Farshad Nickfetrat

iptables vs nftables: What’s New in Linux Firewalling?

When it comes to managing firewall rules on Linux, iptables has been the go-to tool for years. But now, there’s a new sheriff in town: nftables. It’s more efficient, more flexible, and it is already the default firewall framework in current Debian, Fedora and RHEL releases. If you're wondering what the fuss is all about, let's dive into the differences between these two and see how they compare in real-world scenarios.

A Quick Overview

iptables arrived with Linux 2.4 in 2001. It’s tried and true, but it’s also starting to show its age, especially when dealing with large, complex firewall configurations. Enter nftables, a more modern alternative merged into Linux 3.13 in January 2014. Both sit on the same netfilter hooks in the kernel; what nftables replaces is the per-protocol x_tables rule format with a single in-kernel rule engine (nf_tables). It was designed to address many of the limitations of iptables, bringing better performance and more flexible rule management.

At a high level:

iptables: Solid, but it is really four tools (iptables for IPv4, ip6tables for IPv6, arptables for ARP, ebtables for bridged frames), each with its own rule set to keep in sync, and it can get messy with large rule sets.

nftables: One tool and one syntax for all of those families (ip, ip6, inet for both IP versions, arp, bridge, netdev), with sets, maps and atomic reloads for handling complex rules efficiently.


Now let’s compare them in action!


Basic Syntax: Blocking Traffic on Port 22 (SSH)

Say you want to block incoming SSH connections on port 22. Here’s how you’d do it in each:

  • iptables:

    
    iptables -A INPUT -p tcp --dport 22 -j DROP
    
    

    Pretty straightforward! This command appends (-A) a rule to the end of the INPUT chain that drops incoming TCP traffic to port 22. Because the chain is evaluated top to bottom, an earlier rule that accepts port 22 would still win; use -I to insert at the top when the order matters.

  • nftables:

    
    nft add rule inet filter input tcp dport 22 drop
    
    

    In nftables, it’s just as simple, but notice the keyword inet: that table family matches both IPv4 and IPv6 packets, so one rule covers what takes an iptables rule plus an ip6tables rule. One caveat: nftables ships with no tables or chains at all. Before this command works, the table inet filter and a base chain named input must exist, and the chain has to be hooked into the input path (declared with type filter hook input priority 0), otherwise nft reports that the table or chain does not exist. Rule order matters exactly as with iptables -A: an earlier accept rule in the chain would still win.


Allowing Traffic from a Specific IP Range

Next, let’s allow traffic from a certain subnet, like 192.168.1.0/24.

  • iptables:

    
    iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
    
    

    Here, we append a rule to allow traffic from the subnet.

  • nftables:

    
    nft add rule inet filter input ip saddr 192.168.1.0/24 accept
    
    

    Notice that nftables uses ip saddr (source address) rather than -s. Despite living in an inet table, ip saddr only matches IPv4 packets, because ip refers to the IPv4 header; the IPv6 equivalent is ip6 saddr, and a host that must be reachable over both needs one rule of each kind (or an ipv6_addr set next to the ipv4_addr one).


Dealing with NAT (Network Address Translation)

If you’re setting up source NAT (SNAT) for outbound traffic, the commands look a bit different.

  • iptables:

    
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.5
    
    

    This is your classic iptables rule for source NAT on the eth0 interface.

  • nftables:

    
    nft add rule ip nat postrouting oif "eth0" snat to 203.0.113.5
    
    

    The nftables syntax is more compact: oif names the output interface and snat to sets the new source address. There is no -t nat switch because nat is simply the name this table was given; what actually makes it a NAT table is its chain declaration. The postrouting chain has to be created as a base chain of type nat on the postrouting hook (priority 100, the source-NAT priority) before this rule can be added, and the table here uses family ip, matching the IPv4 address being assigned.


Handling Multiple IPs or Ports with Ease

Here’s where nftables really starts to shine. Let’s say you want to block traffic from multiple IP addresses.

  • iptables:

    
    iptables -A INPUT -s 192.168.1.10 -j DROP
    
    iptables -A INPUT -s 192.168.1.20 -j DROP
    
    

    Each IP requires a separate rule in iptables. Imagine if you had 100 IPs to block. Your rule set would get really long!

  • nftables:

    
    nft add set inet filter blocked_ips '{ type ipv4_addr; }'
    
    nft add element inet filter blocked_ips '{ 192.168.1.10, 192.168.1.20 }'
    
    nft add rule inet filter input ip saddr @blocked_ips drop
    
    

    nftables lets you declare a set, fill it with as many addresses as you like, and reference it from a single rule; adding or removing an address later is a set operation and never touches the rule. The set syntax is quoted because the braces and the semicolon would otherwise be interpreted by the shell (escaping the semicolon as \; also works). A set declared with flags interval can hold CIDR ranges such as 10.0.0.0/8 next to single addresses, and a set lookup does not get slower with every element the way a chain of 100 iptables rules does. Way more efficient, right?
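As an added example (not from the original post), here is a POSIX shell script that turns a blocklist file into an nft script with one set and one rule, rejecting anything that is not an IPv4 address or CIDR before it reaches nft. The table name inet filter, the chain input, the set name blocked_ips and the sample blocklist are assumptions chosen for the demonstration; flags interval is what lets the same set hold ranges next to single addresses.

```shell
#!/bin/sh
# Added example (not from the original post): bulk-load a blocklist into an
# nftables set. Assumed names: table "inet filter", base chain "input",
# set "blocked_ips". The sample blocklist below is constructed, not real data.
set -eu

# Accept only a plain IPv4 address or an IPv4 CIDR. Anything else (hostnames,
# comments, octets above 255, prefixes above /32) is rejected so a stray line
# never reaches nft.
is_ipv4_or_cidr() {
    printf '%s\n' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Turn a blocklist file ($1) into an nft script ($2): one set holding every
# valid entry and one rule that consults it. "flags interval" lets the set
# hold CIDR ranges next to single addresses. Invalid lines are reported on
# stderr and skipped; the function returns 1 if any were found.
blocklist_to_nft() {
    bad=0
    elements=""
    while IFS= read -r line || [ -n "$line" ]; do
        # strip trailing comments and surrounding whitespace
        entry=$(printf '%s' "$line" | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -z "$entry" ] && continue
        if is_ipv4_or_cidr "$entry"; then
            elements="${elements:+$elements, }$entry"
        else
            echo "skipping invalid entry: $entry" >&2
            bad=1
        fi
    done < "$1"

    if [ -n "$elements" ]; then
        set_decl="add set inet filter blocked_ips { type ipv4_addr; flags interval; elements = { $elements }; }"
    else
        set_decl="add set inet filter blocked_ips { type ipv4_addr; flags interval; }"
    fi

    # "add table"/"add chain" are idempotent; "add rule" is not, so load this
    # once, or put it in a full ruleset file that starts with "flush ruleset".
    cat > "$2" <<EOF
add table inet filter
add chain inet filter input { type filter hook input priority 0; policy accept; }
$set_decl
add rule inet filter input ip saddr @blocked_ips counter drop
EOF
    return "$bad"
}

WORK=$(mktemp -d)

# Constructed sample blocklist: two hosts, one range, two lines that must be rejected.
cat > "$WORK/blocklist.txt" <<'EOF'
# hosts and ranges to drop
192.168.1.10
192.168.1.20
10.0.0.0/8        # whole RFC 1918 range
evil.example      # not an address: rejected
999.1.1.1         # octet out of range: rejected
EOF

blocklist_to_nft "$WORK/blocklist.txt" "$WORK/blocked.nft" || echo "some entries were skipped" >&2
cat "$WORK/blocked.nft"
# To load it (root, kernel with nf_tables):  nft -f "$WORK/blocked.nft"
```

The generated file contains the table and base chain declarations as well, so it works on a box where nothing has been created yet. Re-running it against a live ruleset would append a second copy of the drop rule; in practice the set definition goes into the full ruleset file and only the elements are refreshed, with nft add element or nft flush set followed by a new add element.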


Logging Packets for Debugging

When debugging network traffic, logging is super helpful. Here’s how you log traffic on port 80 (HTTP).

  • iptables:

    
    iptables -A INPUT -p tcp --dport 80 -j LOG --log-prefix "HTTP Traffic: "
    
    
  • nftables:

    
    nft add rule inet filter input tcp dport 80 log prefix "HTTP Traffic: "
    
    

nftables has the same functionality with slightly cleaner syntax; in both tools log is a non-terminating action, so the packet continues to the next rule after being logged. Two things worth knowing: in nftables a rule only keeps packet and byte counters if you add the counter statement (iptables counts every rule unconditionally), and a limit statement placed before log (limit rate 10/minute, for example) rate-limits the logging alone, the job iptables does with the -m limit match. Without a limit, a scan of port 80 can fill the kernel log in seconds.


Efficiency & Performance

For a handful of rules the two tools perform about the same. The difference shows when rule sets grow: in iptables every match is a separate rule, so blocking 10,000 addresses means 10,000 rules evaluated one after another for every packet. nftables still evaluates the rules in a chain in order, but a set or map lookup replaces that whole run of rules with a single hash or tree lookup, and a ct state rule near the top lets established connections skip the longer rules entirely. The main win is not a faster engine but a rule set that stays short, which matters most in high-traffic environments.

  • iptables processes rules in a linear fashion, so as your rule set grows, the per-packet cost grows with it.

  • nftables uses optimized data structures (sets, maps, and verdict maps that jump to a chain based on a lookup) so the per-packet cost stays flat as the number of addresses or ports grows.


Atomic Rule Changes

One of nftables’ most useful features is atomic rule updates. Loading a ruleset file commits every change in a single transaction: either the whole new ruleset is active or none of it is, and there is no window in which packets see a half-applied set of rules.

With the interactive iptables command, each invocation changes one rule, so a script that flushes a chain and then re-adds its rules leaves a short gap in which the chain is empty (wide open or fully closed, depending on the policy). iptables-restore does load atomically, but only per table, and it is a separate tool from the one most people type by hand.

With nftables, you write your rules into a file and apply them all at once:

    nft -f /etc/nftables.conf

Two caveats. First, nft -f appends to whatever is already loaded; to replace the active ruleset, the file must begin with flush ruleset, and it is the flush together with the new rules that are committed as one transaction. Second, run nft -c -f on the file first: the -c option parses and validates it without touching the kernel, so a syntax error is caught while the running ruleset is still untouched. Applied this way, your firewall rules are always consistent, and you avoid the risk of partial updates.
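The NAT, logging and atomic-update sections above fit together in one script. The following is an added example, not the author's configuration: it writes a complete ruleset (stateful input filtering with a drop policy, SSH allowed only from an admin subnet with rate-limited logging of rejected attempts, and source NAT), then applies it only after nft -c has validated it. The interface eth0, the subnet 192.168.1.0/24 and the SNAT address 203.0.113.5 are placeholders taken from the article's examples; the set name admin_nets, the chain layout and the APPLY switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): write a complete nftables
# ruleset and replace the active one atomically, after validating it.
# Placeholders from the article: WAN interface eth0, admin subnet
# 192.168.1.0/24, SNAT source 203.0.113.5. Everything else is assumed.
set -eu

# Write the whole firewall as one nft script. The leading "flush ruleset"
# is what turns "nft -f" from an append into a replacement: the flush and
# every object after it are committed in a single kernel transaction.
# $1 = output path, $2 = admin subnet, $3 = WAN interface, $4 = SNAT source
write_ruleset() {
    cat > "$1" <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    set admin_nets {
        type ipv4_addr
        flags interval
        elements = { $2 }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # SSH only from admin_nets. Other SSH attempts are logged at most
        # 5/minute; when the limit is exceeded the rule stops matching, so
        # the packet falls through to the chain policy (drop) either way.
        ip saddr @admin_nets tcp dport 22 accept
        tcp dport 22 limit rate 5/minute log prefix "ssh-denied: "
        tcp dport { 80, 443 } counter accept
        icmp type echo-request limit rate 10/second accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ip saddr @admin_nets oif "$3" accept
    }
}

# NAT lives in its own table; the chain type and hook are what make it NAT.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oif "$3" snat to $4
    }
}
EOF
}

# Validate first, apply second. "nft -c" parses the file without touching
# the kernel, so a typo leaves the running ruleset exactly as it was. The
# previous ruleset is saved beside the new file for a manual rollback.
apply_ruleset() {
    if ! nft -c -f "$1"; then
        echo "ruleset rejected; active rules unchanged" >&2
        return 1
    fi
    nft list ruleset > "$1.bak"
    nft -f "$1"
}

WORK=$(mktemp -d)
write_ruleset "$WORK/firewall.nft" "192.168.1.0/24" "eth0" "203.0.113.5"
if [ "${APPLY:-0}" = 1 ]; then
    apply_ruleset "$WORK/firewall.nft"       # needs root and nft installed
else
    echo "dry run: ruleset written to $WORK/firewall.nft (APPLY=1 to load it)" >&2
fi
```

Because the policy is drop, the ct state established,related rule is what keeps an existing SSH session alive across the reload: flush ruleset removes rules, not conntrack entries, so the session is still known to the kernel when the new rules take effect. The icmp rule covers IPv4 ping only; an IPv6 host needs the matching icmpv6 rules as well.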


Backward Compatibility

The good news is that the transition does not have to be abrupt. Modern distributions ship an iptables-nft variant of the iptables command that accepts the same syntax but stores the rules as nftables objects in the kernel, so existing scripts keep working, and the iptables-translate and iptables-restore-translate tools print the nft equivalent of a command or a saved ruleset, which is a good starting point for a rewrite. The one thing to avoid is mixing the legacy iptables backend and nft on the same box: rules from both are evaluated, and it becomes hard to tell which one is blocking or allowing a packet. Debian, Fedora and RHEL have used nftables as the default backend for several releases now, so it's worth learning it now.


Conclusion: Should You Switch to nftables?

If you’re managing a modern Linux system and want better performance, flexibility, and a cleaner syntax, nftables is definitely the way to go. It handles complex rule sets more efficiently, offers atomic rule updates, and provides a unified interface for IPv4, IPv6, and other protocols. Plus, it’s the future of Linux firewall management.

That said, iptables still works, and if you’ve got a simple setup or a legacy system, it’s perfectly fine to keep using it. But if you’re scaling up or managing complex environments, making the switch to nftables will save you a lot of time and headaches.


So, what do you think? Ready to give nftables a shot?
