft add rule ip filter input iif lo accept
nft add rule ip filter input ct state established,related accept
# Allow SSH, HTTP, and HTTPS
nft add rule ip filter input tcp dport { 22, 80, 443 } accept
# Log and drop other traffic
nft add rule ip filter input log prefix \"DROPPED: \"
nft add rule ip filter input drop
See how nftables enables us to group multiple ports in a single rule? That’s only a glimpse into its versatility. For a basic ruleset like this, there won’t be a significant impact on performance. As your ruleset expands, the efficiency of nftables’ rule processing engine becomes increasingly apparent.
Scenario 2 : Redirecting Traffic from a Game Server
Consider the scenario where you have a Minecraft server that is protected by a firewall. An internal server at 192.168.1.100 needs to have port 25565 forwarded from the outside.
Using iptables:
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# NAT rule for port forwarding
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25565 -j DNAT --to-destination 192.168.1.100:25565
# Allow forwarded traffic
iptables -A FORWARD -i eth0 -p tcp --dport 25565 -d 192.168.1.100 -j ACCEPT
Using nftables:
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Create nat table and prerouting chain
nft add table ip nat
nft add chain ip nat prerouting { type nat hook prerouting priority -100 \; }
# NAT rule for port forwarding
nft add rule ip nat prerouting iif eth0 tcp dport 25565 dnat to 192.168.1.100:25565
# Allow forwarded traffic
nft add rule ip filter forward iif eth0 ip daddr 192.168.1.100 tcp dport 25565 accept
Although both do the same thing, nftables makes the distinction between NAT and filtering rules more apparent. When dealing with complicated setups that include several port forwarding, this becomes quite useful.
Scenario 3: Using Rate Limiting to Prevent DDoS Attacks
DDoS assaults are rather annoying, don’t they? Let’s secure our web server by implementing a rate limitation. Twenty inbound TCP connections will be allowed per second.
Using iptables:
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 32 -j DROP
iptables -A INPUT -p tcp --dport 80 -m recent --name HTTP --set
iptables -A INPUT -p tcp --dport 80 -m recent --name HTTP --update --seconds 1 --hitcount 20 -j DROP
Using nftables:
nft add rule ip filter input tcp dport 80 ct state new limit rate 20/second accept
nft add rule ip filter input tcp dport 80 drop
Notice how much easier the nftables version is to use? Not only is it simpler to write, but it is also simpler to quickly comprehend. But the advantages go beyond ease of reading. Because nftables’ rule processing engine is more efficient than iptables’, it can handle complicated rate-limiting situations and huge traffic volumes with minimal overhead.
Scenario 4: Geoblocking with Dynamic IP Sets
Say you run a service that people in the US and Canada are the only ones who can use. You want to block traffic from all other countries. This is where nftables’ built-in set support really shines.
Using iptables:
This requires ipset, which is a separate tool:
# Create and populate the IP sets
ipset create us hash:net
ipset create ca hash:net
for ip in $(wget -qO- https://www.ipdeny.com/ipblocks/data/countries/us.zone); do ipset add us $ip; done
for ip in $(wget -qO- https://www.ipdeny.com/ipblocks/data/countries/ca.zone); do ipset add ca $ip; done
# Use the sets in iptables rules
iptables -A INPUT -m set --match-set us src -j ACCEPT
iptables -A INPUT -m set --match-set ca src -j ACCEPT
iptables -A INPUT -j DROP
Using nftables:
# Create and populate the sets
nft add table ip filter
nft add set ip filter allowed_countries { type ipv4_addr\; flags interval\; }
nft add element ip filter allowed_countries { 1.0.0.0/8, 2.0.0.0/8, ... } # US and Canada IP ranges
# Use the set in a rule
nft add rule ip filter input ip saddr @allowed_countries accept
nft add rule ip filter input drop
nftables makes it easier to handle and change blocked IP ranges by putting set management right into its code. This unified method not only makes management easier, but it also improves speed, especially when working with large IP sets.
Scenario 5: Filtering at the Application Layer
Let’s take it a step further and prohibit web scraping by banning particular user agents.
Using iptables:
The string match module is necessary for this task:
iptables -A INPUT -p tcp --dport 80 -m string --string "BadBot" --algo bm --to 700 -j DROP
Using nftables:
nft add rule ip filter input tcp dport 80 meta l4proto tcp \
payload [@th].[@nh,192] \
@eq "BadBot" drop
Nftables offers a more versatile payload matching mechanism, which enables more advanced application layer filtering without the need for extra kernel modules, compared to the other method, but both can do the goal. When dealing with complicated application layer filtering rules, this integrated method might result in higher performance.
Scenario 6: Stateful Firewall with Connection Tracking
Both iptables and nftables provide stateful firewalling via connection tracking. Let’s create a rudimentary stateful firewall that enables established connections while blocking anything else.
Using iptables:
# Set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow new SSH connections
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
Using nftables:
nft add table ip filter
nft add chain ip filter input { type filter hook input priority 0 \; policy drop \; }
# Allow established connections
nft add rule ip filter input ct state established,related accept
# Allow new SSH connections
nft add rule ip filter input tcp dport 22 ct state new accept
Both technologies handle connection tracking well, but nftables outperforms when it comes to maintaining sophisticated stateful rules, particularly in high-traffic scenarios.
Performance Comparison: iptables vs. nftables
Now, let us discuss performance. In my experience operating high-traffic web servers, the difference is evident, particularly as the ruleset becomes more complicated.
