Migrating from iptables to nftables

Hi everyone,

I’m struggling a bit finding a ressource that tells me how to migrate from iptables to nftables.

I’m running Manjaro with:

• Linux 6.18.18-1
• iptables 1:1.8.11-2
• nftables 1:1.1.6-3

systemctl is-enabled nftables
disabled

So I plan doing something like this:

sudo iptables-save > iptables-rules.txt
iptables-restore-translate -f iptables-rules.txt 

sudo ip6tables-save > ip6tables-rules.txt
ip6tables-restore-translate -f ip6tables-rules.txt

However, it would be nice with some kind of walkthrough, since the topic is a bit confusing. E.g. there is also the package iptables-nft, which I guess is another way to migrate than converting the iptables rules, and makes iptables use nftables underneath(?)

Any help much appreciated

Just FYI, the iptables-nft package will soon be replaced by iptables using the nft interface and the legacy backend will be available as iptables-legacy.

Ok so I have tried this:

sudo iptables-save > iptables-rules.txt
iptables-restore-translate -f iptables-rules.txt 
# bunch of output of converted iptable rules now in nftable format
sudo nft list ruleset
# no output

So why is there no output when I make nft list the ruleset?

I had planned to follow up with enabling and starting the nftable service, but since the ruleset is empty I don’t see much point.

systemctl enable nftables.service --now

It is:
sudo iptables-restore-translate -f iptables-rules.txt >> /etc/nftables.conf

Why >> append tonftables.conf? Would an overwrite > not ensure that I get a 1:1 translation of iptable rules without anything new added?

Out of habit. In this case, you can also completely overwrite the file.

Ok, so thats the iptable rules, but what about the ip6table rules. Should they be appended to nftables.conf?

Yes, exactly!

Ok, I think I got it. Here’s what I’ve done

Convert the iptable rules

sudo iptables-save > iptables-rules.txt
iptables-restore-translate -f iptables-rules.txt > iptables-ruleset.nft
sudo nft -f iptables-ruleset.nft
sudo nft list ruleset

Review the nft rules to check if they look ok.

sudo ip6tables-save > ip6tables-rules.txt
ip6tables-restore-translate -f ip6tables-rules.txt > ip6tables-ruleset.nft
sudo nft -f ip6tables-ruleset.nft
sudo nft list ruleset

Review the nft rules to check if they look ok.

If everything looks OK, then save it.

sudo nft list ruleset | sudo tee /etc/nftables.conf

Looks good to me.

I guess the last thing I should do is enabling nftables?

systemctl enable nftables.service --now

I guess that all your communication will now be routed to North Korea!

One very important thing is not to store counter state in /etc/nftables.com since that will make counters not update as expected when doing something on the network and monitoring by watching the counters.

sudo watch -d -n 1 'nft list table ip filter`

It’s a trap I got caught in because I wrote the output from nft list ruleset directly into nftables.conf with counter information. The solution is to do some cleanup.

# This does not work - counter information is bad in nftable.conf
chain FORWARD {
   type filter hook forward priority filter; policy drop;
   counter packets 276 bytes 108725 jump DOCKER-USER
   counter packets 276 bytes 108725 jump DOCKER-FORWARD
}

# Remove counter state :-)
chain FORWARD {
   type filter hook forward priority filter; policy drop;
   counter jump DOCKER-USER
   counter jump DOCKER-FORWARD
}

Removing counter state from nftable.conf will make counters update as expected.

Also add the following to the top of the nftable.conf file.

#!/usr/bin/nft -f
flush ruleset

And the path to nft might be different on other distributions, but surely everyone reading along here are using Manjaro - right?

Thanks @Yochanan and @pwx - it seems like everything is working with nftables. Hopefully without routing all my communication to North Korea

I had some trouble with Docker. So here’s what I did.

Install the package iptables-nft. By doing this Docker will still “think” that it uses iptables but in reality it’s just a wrapper around nftables. The package will also remove the old iptable package.

sudo pacman -S iptables-nft
# verify
iptables --version
iptables v1.8.11 (nf_tables)

When Docker starts up it injects it’s own rules into the firewall, so no need to have those rules in the /etc/nftable.conf file.

When updating the firewall remember to restart docker, so that it can inject it’s own firewall rules.

# change setup
sudo vim /etc/nftables.conf
# reload rules
sudo nft -f /etc/nftables.conf
# restart docker
sudo systemctl restart docker

I had a fun time debuging the firewall, because of the drop policy on the inet filter on the forward chain. To enable Docker containers to initiate outbound communication make some rules for that in the /etc/nftable.conf file - Docker won’t do it, since it does not know your security model.

I’ve added two rules for accepting packets if the incoming interface is either docker0 or some bridge created by Docker, which requires a wildcard br-*.

table inet filter {
	chain forward {
	    type filter hook forward priority filter; policy drop;
	    ct state { established, related } accept
	    ct state invalid drop
	    iifname "docker0" accept
	    iffname "br-*" accept
	    counter
	}
}

And that’s it.

It could be fun (at some time) to try using Docker with the experimental support for nftables by adding /etc/docker/daemon.json with the content

{
  "firewall-backend": "nftables"
}

But I have already had more drama than I need for today - I’m not a total masochist

Hello @Yochanan

Does that mean that the package iptables-nft will be renamed to iptables?
And does that also mean that systems will switch from iptables to nftables automatically?

Yes and yes.

This article arrived in my RSS reader today:

The announcement from Arch:

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.