Introduction

In today’s guide, let’s walk through how to migrate iptables rules to nftables when moving from RHEL 6 or 7 Linux servers to RHEL 8 based operating systems. Translating the existing iptables rules to nftables eliminates a lot of the pain of rewriting complex rule sets by hand.

Currently we are running on RHEL 7, and the requirement is to migrate our running production from RHEL 7 to 8. In this case we need more flexibility during the whole migration process. To make the migration smoother, RHEL 8 and its variants come with the “iptables-restore-translate” command, which translates the existing iptables rules to nftables.

iptables to nftables migration

Before starting with migration, let’s prepare by saving the rules to a file.


Export IPtables to a file

First of all, we need to save all our iptables rules by redirecting the output of iptables-save to a file with any name and extension. This is as simple as what we do in our usual daily activities.

# iptables-save > iptables_rules.txt

The next step is to verify the saved rules.

Verify the Existing Rules

To verify the saved rules, just cat the file and go through the rules. Make sure to confirm that all the rules are saved.

# cat iptables_rules.txt

It’s confirmed that we have only a few rules, as shown below.

[root@sysadmins ~]# cat iptables_rules.txt 
# Generated by iptables-save v1.4.21 on Tue Aug 27 23:47:24 2019
*filter
:INPUT ACCEPT [107:10038]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [62:8606]
-A INPUT -p udp -m udp --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5269 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Tue Aug 27 23:47:24 2019
[root@sysadmins ~]#

Once the rules are saved, copy the file “iptables_rules.txt” to the destination server running the RHEL 8 based operating system.

Convert the iptables rules to nftables

On the RHEL 8 based operating system, start converting the iptables rules by running the translate command, specifying the copied iptables file, and redirect the output to save it as an nft rules file.

# iptables-restore-translate -f iptables_rules.txt > nft_ruleset.nft

We have now converted our iptables rules to nftables.

Load and Import the rules

Load the rules with the -f option, specifying the converted “nft_ruleset.nft” rules file.

# nft -f nft_ruleset.nft

Once the above command has run, we are done importing the rules into nft.

List and verify the nftables

Finally, list and verify the imported rules.

# nft list ruleset

While listing, we should see the output shown below.

[root@spacewlk ~]# nft list ruleset
table ip filter {
	chain INPUT {
		type filter hook input priority 0; policy accept;
		udp dport ldaps ct state established,new counter packets 0 bytes 0 accept
		tcp dport ldaps ct state established,new counter packets 0 bytes 0 accept
		udp dport ldap ct state established,new counter packets 0 bytes 0 accept
		ct state new tcp dport ssh counter packets 0 bytes 0 accept
		tcp dport ldap ct state established,new counter packets 0 bytes 0 accept
		ct state new tcp dport xmpp-server counter packets 0 bytes 0 accept
		ct state new tcp dport xmpp-client counter packets 0 bytes 0 accept
		ct state new tcp dport https counter packets 0 bytes 0 accept
		ct state new tcp dport http counter packets 0 bytes 0 accept
	}

	chain FORWARD {
		type filter hook forward priority 0; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority 0; policy accept;
		ct state new tcp dport ssh counter packets 0 bytes 0 accept
		ct state new tcp dport https counter packets 0 bytes 0 accept
		ct state new tcp dport http counter packets 0 bytes 0 accept
	}
}

That’s it; we have successfully migrated our existing iptables rules to nftables without spending time writing any nftables rules by hand.
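As an added example (not code from the original article or from the nftables project), here is the whole flow above wrapped in a small POSIX shell script with two checks a practitioner would want before loading anything: that every “-A” rule in the saved file produced one “add rule” line in the translated file and nothing was echoed back untranslated, and a parse-only pass with “nft -c -f” before “nft -f” touches the running firewall. The translator output format assumed here (one “add rule” line per “-A” rule, untranslatable rules returned as “#” comments) is an assumption to confirm against your own output, and the sample files are constructed, not real translator output.

```shell
#!/bin/sh
# Added example, not part of the original article or of the nftables project.
# Assumptions (confirm against your own translator output): iptables-restore-translate
# emits one "add rule ..." line per translated "-A ..." rule, and echoes rules it
# cannot translate back as "#" comments that still contain the original "-A" text.

# Number of "-A" rule lines in an iptables-save dump.
count_iptables_rules() {
    grep -c '^-A ' "$1" || true
}

# Number of translated rules in an iptables-restore-translate output file.
count_nft_rules() {
    grep -c '^add rule ' "$1" || true
}

# Comment lines in the translated file that still carry iptables syntax;
# these are rules the translator gave up on and must be rewritten by hand.
untranslated_rules() {
    grep '^#' "$1" | grep -- '-A ' || true
}

# Succeeds only when every iptables rule became exactly one nft rule and
# nothing was left untranslated. Usage: check_translation SAVED.txt TRANSLATED.nft
check_translation() {
    ipt_n="$(count_iptables_rules "$1")"
    nft_n="$(count_nft_rules "$2")"
    left="$(untranslated_rules "$2")"
    if [ "$ipt_n" -ne "$nft_n" ] || [ -n "$left" ]; then
        echo "translation incomplete: $ipt_n iptables rules, $nft_n nft rules" >&2
        [ -n "$left" ] && printf 'untranslated: %s\n' "$left" >&2
        return 1
    fi
    return 0
}

# The article's flow with two safeguards: the count check above and a parse-only
# pass ("nft -c -f") before anything is loaded into the running kernel.
# Needs iptables-restore-translate and nft, i.e. run it on the RHEL 8 host.
migrate_ruleset() {
    iptables-restore-translate -f "$1" > "$2" || return 1
    check_translation "$1" "$2" || return 1
    nft -c -f "$2" || return 1
    nft -f "$2"
}

# Constructed sample files (not real tool output) so the checks can be
# exercised without the tools; prints the directory they were written to.
make_samples() {
    dir="$(mktemp -d)"
    cat > "$dir/iptables_rules.txt" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
    # complete translation: three "-A" rules became three "add rule" lines
    cat > "$dir/good.nft" <<'EOF'
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
add rule ip filter INPUT ct state new tcp dport 22 counter accept
add rule ip filter INPUT ct state new tcp dport 443 counter accept
add rule ip filter OUTPUT ct state new tcp dport 80 counter accept
EOF
    # incomplete translation: one rule was echoed back as a comment
    cat > "$dir/bad.nft" <<'EOF'
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
add rule ip filter INPUT ct state new tcp dport 22 counter accept
# -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
add rule ip filter OUTPUT ct state new tcp dport 80 counter accept
EOF
    echo "$dir"
}
```

On a real host, “migrate_ruleset iptables_rules.txt nft_ruleset.nft” performs the translate, check and load steps in order and stops at the first failure. Two points worth keeping in mind: “nft -f” only loads the rules into the running kernel, so to keep them across a reboot on RHEL 8 place them in (or include them from) /etc/sysconfig/nftables.conf and enable nftables.service; and if firewalld is active on the RHEL 8 host it manages its own nftables tables, so a ruleset loaded in parallel is evaluated alongside them. The zeroed counters in the listing above are expected, since the saved file carries no per-rule packet and byte counts.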

Conclusion

Migrate iptables to nftables: the availability of the translate tool makes life easier, with only a few steps. Subscribe to our newsletter and stay tuned for upcoming Linux articles. Your feedback is welcome through the comment section below.
