Back to Blog
LinuxUbuntuAdvanced NetworkingSysAdminTutorial

iptables and nftables on Ubuntu: basic rules and migration

Complete tutorial on iptables/nftables in Ubuntu. Learn filter table, NAT, persistence.

Daniel Urbano
October 30, 2025
8 min read
iptables and nftables on Ubuntu: basic rules and migration

Iptables and Nftables on Ubuntu: Basic Rules and Migration

Introduction

In the realm of Linux networking, iptables and nftables serve as essential tools for managing network traffic and securing systems through packet filtering, NAT (Network Address Translation), and more. Iptables has long been the de facto standard for firewall management on Linux, but as technology evolves, nftables has emerged as its successor, offering a more streamlined and efficient framework for packet filtering and NAT. This transition is crucial as it not only improves performance but also simplifies the management of complex firewall rules.

Understanding how to implement basic rules with both iptables and nftables is critical for network security, particularly in server environments where exposure to threats is high. This tutorial will guide you through the core concepts, practical examples, and migration strategies from iptables to nftables, ensuring you can effectively manage and secure your Ubuntu-based systems.

Prerequisites

  • Ubuntu Version: This tutorial is applicable to Ubuntu 18.04 and later.
  • Required Packages: Ensure you have iptables and nftables installed. You can install them using:
    sudo apt update && sudo apt install iptables nftables
  • Permissions: Root access is required to configure iptables and nftables.
  • Risks: Incorrect configuration may lead to loss of connectivity or unintended exposure of services. Always test configurations in a safe environment before deploying them to production.

Core Concepts

Terminology

  • iptables: A user-space utility that allows a system administrator to configure the IP packet filter rules of the Linux kernel firewall.
  • nftables: The successor to iptables, it provides a single interface for packet filtering, NAT, and other features.
  • Chains: Sequences of rules that packets are checked against.
  • Tables: Groups of chains; common tables include filter, nat, and mangle.

Architecture

  • iptables operates using a set of tables: filter, nat, mangle, and raw.
  • nftables consolidates these functions into a single framework with a more efficient syntax and semantics.

When to Use

  • Use iptables for legacy systems or where nftables support is lacking.
  • Use nftables for modern systems to take advantage of its performance and flexibility.

Limits

  • Iptables is limited to IPv4, while nftables supports both IPv4 and IPv6, making it the preferred choice for dual-stack environments.

Syntax/Commands

Command Description
iptables -L List all rules in the filter table
iptables -A Append a rule to a chain
iptables -D Delete a rule from a chain
nft list ruleset List all rules in nftables
nft add rule Add a rule to a specified chain
nft delete rule Delete a rule from a specified chain

Practical Examples

1. Listing Current Rules

# List all iptables rules
sudo iptables -L -n -v

# List all nftables rules
sudo nft list ruleset

2. Basic Input Rule (Iptables)

# Allow incoming SSH connections
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

3. Basic Input Rule (Nftables)

# Allow incoming SSH connections
sudo nft add rule ip filter input tcp dport 22 accept

4. Drop Unwanted Traffic (Iptables)

# Drop all other incoming traffic
sudo iptables -A INPUT -j DROP

5. Drop Unwanted Traffic (Nftables)

# Drop all other incoming traffic
sudo nft add rule ip filter input drop

6. NAT Configuration (Iptables)

# Enable IP forwarding
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

# Configure NAT for outgoing connections
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

7. NAT Configuration (Nftables)

# Enable IP forwarding
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

# Configure NAT for outgoing connections
sudo nft add table ip nat
sudo nft add chain ip nat postrouting { type nat hook postrouting priority 0; }
sudo nft add rule ip nat postrouting oifname "eth0" masquerade

8. Saving Rules (Iptables)

# Save current iptables rules to a file
sudo iptables-save > /etc/iptables/rules.v4

9. Saving Rules (Nftables)

# Save current nftables rules to a file
sudo nft list ruleset > /etc/nftables.conf

Real-World Scenarios

Scenario 1: Setting Up a Basic Firewall

You are tasked with configuring a firewall on a web server that only needs to accept HTTP and SSH connections. Using either iptables or nftables, you can set up rules to allow these services while denying all other traffic.

Scenario 2: NAT for a Home Router

You are configuring a home router that uses a single public IP address. You can use either iptables or nftables to set up NAT so that internal devices can access the internet.

Scenario 3: Migrating from Iptables to Nftables

If your system is using iptables and you want to migrate to nftables for better performance, you can export your existing rules and adapt them to the nftables syntax, ensuring continuity and enhanced security.

Best Practices

  1. Backup Configurations: Regularly back up your iptables or nftables rules to avoid loss of configuration.
  2. Test Rules: Always test new rules in a staging environment before deploying them to production.
  3. Use Descriptive Comments: Include comments in your rules to document their purpose for future reference.
  4. Limit Exposure: Only allow necessary services and block all unused ports.
  5. Regularly Review Rules: Periodically review and update your firewall rules to adapt to changing security needs.

Common Errors

1. Error Message: "iptables: No chain/target/match by that name"

  • Cause: Attempting to reference a non-existent chain.
  • Fix: Ensure the chain exists or create it before adding rules.

2. Error Message: "nft: Error: Could not parse rule"

  • Cause: A syntax error in the rule.
  • Fix: Double-check the rule syntax against the nftables documentation.

3. Error Message: "Permission denied"

  • Cause: Insufficient permissions to modify firewall rules.
  • Fix: Run the command with sudo or as the root user.

4. Error Message: "Connection timed out"

  • Cause: Firewall rules blocking traffic.
  • Fix: Review and adjust your firewall rules to allow necessary traffic.

Related Commands

Command Description
ufw Uncomplicated Firewall, a user-friendly interface to manage iptables
firewalld A dynamic firewall manager with zones and services support
iptables-persistent Save and restore iptables rules on reboots
nft Command-line utility for nftables management

Automation Script

Here’s a simple automation script to set up a basic nftables configuration:

#!/bin/bash
# Setup basic nftables configuration

# Flush existing rules
nft flush ruleset

# Create a new table and chains
nft add table ip filter
nft add chain ip filter input { type filter hook input priority 0; }
nft add chain ip filter forward { type filter hook forward priority 0; }
nft add chain ip filter output { type filter hook output priority 0; }

# Allow established connections
nft add rule ip filter input ct state established,related accept

# Allow SSH and HTTP
nft add rule ip filter input tcp dport 22 accept
nft add rule ip filter input tcp dport 80 accept

# Drop all other incoming traffic
nft add rule ip filter input drop

# Save rules to a file
nft list ruleset > /etc/nftables.conf

echo "nftables configuration applied successfully."

Conclusion

In this tutorial, we explored the foundational concepts, commands, and practical examples of iptables and nftables on Ubuntu. Understanding how to manage firewall rules effectively is crucial for securing your Linux systems. As you gain experience, consider migrating to nftables for its efficiency and modern capabilities. Keep practicing and refining your firewall rules, and ensure you stay updated with best practices in network security.

References