Advice for migrating from IPTABLES to NFTABLES

Advice for migrating from IPTABLES to NFTABLES

Post by rab0171610 » Mon Mar 23, 2026 4:32 am

I recently migrated from kernel version 6.12 to 6.18. Upon reboot I noticed that UFW did not start. After reading the error message, I realized I needed to enable the legacy IP TABLES module. After loading the module, the UFW (firewall) is working as before.
That being said, I did read that UFW has support for using either IP Tables or Nftables as the backend.
I have looked at the Nftables Gentoo wiki. I am not sure what I will need to do other than install nftables to make the migration.
Can anyone explain the basics of what I should expect, or is it as simple as installing nftables? I do not recall ever having to set up iptables; it is simply installed on my system.
Thanks in advance.
Re: Advice for migrating from IPTABLES to NFTABLES

Post by pietinger » Mon Mar 23, 2026 12:31 pm

rab0171610 wrote:[...] That being said, I did read that UFW has support for using either IP Tables or Nftables as the backend. [...]
Yes, that’s what everyone says:
https://wiki.archlinux.org/title/Uncomplicated_Firewall
... but I found only one page explaining HOW to get ufw to use nftables:
Post #9 of https://bbs.archlinux.org/viewtopic.php?id=303046
rab0171610 wrote:[...] I am not sure what I will need to do other than install nftables to make the migration. [...]
I don't know either ... maybe you must de-install iptables and emerge nftables ... but
rab0171610 wrote:[...] I do not recall ever having to set up Iptables, it is simply installed on my system. [...]
... you have iptables because iproute2 (installed by @system in stage3) has enabled the Use-flag "iptables" by default (*). So, maybe you must re-emerge iproute2 without this Use-flag and can then de-install iptables ... but ...

I would suggest simply emerging "nftables" and then configuring it directly ... yes, I am not a fan of ufw ... see also:
https://wiki.gentoo.org/wiki/User:Pieti ... x_FireWall


*)

Code:

# emerge -cpv iptables

Calculating dependencies... done!
  net-firewall/iptables-1.8.11-r1 pulled in by:
    sys-apps/iproute2-6.18.0 requires >=net-firewall/iptables-1.4.20:=, >=net-firewall/iptables-1.4.20:0/1.8.3=

>>> No packages selected for removal by depclean
[...]
 
# emerge -cpv iproute2

Calculating dependencies... done!
  sys-apps/iproute2-6.18.0 pulled in by:
    @system requires sys-apps/iproute2
https://wiki.gentoo.org/wiki/User:Pietinger --> https://wiki.gentoo.org/wiki/User:Pieti ... _at_Gentoo
Post by rab0171610 » Mon Mar 23, 2026 1:14 pm

Thank you pietinger. I will look into all of your information and links.
Yes, I had read that part about UFW and nftables/iptables backend at the Arch Linux link you posted.
I do not have strong feelings about UFW one way or the other. I only have a handful of rules.
I set it up as a VPN kill switch following tutorials. If the tun0 interface goes down, all internet traffic is halted but the local network is unaffected. All local network traffic is allowed.
It was easy to set up initially, the rules were human readable and logical, and it has worked well for years without need for modification.
Basically:
"Set the default rules to DENY ALL
Allow in/out on the local private network
Allow traffic out on the VPN tunnel adapter (tun0)
Allow UDP traffic out to the VPN server so VPN client can connect
Enable UFW. It should fail anytime the VPN is down."
I am also behind a router with a firewall.
It runs as a systemd service so I can easily see if it fails to load. I can easily check the status as needed.

I do not really understand IP tables or nftables on a granular level, so ufw was easier for me to set up.
I didn't even know that Iptables was being phased out and nftables was being phased in until this happened.
Should I leave things as they are for now or should I feel a sense of urgency to migrate to nftables?
What is your opinion?
Post by grknight » Mon Mar 23, 2026 1:45 pm

Another option is to set the nftables USE on net-firewall/iptables to use the compatibility layer (after selecting with eselect iptables). A reboot is often required to load rules correctly at startup.

Then, things will continue as normal with apps that call iptables.

This gives time to study other options and be prepared with the right tools.
Post by rab0171610 » Mon Mar 23, 2026 2:02 pm

grknight, thank you.
Post by pietinger » Mon Mar 23, 2026 2:11 pm

rab0171610 wrote:[...] I didn't even know that Iptables was being phased out and nftables was being phased in until this happened.
Should I leave things as they are for now or should I feel a sense of urgency to migrate to nftables?
What is your opinion?
Yes, iptables (and IPv4 support) will probably be phased out at some point ... but my personal assessment is that this won’t happen for another 10 or 15 years. So, my opinion is: Never change a working solution :lol:

(As you can see/read in my article, I am still on iptables)
Post by rab0171610 » Mon Mar 23, 2026 2:36 pm

Thanks pietinger. I was not able to come to an understanding of where things stand.

For the record, the Gentoo UFW ebuild depends on Iptables.
Also:
https://bugs.launchpad.net/ufw/+bug/2114851

Code:

Make ufw depends on nftables instead iptables
Bug #2114851 reported by Marcos Alano on 2025-06-17
I think for now UFW still requires iptables as a backend.

I agree with your advice. It is working now that I have enabled the legacy iptables kernel module. I will leave it until migration becomes best practice.

Hopefully all of this information clears things up for anyone that is curious about the implications of

Code:

iptables is a program used to configure and manage the kernel's netfilter modules. It should be replaced with its successor nftables. 
https://wiki.gentoo.org/wiki/Iptables
And

Code:

nftables is the successor to iptables. It replaces the existing iptables, ip6tables, arptables, and ebtables framework. It uses the Linux kernel and a new userspace utility called nft. nftables provides a compatibility layer for the iptables/ip6tables and framework. 
https://wiki.gentoo.org/wiki/Nftables

If and when I get time, I will try to migrate to nftables and (if necessary) test UFW with the nftables compatibility layer. I will report back with any results or observations. Eventually, the roadmap might be that I get rid of UFW altogether and instead rely on nftables directly for my limited purpose of a VPN kill switch.
Thanks again everyone.
Post by pietinger » Mon Mar 23, 2026 2:53 pm

rab0171610 wrote:[...] Eventually, the roadmap might be that I get rid of UFW all together and instead rely on nftables directly for my limited purpose of a VPN kill switch. [...]
IMHO the best option. 8)
rab0171610 wrote:Thanks pietinger. [...]
You are very Welcome! :D
Post by rab0171610 » Mon Mar 23, 2026 5:57 pm

I think what I like about UFW is that the syntax is very much reminiscent of setting up Cisco equipment, using human readable statements in a deliberate sequence to set up the firewall. Block everything and then make exceptions while ensuring you don't lock yourself out if working remotely. Having to call and have someone in another state to do a hard reset on the physical equipment is embarrassing if you forget to block everything except yourself.

The word "table" in iptables and nftables gives the impression of data entry or spreadsheets for example. In other words, opening up the configuration files and manipulating the entire thing at once, i.e. editing or creating tables. I was never attracted to that per se because it seems like so many things could go wrong if I mistype something or the syntax is slightly off.

I will report back if I make any significant progress.
Post by flexibeast » Mon Mar 23, 2026 11:05 pm

rab0171610 wrote:I think what I like about UFW is that the syntax is very much reminiscent of setting up Cisco equipment, using human readable statements in a deliberate sequence to set up the firewall.
From a quick look at UFW's syntax, it seems broadly similar to the syntax of OpenBSD's PF, which i certainly find more pleasant than iptables' syntax (and perhaps nftables' syntax, although i haven't spent much time with it yet).
https://wiki.gentoo.org/wiki/User:Flexibeast
My most recent wiki contributions
Post by rab0171610 » Tue Mar 24, 2026 7:02 am

https://wiki.gentoo.org/wiki/Nftables
I do not understand any of that. It is currently way too complicated for me. I will just stick with the UFW setup for the time being and see how things progress over time.

The default UFW policy is to deny.
This is my current UFW rule set. It allows traffic to and from on tun0 (VPN tunnel), allows local network traffic in and out, DNS OUT, and OUT to the VPN server's IP.

Code:

To                         Action      From
--                         ------      ----
Anywhere on tun0           ALLOW       Anywhere                  
192.168.0.0/24             ALLOW       Anywhere                  
Anywhere                   ALLOW       192.168.0.0/24            

Anywhere                   ALLOW OUT   Anywhere on tun0          
192.168.0.0/24             ALLOW OUT   Anywhere                  
53/udp                     ALLOW OUT   Anywhere                  
53/tcp                     ALLOW OUT   Anywhere                  
xxx.xxx.xx.xxx 1194/udp    ALLOW OUT   Anywhere  
(with xxx being the ip of the vpn)
Since the default UFW policy is to deny, there is no internet traffic if the VPN tunnel/tun0 goes down.
The router DNS override addresses are set to the VPN's DNS servers.

I can't imagine ever having enough understanding of nftables to have the skills needed to directly configure it to do the equivalent of the above UFW rule set.
Post by wjb » Tue Mar 24, 2026 10:29 am

There are links to the nftables wiki at the end of the Gentoo wiki page, which I personally found much more readable. A useful section is "Moving from iptables to nftables", which was enough to get my iptables rules converted to nftables. From there, with a concrete representation of what I wanted, it was possible to figure out what was going on.
Post by rab0171610 » Tue Mar 24, 2026 10:37 am

wjb wrote:There are links to the nftables wiki at the end of the Gentoo wiki page, which I personally found much more readable. A useful section is "Moving from iptables to nftables", which was enough to get my iptables rules converted to nftables. From there, with a concrete representation of what I wanted, it was possible to figure out what was going on.
Thank you for pointing that out, my eyes glazed over and my head was spinning by the time I scrolled that far down the Gentoo nftables wiki page.
I will look at those links again, especially https://wiki.nftables.org/wiki-nftables ... o_nftables .
Post by pietinger » Tue Mar 24, 2026 10:58 am

rab0171610 wrote:[...]The default UFW policy is to deny.
This is my current UFW rule set. It allows traffic to and from on tun0 (VPN tunnel), allows local network traffic in and out, DNS OUT, and OUT to the VPN server's IP.

Code:

To                         Action      From
--                         ------      ----
[...]                 
192.168.0.0/24             ALLOW       Anywhere                  
Anywhere                   ALLOW       192.168.0.0/24            

[...]       
192.168.0.0/24             ALLOW OUT   Anywhere                  
[...]
I am confused ... why do you need an ALLOW OUT when you already have an ALLOW (all)?

Maybe your setting is not very secure ... but ... iptables has a (small) advantage: it saves the number of checked packets per rule by default (with nftables you must define it with "counter") ... so, if you do an

Code:

# iptables -L -vn
you will see all rules ... AND ... whether some rules are never used (because the packet counter is zero).
rab0171610 wrote:[...] I can't imagine every having enough understanding of nftables to have the skills needed to directly configure it to do the equivalent of the above UFW rule set.
Another way to get all iptables rules is "iptables-save". If you give me both outputs of your iptables, I could write it for nftables ... and ... maybe ... make it a little bit more secure ... ;-)
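As an added example (not from any post in this thread), here is an nftables ruleset that expresses the kill-switch intent rab0171610 describes above, with the redundant ALLOW OUT rule pietinger questioned left out and a counter on every rule so that nft list ruleset shows which rules ever matched, the check pietinger gets from iptables -L -vn by default. It assumes the LAN is 192.168.0.0/24 and the tunnel is tun0 as in the posted rule set, and uses a placeholder address for the VPN server because the thread masks the real one.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: nftables version of the UFW VPN kill switch.
# Assumptions: LAN 192.168.0.0/24, tunnel interface tun0 (both from the thread),
# VPN server address is a placeholder (the real one is masked in the post).
flush ruleset

define LAN        = 192.168.0.0/24
define VPN_IF     = "tun0"
define VPN_SERVER = 203.0.113.10   # placeholder for the xxx.xxx.xx.xxx in the post
define VPN_PORT   = 1194

table inet killswitch {
    chain input {
        # default DENY, as in UFW; only the exceptions below are accepted
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state invalid counter drop
        ct state established,related counter accept

        # "Anywhere on tun0 ALLOW": anything arriving through the tunnel
        iifname $VPN_IF counter accept

        # local private network in
        ip saddr $LAN counter accept
    }

    chain forward {
        # this host does not route for others
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy drop;

        oif "lo" accept
        ct state established,related counter accept

        # "Anywhere ALLOW OUT Anywhere on tun0": traffic leaving via the tunnel
        oifname $VPN_IF counter accept

        # local private network out
        ip daddr $LAN counter accept

        # DNS out (53/udp and 53/tcp in the UFW set)
        udp dport 53 counter accept
        tcp dport 53 counter accept

        # the only thing allowed out of the physical interface to the internet:
        # the VPN client's own connection to the server. If tun0 is down,
        # everything else is dropped by the chain policy, which is the kill switch.
        ip daddr $VPN_SERVER udp dport $VPN_PORT counter accept
    }
}
```

Load it with nft -f on the file and inspect with nft list ruleset; a rule whose counter stays at zero after normal use is one the ruleset never needed.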
Post by pietinger » Tue Mar 24, 2026 11:01 am

rab0171610 wrote:
wjb wrote:There are links to the nftables wiki at the end of the Gentoo wiki page, which I personally found much more readable. A useful section is "Moving from iptables to nftables", which was enough to get my iptables rules converted to nftables. From there, with a concrete representation of what I wanted, it was possible to figure out what was going on.
Thank you for pointing that out, my eyes glazed over and my head was spinning by the time I scrolled that far down the Gentoo nftables wiki page.
I will look at those links again, especially https://wiki.nftables.org/wiki-nftables ... o_nftables .
Let me quote from my article:
https://wiki.gentoo.org/wiki/User:Pieti ... l_Firewall
->
The most important link at all:

https://wiki.nftables.org/wiki-nftables ... /Main_Page

Most important command: nft list ruleset

If you install the iptables package with the Use-flag "nftables", you get a great program: iptables-translate ... guess what it does ;-)
:lol:
Post by rab0171610 » Tue Mar 24, 2026 12:03 pm

pietinger wrote: I am confused ... why do you need an ALLOW OUT when you have already an ALLOW (all) ?
You are right, I do not. I once was troubleshooting a local kde-filesharing/avahi/network discovery issue and forgot to delete a temporary rule.

https://wiki.gentoo.org/wiki/User:Pieti ... l_Firewall
I will bookmark this for future reading. I have some research to do.
Thanks again for all of the pointers and information. I am sure after extensive review it will be easier to understand.