Rule Processing Efficiency
iptables processes rules in a sequential order, which might be sluggish when dealing with big rule sets. nftables, on the other hand, stores rules in a form of binary tree, which speeds up lookups, particularly for complicated rulesets.
I once moved a big e-commerce business from iptables to nftables. The CPU use for packet processing decreased by around 30%. Your mileage may vary, but in high-traffic settings, nftables often has an advantage.
Memory Usage
nftables requires less memory than iptables, particularly when dealing with extensive rule sets. This is owing in part to its more efficient rule storing system, as well as the fact that it does not need separate modules for various protocol families.
Ruleset Updates
When it comes to updating rules, nftables excels. Updating a single rule in iptables sometimes necessitates reloading the whole ruleset, resulting in a short period of inconsistency on your firewall. nftables supports atomic ruleset changes, which means you may alter numerous rules in a single transaction without creating inconsistent intermediate states.
Packet Classification:
nftables has a more sophisticated packet categorization method, resulting in speedier processing speeds, particularly for complicated rulesets. This is especially obvious when working with rules that need many matches or complicated circumstances.
Multi-Threading Support
While both iptables and nftables may benefit from multi-core platforms, nftables was built to handle multi-threading more well. This may contribute to enhanced performance on systems with several CPU cores, particularly when under heavy stress.
Easy to use and maintain
Both technologies have learning curves, but nftables is often simpler to maintain in the long term, particularly for complicated settings.
Rule Management
It can be challenging to change rules in the middle of a long chain with iptables. You may need to repeatedly clear and load entire sets of rules. nftables, on the other hand, makes it easier to add rules and change entire rule sets. During repair times, this function comes in handy:
nft -f /etc/nftables.conf
This statement updates all the rules simultaneously, reducing the likelihood of your firewall malfunctioning during the update process.
Syntax and Readability
In general, nftables has a grammar that is easier to understand and read. This is especially clear when you have to deal with complicated rules or rules for both IPv4 and IPv6. With iptables, you usually need different rules for IPv4 and IPv6, but with nftables, you can use the same set of rules for both.
Debugging and Troubleshooting
The analysis tools in nftables are more powerful. For example, it’s simple to print the whole code in a style that people can understand:
nft list ruleset
This makes it simple to check your firewall settings and fix problems.
The Conclusion: Evolution, Not Revolution
With extensive practical experience using both tools, I have come to the conclusion that nftables is not just another trendy gadget, but rather the next generation of Linux firewalls. However, it doesn’t imply that iptables becomes obsolete all of a sudden.
If you’re embarking on a new project or have the freedom to choose, opt for nftables. With its enhanced syntax, superior performance, and enhanced rule management capabilities, it is a reliable option for contemporary network environments.
Nevertheless, if you’re dealing with established systems that heavily depend on iptables, there’s no urgency to expedite the migration. iptables remains a popular choice, widely recognized for its effectiveness in safeguarding your systems.
Always prioritize the security of your systems, no matter which tool you opt for. Performing regular audits, managing rules diligently, and staying up-to-date on potential vulnerabilities are essential for any vigilant information security analyst, regardless of their preferred approach to firewall management.
Frequently Asked Questions (FAQ)
While not formally deprecated, iptables is no longer being maintained. The Linux kernel group is focused on nftables as a long-term alternative for iptables. However, iptables is still frequently used and maintained by modern Linux systems.
Yes, you may run iptables and nftables on the same system. However, it is typically not encouraged since it might cause misunderstanding and dispute. If you need to utilize both momentarily (for example, during a migration), make sure you understand how they work together and prioritize their rules.
There’s a tool called iptables-translate
that can help convert iptables rules to their nftables equivalents. For example:
iptables-translate -A INPUT -p tcp --dport 22 -j ACCEPT
This will output the nftables equivalent. However, it’s recommended to review and optimize the translated rules, as direct translation might not always result in the most efficient nftables configuration.
In many scenarios, especially with complex rulesets, nftables offers better performance than iptables. This is due to its more efficient rule processing engine and better handling of large rulesets. However, for simple configurations, the performance difference may not be noticeable.
Both iptables and nftables can be used to implement secure firewall configurations. The security implications are more about how you configure your firewall rather than which tool you use. However, nftables’ more intuitive syntax and advanced features like sets and maps can make it easier to implement complex security policies correctly.
Yes, nftables uses a different syntax than iptables. However, many concepts are similar, and the nftables syntax is often considered more intuitive and consistent. If you’re familiar with iptables, you’ll find many parallels in nftables, making the learning curve less steep.
Yes, nftables has excellent support for IPv6. In fact, one of nftables’ advantages is its unified approach to handling both IPv4 and IPv6 traffic, often allowing you to create a single ruleset for both protocols.
While nftables is generally more flexible and powerful, there might be specific scenarios where iptables is still preferred:
- Legacy systems or applications that explicitly require iptables
- Environments where sysadmins are more familiar with iptables and immediate migration isn’t necessary
- Certain specialized networking setups that rely on iptables-specific features
You can back up your nftables ruleset using the following command:
nft list ruleset > nftables_backup.nft
To restore the ruleset:
nft -f nftables_backup.nft
nftables requires a Linux kernel version 3.13 or newer. However, for full feature support and best performance, it’s recommended to use more recent kernel versions (4.10+). Always check your distribution’s documentation for specific compatibility information.