Migrate existing Iptables to Nftables in RHEL8/CentOS

Introduction

This guide walks through migrating iptables rules from a RHEL 6 or 7 server to a RHEL 8 based system, where nftables is the default packet-filtering framework. The translation tooling removes most of the pain of rewriting complex iptables rules by hand.

We are currently running RHEL 7, and the requirement is to migrate production to RHEL 8, so we want as much flexibility as possible during the migration. RHEL 8 and its derivatives ship the “iptables-restore-translate” command (part of the nftables-backed iptables package), which converts an existing iptables-save dump into nftables syntax.

iptables to nftables migration

Before starting with migration, let’s prepare by saving the rules to a file.


Export IPtables to a file

First, on the source server, dump all the iptables rules to a file (any name and extension will do), exactly as in day-to-day administration. Note that iptables-save covers IPv4 only; if the host also carries ip6tables rules, dump them separately with ip6tables-save and translate them with ip6tables-restore-translate.

# iptables-save > iptables_rules.txt

The next step is to verify the file.

Verify the Existing Rules

To verify the saved rules, cat the file and read through it. Confirm that every table you rely on (filter, nat, mangle, raw) and every chain and rule you expect is present; anything missing from this file will not be migrated.

# cat iptables_rules.txt

It’s confirmed we have only a few rules as shown below.

[root@sysadmins ~]# cat iptables_rules.txt 
# Generated by iptables-save v1.4.21 on Tue Aug 27 23:47:24 2019
*filter
:INPUT ACCEPT [107:10038]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [62:8606]
-A INPUT -p udp -m udp --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5269 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Tue Aug 27 23:47:24 2019
[root@sysadmins ~]#

Once the rules are saved, copy “iptables_rules.txt” to the destination server running the RHEL 8 based operating system.

Convert the Iptables to nftables

On the RHEL 8 based system, convert the iptables rules by running the translate command against the copied file and redirecting the output to a file of nft rules.

# iptables-restore-translate -f iptables_rules.txt > nft_ruleset.nft

We now have our iptables rules in nftables syntax. Open “nft_ruleset.nft” and read it before loading: the translator emits add table, add chain and add rule statements, so compare the rule count with the source file and look for any rule it could not convert. A dry run with nft -c -f nft_ruleset.nft checks the file for syntax errors without touching the running ruleset.

Load and Import the rules

Load the rules using -f option by specifying the converted “nft_ruleset.nft” rules file.

# nft -f nft_ruleset.nft

After that command the rules are live, but only in the running kernel ruleset. Two caveats: nft -f adds to whatever is already loaded, so running it a second time appends duplicate rules (flush the filter table first if you need to reload), and the rules are lost on reboot. On RHEL 8, make them permanent by writing the ruleset into /etc/sysconfig/nftables.conf, which nftables.service loads at boot, and enabling that service. Also check whether firewalld is running: on RHEL 8 it uses the nftables backend and installs its own table with its own hooks, so both rulesets would be evaluated on every packet. Either stop and disable firewalld or manage these rules through it, not both.

List and verify the nftables

Finally, list and verify the imported rules.

# nft list ruleset

The listing should look like the following. Note that the translated rules carry counters that start at zero, and that nft prints well-known ports by service name (ldaps, ssh, http); use nft -nn list ruleset to see them numerically.

[root@spacewlk ~]# nft list ruleset
table ip filter {
	chain INPUT {
		type filter hook input priority 0; policy accept;
		udp dport ldaps ct state established,new counter packets 0 bytes 0 accept
		tcp dport ldaps ct state established,new counter packets 0 bytes 0 accept
		udp dport ldap ct state established,new counter packets 0 bytes 0 accept
		ct state new tcp dport ssh counter packets 0 bytes 0 accept
		tcp dport ldap ct state established,new counter packets 0 bytes 0 accept
		ct state new tcp dport xmpp-server counter packets 0 bytes 0 accept
		ct state new tcp dport xmpp-client counter packets 0 bytes 0 accept
		ct state new tcp dport https counter packets 0 bytes 0 accept
		ct state new tcp dport http counter packets 0 bytes 0 accept
	}

	chain FORWARD {
		type filter hook forward priority 0; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority 0; policy accept;
		ct state new tcp dport ssh counter packets 0 bytes 0 accept
		ct state new tcp dport https counter packets 0 bytes 0 accept
		ct state new tcp dport http counter packets 0 bytes 0 accept
	}
}

That’s it: the existing iptables rules are now running under nftables without writing any nft rules by hand. One thing to review before calling the migration done: every chain here has policy accept and every rule is an accept, so this ruleset permits the listed services but blocks nothing. If the source host relied on a default DROP policy or a trailing REJECT rule, make sure it survived the translation; otherwise the new host is open on every port.
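The article verifies the migration by eye. The script below is an added example for this article, not code from the post: it parses the iptables-save dump and the output of nft -nn list ruleset (numeric ports, so both sides compare directly), reports rules that were lost or gained in translation, and flags chains whose default policy is still accept. The two inputs are constructed samples: the iptables dump is the one shown above, and the nft listing deliberately omits the tcp/5269 INPUT rule to show what a miss looks like. It assumes the simple rule shape used on this page (-p tcp|udp --dport N -j TARGET in the filter table) and ignores rule order.

```python
"""Cross-check an iptables-save dump against `nft -nn list ruleset` output.
Added example for the article (not the post's own code)."""
import re

# Constructed sample: the iptables-save dump shown in the article.
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [107:10038]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [62:8606]
-A INPUT -p udp -m udp --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5269 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
COMMIT
"""

# Constructed sample of `nft -nn list ruleset` (-nn prints ports numerically).
# The tcp/5269 INPUT rule is deliberately left out to show a missed rule.
NFT_LISTING = """\
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
        udp dport 636 ct state established,new counter packets 0 bytes 0 accept
        tcp dport 636 ct state established,new counter packets 0 bytes 0 accept
        udp dport 389 ct state established,new counter packets 0 bytes 0 accept
        ct state new tcp dport 22 counter packets 0 bytes 0 accept
        tcp dport 389 ct state established,new counter packets 0 bytes 0 accept
        ct state new tcp dport 5222 counter packets 0 bytes 0 accept
        ct state new tcp dport 443 counter packets 0 bytes 0 accept
        ct state new tcp dport 80 counter packets 0 bytes 0 accept
    }
    chain FORWARD {
        type filter hook forward priority 0; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority 0; policy accept;
        ct state new tcp dport 22 counter packets 0 bytes 0 accept
        ct state new tcp dport 443 counter packets 0 bytes 0 accept
        ct state new tcp dport 80 counter packets 0 bytes 0 accept
    }
}
"""

# Only the rule shape used on the page is understood: -p tcp|udp --dport N -j TARGET.
IPT_POLICY = re.compile(r"^:(\S+) (\S+) ")
IPT_RULE = re.compile(r"^-A (\S+) .*?-p (tcp|udp) .*?--dport (\d+) .*?-j (\S+)")
NFT_CHAIN = re.compile(r"^\s*chain (\S+) \{")
NFT_POLICY = re.compile(r"policy (\w+);")
NFT_RULE = re.compile(r"\b(tcp|udp) dport (\d+)\b.*\b(accept|drop|reject)$")

def parse_iptables_save(text):
    """Return ({chain: policy}, {(chain, proto, dport, verdict)}) for the filter table."""
    policies, rules, table = {}, set(), None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        if table != "filter":
            continue
        if m := IPT_POLICY.match(line):
            policies[m.group(1)] = m.group(2).lower()
        elif m := IPT_RULE.match(line):
            chain, proto, port, verdict = m.groups()
            rules.add((chain, proto, int(port), verdict.lower()))
    return policies, rules

def parse_nft_listing(text):
    """Same shape as parse_iptables_save, taken from `nft -nn list ruleset` output."""
    policies, rules, chain = {}, set(), None
    for line in text.splitlines():
        if m := NFT_CHAIN.match(line):
            chain = m.group(1)
        elif chain and (m := NFT_POLICY.search(line)):
            policies[chain] = m.group(1)
        elif chain and (m := NFT_RULE.search(line.strip())):
            proto, port, verdict = m.groups()
            rules.add((chain, proto, int(port), verdict))
    return policies, rules

def compare(ipt_text, nft_text):
    """Rules lost or gained in translation, policy drift, and chains still accepting by default."""
    ipt_pol, ipt_rules = parse_iptables_save(ipt_text)
    nft_pol, nft_rules = parse_nft_listing(nft_text)
    return {
        "missing": sorted(ipt_rules - nft_rules),
        "extra": sorted(nft_rules - ipt_rules),
        "policy_mismatch": sorted(c for c in ipt_pol if nft_pol.get(c) != ipt_pol[c]),
        "accept_policy": sorted(c for c, p in nft_pol.items() if p == "accept"),
    }

if __name__ == "__main__":
    for key, value in compare(IPTABLES_SAVE, NFT_LISTING).items():
        print(f"{key}: {value}")
```

On a real host, replace the two embedded samples with the contents of iptables_rules.txt and of nft -nn list ruleset captured after loading. A non-empty “missing” list means a rule did not survive translation; a non-empty “accept_policy” list is the reminder that those chains only permit traffic and drop nothing.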

Conclusion

Migrating iptables to nftables: the availability of the translate tool makes the job a matter of a few steps, as long as you verify the loaded ruleset, make it persistent, and check that its default policies are what you intend.

3 thoughts on “Migrate existing Iptables to Nftables in RHEL8/CentOS”

  1. I followed the procedures and successfully loaded some weird 8081 port configurations needed for the app, however I discovered it did not save after server reboot.

    Is there a second step to make the loaded .nft records permanent?

  2. Thanks, it makes it easy to convert iptables rules to nftables rules.
    This explains moving iptables rules to nftables rules. What about the installation of nftables?

    1. @Anonymous,

      By default, RHEL 7.x and 8.x come with nft. If you need to install it, you can use:

      # yum provides nft
      # yum install nftables -y

      Thanks & Regards,
      Babin Lonston
